# gitleaks configuration.
#
# Keeps gitleaks' default ruleset and adds an allowlist for known FALSE POSITIVES
# that surfaced once the CI checkout was fixed (secret-scan had never actually run
# on a PR before). Real leaked credentials are removed in code, NOT allowlisted.
#
# Review notes on the allowlist below:
# - A path entry skips the matching file for EVERY rule, not just the finding
#   that prompted the entry. A real credential committed under one of these
#   paths would go unreported, so keep each pattern as narrow as the false
#   positive actually requires.
# - The patterns are Go regexes matched against the repo-relative path and are
#   NOT anchored at the start: `developer-portal/app/api/.*` also matches a copy
#   of that tree nested anywhere else, and `\.env\.example$` matches at any depth.
# - Re-check these entries when the referenced files change; remove any entry
#   whose file no longer exists rather than leaving a dormant exclusion.

[extend]
# Inherit the upstream default rules; this file only adds to them.
useDefault = true

[allowlist]
description = "Documentation curl examples, env templates, and non-secret identifiers"
paths = [
    # API reference pages — curl examples with placeholder tokens, not real secrets.
    # These are whole-directory exclusions: any file added under these trees later
    # is also unscanned. NOTE(review): if the trees hold only documentation,
    # restricting the pattern to the doc file extensions in use would be tighter —
    # confirm against the actual tree before narrowing.
    '''developer-portal/app/api/.*''',
    '''developer-portal/app/development/.*''',
    # Template env file — placeholder dev values (e.g. breakpilot123).
    # Only the committed template is exempt; a real `.env` does not match `$`-anchored
    # `.env.example` and is still scanned.
    '''\.env\.example$''',
    # Seed data: "rule_key" identifiers, not credentials.
    '''backend-compliance/compliance/data/template_rule_seed_data\.py$''',
    # SDK deploy template — MINIO placeholder password.
    # NOTE(review): this exempts an entire source file for one placeholder line.
    # An inline `// gitleaks:allow` on that line, or a `regexes` allowlist entry
    # matching the placeholder value, would keep the rest of deploy.ts covered.
    '''breakpilot-compliance-sdk/packages/cli/src/commands/deploy\.ts$''',
]