feat(gitleaks): add centralized config distribution

- Add gitleaks.base.toml with base rules from deckhouse/deckhouse
- Copy centralized config to ${RUNNER_TEMP} (safe for Werf/giterminism)
- Update config detection logic to use centralized config by default
- Support local .gitleaks.toml for repository-specific customization

This enables centralized rule management while keeping git state clean.

Signed-off-by: Roman Trofimenkov <roman.trofimenkov@flant.com>

Author: rtrofimenkov-ssdlc

gitleaks/action.yml

@@ -51,17 +51,33 @@ runs:
         echo "$install_dir" >> "$GITHUB_PATH"
         gitleaks version
 
+    - name: Setup centralized config
+      shell: bash
+      run: |
+        set -euo pipefail
+        # Copy centralized config to temporary directory (safe for Werf/giterminism)
+        BASE_CONFIG="${{ github.action_path }}/config/gitleaks.base.toml"
+        if [[ -f "$BASE_CONFIG" ]]; then
+          cp "$BASE_CONFIG" "${RUNNER_TEMP}/gitleaks.base.toml"
+          echo "✅ Centralized config copied to ${RUNNER_TEMP}/gitleaks.base.toml"
+        else
+          echo "⚠️  Warning: Centralized config not found at $BASE_CONFIG"
+          exit 1
+        fi
+
     - name: Check for optional config
       id: config
       shell: bash
       run: |
         set -euo pipefail
-        if [[ -f "gitleaks.toml" ]]; then
-          echo "config_arg=-c gitleaks.toml" >> "$GITHUB_OUTPUT"
-          echo "✅ Found config: gitleaks.toml"
+        if [[ -f ".gitleaks.toml" ]]; then
+          # Local config exists - it should extend the centralized one
+          echo "config_arg=--config .gitleaks.toml" >> "$GITHUB_OUTPUT"
+          echo "✅ Found local config: .gitleaks.toml (should extend base config)"
         else
-          echo "config_arg=" >> "$GITHUB_OUTPUT"
-          echo "⚠️ Config file not found. Proceeding with default rules."
+          # Use centralized config only
+          echo "config_arg=--config ${RUNNER_TEMP}/gitleaks.base.toml" >> "$GITHUB_OUTPUT"
+          echo "🔹 Using centralized config only (no local customization)"
         fi
 
     - name: Gitleaks scan (full)

gitleaks/config/gitleaks.base.toml

@@ -0,0 +1,57 @@
+# Centralized Gitleaks configuration for all Deckhouse repositories
+# This file is distributed via modules-actions/gitleaks action
+# 
+# Repositories can extend this config by creating local .gitleaks.toml:
+#   [extend]
+#   useDefault = false
+#   path = "${RUNNER_TEMP}/gitleaks.base.toml"
+
+# Use default Gitleaks rules
+[extend]
+useDefault = true
+
+# Global allowlists
+[allowlist]
+
+# === Safe files/directories ===
+# NOTE: Use exact paths, NOT glob patterns like **/go.mod
+
+paths = [
+    # Go dependencies - public hashes
+    "go.mod",
+    "go.sum",
+    
+    # Specific files with known false positives
+    # "modules/101-cert-manager/docs/USAGE.md",
+    # "modules/101-cert-manager/docs/USAGE_RU.md",
+]
+
+# === Safe patterns ===
+regexes = [
+    # Go module checksums - always public
+    '''h1:[A-Za-z0-9+/=]{40,}''',
+    
+    # Public certificates (only ca.crt, NOT private keys!)
+    '''data:\s*\n\s*ca\.crt:\s*[A-Za-z0-9+/=\s]+''',
+    
+    # AWS Example values from official documentation - exact match
+    '''AKIAIOSFODNN7EXAMPLE''',
+    '''wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY''',
+]
+
+# Custom rules for hashi/openbao/werf tokens
+[[rules]]
+id = "werf-secret-key"
+description = "Identified a Werf Secret Key."
+regex = '''\b([a-f0-9]{32})\b'''
+path = '''\.werf_secret_key$'''
+
+[[rules]]
+id = "hashicorp-vault-token"
+description = "Identified a HashiCorp Vault token (hvs, hvb, or hvr prefix)."
+regex = '''\b(hv[sbr]\.[A-Za-z0-9_-]{20,})\b'''
+
+[[rules]]
+id = "openbao-token"
+description = "Identified an OpenBao token (S. prefix)."
+regex = '''\b(S\.[A-Za-z0-9_-]{20,})\b'''