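# gitleaks configuration for explorer-monorepo.
#
# Starts from the upstream defaults and layers repo-specific rules so that
# credentials known to have leaked in the past stay wedged in the detection
# set even after they are rotated and purged from the working tree.
#
# See docs/SECURITY.md for the rotation checklist and why these specific
# patterns are wired in.

# Keep the upstream default rule set active; the rules below are additive.
[extend]
useDefault = true

# Regex breakdown:
#   L@ker   fixed prefix
#   s?      optional trailing "s"
#   \\?     optional literal backslash (the shell-escaped form)
#   \$?     optional literal dollar sign
#   2010    fixed suffix
# The value is a TOML multi-line literal string, so the backslashes reach the
# regex engine unchanged.
#
# NOTE(review): the pattern spells out most of the old value, so this file
# effectively discloses it. The rule is only safe to keep in the repository
# once rotation is complete everywhere the credential was used; confirm
# against the checklist in docs/SECURITY.md.
[[rules]]
id = "explorer-legacy-db-password-L@ker"
description = "Legacy hardcoded Postgres / SSH password (redacted). Matches both the expanded form and the shell-escaped form (backslash-dollar) that appeared in scripts/setup-database.sh."
regex = '''L@kers?\\?\$?2010'''
tags = ["password", "explorer-legacy"]

# Scoped to the rule above rather than declared as a top-level [allowlist].
# A top-level allowlist with `paths` skips those files for every rule,
# including the upstream defaults, so any unrelated secret pasted into the
# rotation docs or the changelog would go undetected. The stated intent is
# only to tolerate references to the legacy password.
#
# If an upstream default rule also flags the documented legacy value in these
# files, prefer a narrow `regexes` entry over exempting the whole file again.
# Newer gitleaks releases also accept the [[rules.allowlists]] array form.
[rules.allowlist]
description = "Expected non-secret references to the legacy password in rotation docs."
paths = [
    '''^docs/SECURITY\.md$''',
    '''^CHANGELOG\.md$''',
]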