# Gitleaks configuration for the Veza repository: the stock ruleset plus a
# project-wide allowlist for known test fixtures and a removed backup
# directory. Everything under [allowlist] applies to every rule and to every
# commit that gets scanned.
title = "Veza gitleaks config"

# Inherit gitleaks v8 default ruleset
[extend]
useDefault = true

# Project-wide allowlist
#
# Rationale:
# - *_test.go files contain fake JWTs (eyJ...invalid_signature) used to
#   exercise auth failure paths. They are NOT real credentials.
# - The .backup-pre-uuid-migration/ directory existed in older commits
#   (fa2087258, 2425c15b0) but was already removed from HEAD. Gitleaks
#   scans full git history by default, so we still need to allowlist it.
# - test fixture secrets (test-jwt-secret, etc.) are deterministic strings
#   never used outside of test setup.
[allowlist]
description = "Allowlist test fixtures and historical migration backup dirs"

# Path regexes: a finding in any file whose path matches is dropped.
# NOTE(review): the first pattern exempts every Go test file in the repo, not
# only the ones holding the fake JWTs, so a real credential pasted into any
# *_test.go file would go unreported. The stopwords below may already cover the
# known fixtures; consider listing the specific test files instead.
# NOTE(review): the second pattern already matches everything the third one
# does, so the narrower third entry has no additional effect.
# NOTE(review): allowlisting the backup directory only silences the findings;
# the files stay in git history. Confirm nothing under it was a live
# credential, and rotate anything that was.
paths = [
    '''.*_test\.go$''',
    '''.*\.backup-pre-uuid-migration/.*''',
    '''veza-backend-api/internal/services/\.backup-pre-uuid-migration/.*''',
]

# Stopwords: a finding is dropped when the detected secret contains one of
# these strings. They are not limited to test files, so keep each entry
# specific to a known fixture value; a short generic entry such as
# "test-secret" also suppresses any other secret that contains that text.
stopwords = [
    "invalid_signature",
    "test-jwt-secret",
    "test-secret",
    "test-internal-api-key",
]