# This gitleaks config extends the default config by adding rules specific to us.
# The default config can be found at:
# https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml
title = "Gitleaks NHSBSA"
# useDefault = true keeps the built-in gitleaks rules active; the [[rules]]
# entries in this file are added on top of them rather than replacing them.
[extend]
useDefault = true
# =================================================================
# Rule for detecting National Health Service (NHS) numbers
# This version uses word boundaries to avoid matching numbers that are
# part of a longer numeric string.
#
# NOTE(review): the pattern accepts any 10 digits in a 3-3-4 grouping, so it
# also fires on unrelated values such as phone numbers or epoch-second
# timestamps. A regex cannot verify the NHS number check digit, so findings
# from this rule need triage (or an allowlist for known test data).
# =================================================================
[[rules]]
id = "nhs-number"
description = "Potential NHS Number found. This is a 10-digit identifier for patients in the UK."
# \b is a word boundary. Letters and underscores count as word characters too,
# so a number glued to either one (no space or punctuation in between) is NOT
# matched, not just a number embedded in a longer run of digits.
# [ -]* allows zero or more spaces and/or hyphens, in any mix, between groups.
regex = '''\b\d{3}[ -]*\d{3}[ -]*\d{4}\b'''
tags = ["secret", "pii", "nhs"]
# =================================================================
# Detects database connection strings as used by DALL. The rule handles
# case-insensitivity, various spacing, and both '=' and ':' as separators.
#
# Coverage limit: only values wrapped in single or double quotes are matched.
# Unquoted assignments (the usual form in .properties files and common in
# YAML, e.g. password=value) are not detected by this rule.
# The key list also includes user/username/uid, so plain usernames are
# reported under the "secret" tag alongside passwords.
# =================================================================
[[rules]]
id = "database-connection-strings"
description = "Potential database connection string found."
# How the regex reads:
#   (?i)                          - Case-insensitive match.
#   (password|pwd|user(name)?|uid) - Key name; not anchored, so it also matches
#                                    as the tail of a longer key (db_password).
#   \s*[=:]\s*                    - A colon or equals sign, with any amount of whitespace.
#   ["'][^"']+["']                - A non-empty quoted value. The opening and
#                                    closing quote characters need not be the same.
# NOTE(review): the quoted value is matched but is not inside a capture group;
# the only groups are the key name and the optional "name" suffix. Depending on
# the gitleaks version, the reported secret may therefore be the key rather
# than the value. Confirm against the version in use, and consider capturing
# the value and selecting it with secretGroup.
regex = '''(?i)(password|pwd|user(name)?|uid)\s*[=:]\s*["'][^"']+["']'''
tags = ["secret", "credential", "database"]