Based on the well-established Yelp detect-secrets (please go check it out if you're using Python!), secret-scanner aims to provide a similar experience within the Node realm.
With NPM
npm install --save-dev secret-scanner
or with yarn
yarn add --dev secret-scanner
- secret-scanner scan to generate the baseline file
- secret-scanner audit the baseline file to check whether the secrets in it should be committed to the repo
- Add secret-scanner scan -h to your pre-commit hook to stop newly added secrets
For example, with husky on an npm repo:
npm install husky --save-dev
npx husky install
npm set-script prepare "husky install"
npx husky add .husky/pre-commit "secret-scanner scan -h"
To include the following configurations, you'll need to create a new secret-scanner configuration file and add the configurations there. To do so, follow the conventions outlined in the Cosmiconfig repository.
By default, Cosmiconfig will check the current directory for the following:
- a package.json property
- a JSON or YAML, extensionless "rc file"
- an "rc file" with the extensions .json, .yaml, .yml, .js, .ts, .mjs, or .cjs
- any of the above two inside a .config subdirectory
- a .config.js, .config.ts, .config.mjs, or .config.cjs file
For example: create a new file in the project root directory entitled .secret-scannerrc.
{
"disable_plugins": ["AWS", "Keyword", "Slack", "Stripe", "Twilio"]
}
Excluding lines is as easy as writing the line to be excluded or a regex. Under the hood every entry is compiled as a regex, so a literal line is matched as a pattern too (escape characters such as . or * if you need an exact match).
{
"exclude": {
"lines": ["example line", "[a-z0-9]-regex-line"]
}
}
secret-scanner uses fast-glob for excluding files.
{
"exclude": {
"files": [
"**/fileToIgnore.js", // Ignore any instance of the file anywhere
"directory/fileToIgnore.js", // Ignore the file in a specific directory
"**/*.js" // Ignore any JS file in any directory
]
}
}
The // comments above are explanatory only; plain JSON and YAML rc files do not accept them, so drop them from a real .secret-scannerrc.
Excluding secrets is as easy as writing the secret to be excluded or a regex. Under the hood every entry is compiled as a regex, so a literal secret is matched as a pattern too.
{
"exclude": {
"secrets": ["sample-secret", "[a-z0-9]-regex-secret"]
}
}
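The line and secret exclusions above both work by compiling each entry as a regex. The following added example (not secret-scanner's own code) models that behaviour with a constructed config and constructed findings, and shows why an unescaped literal can exclude more than intended; the finding shape {file, line, secret} and the helper names are assumptions.

```javascript
// Added illustration of regex-based "exclude.lines" / "exclude.secrets"
// matching; not the secret-scanner implementation.

// Constructed config, mirroring the README's .secret-scannerrc shape.
const config = {
  exclude: {
    lines: ["example line", "[a-z0-9]-regex-line"],
    secrets: ["sample-secret", "[a-z0-9]-regex-secret"],
  },
};

// Every entry, literal or not, becomes a RegExp (unanchored, like the README).
function compile(patterns) {
  return (patterns || []).map((p) => new RegExp(p));
}

function isExcluded(patterns, text) {
  return compile(patterns).some((re) => re.test(text));
}

// To exclude an exact literal, escape regex metacharacters first.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Drop findings whose source line or secret value matches an exclusion.
function filterFindings(findings, cfg) {
  const lines = compile(cfg.exclude.lines);
  const secrets = compile(cfg.exclude.secrets);
  return findings.filter(
    (f) => !lines.some((re) => re.test(f.line)) &&
           !secrets.some((re) => re.test(f.secret))
  );
}

// Constructed findings: three should be excluded, one should survive.
const findings = [
  { file: "a.js", line: "const k = 'sample-secret'", secret: "sample-secret" },
  { file: "b.js", line: "example line", secret: "AKIAEXAMPLE" },
  { file: "c.js", line: "t = 'abc-regex-line'", secret: "whatever" },
  { file: "d.js", line: "real = 'deadbeef'", secret: "deadbeef" },
];

const kept = filterFindings(findings, config);
console.log(kept.map((f) => f.file)); // ["d.js"]

// Caveat: "example.line" as a literal also matches "exampleXline".
console.log(isExcluded(["example.line"], "exampleXline")); // true
console.log(isExcluded([escapeRegex("example.line")], "exampleXline")); // false
```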
secret-scanner.js scan
Scans directories / scans committed files
Options:
--version Show version number [boolean]
--help Show help [boolean]
-h, --hook Used for pre-hooks
-l, --location Location to scan using glob pattern, default is current
working dir [default: "D:\Code\tester/**"]
-d, --debug
secret-scanner.js audit
Audit the baseline file
Options:
--version Show version number [boolean]
--help Show help [boolean]