{"id":13702045,"url":"https://github.com/bahmutov/ban-sensitive-files","last_synced_at":"2025-09-29T00:32:59.946Z","repository":{"id":2701127,"uuid":"47205638","full_name":"bahmutov/ban-sensitive-files","owner":"bahmutov","description":"Checks filenames to be committed against a library of filename rules to prevent sensitive files in Git","archived":false,"fork":false,"pushed_at":"2025-09-25T19:06:57.000Z","size":1268,"stargazers_count":67,"open_issues_count":15,"forks_count":8,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-09-25T21:23:06.934Z","etag":null,"topics":["check","node","npm","security","sensor"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bahmutov.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2015-12-01T17:22:46.000Z","updated_at":"2025-09-20T08:41:36.000Z","dependencies_parsed_at":"2023-11-18T11:23:26.710Z","dependency_job_id":"5e181a9f-9928-4b79-a9f6-713e269c4891","html_url":"https://github.com/bahmutov/ban-sensitive-files","commit_stats":{"total_commits":318,"total_committers":10,"mean_commits":31.8,"dds":0.4056603773584906,"last_synced_commit":"b1ab258e1ab9a9176ac214a2f0c460ca516d9de7"},"previous_names":[],"tags_count":47,"template":false,"template_full_name":null,"purl":"pkg:github/bahmutov/ban-sensitive-files","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bahmutov%2Fban-sensitive-files","tags_url":
"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bahmutov%2Fban-sensitive-files/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bahmutov%2Fban-sensitive-files/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bahmutov%2Fban-sensitive-files/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bahmutov","download_url":"https://codeload.github.com/bahmutov/ban-sensitive-files/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bahmutov%2Fban-sensitive-files/sbom","scorecard":{"id":223279,"data":{"date":"2025-08-11","repo":{"name":"github.com/bahmutov/ban-sensitive-files","commit":"a47a498b836c6a61a7517806ef5be50504ac48d0"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/28 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":4,"reason":"5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub 
workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:8: update your workflow using https://app.stepsecurity.io/secureworkflow/bahmutov/ban-sensitive-files/ci.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/bahmutov/ban-sensitive-files/ci.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/bahmutov/ban-sensitive-files/ci.yml/master?enable=pin","Info:   0 out of   2 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge 
detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":0,"reason":"license file not detected","details":["Warn: project does not have a license file"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release 
artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/ci.yml:4"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"29 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg","Warn: Project is vulnerable to: GHSA-gxpj-cx7g-858c","Warn: Project is vulnerable to: GHSA-fjxv-7rqg-78g4","Warn: Project is vulnerable to: GHSA-62cx-5xj4-wfm4","Warn: Project is vulnerable to: GHSA-pr45-cg4x-ff4m","Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97","Warn: Project is vulnerable to: GHSA-w5mw-f2hq-5fw8","Warn: Project is vulnerable to: GHSA-p6mc-m468-83gw","Warn: Project is vulnerable to: GHSA-29mw-wpgm-hmr9","Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm","Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv","Warn: Project is vulnerable to: GHSA-vh95-rmgr-6w4m","Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h","Warn: Project is vulnerable to: GHSA-8hfj-j24r-96c4","Warn: Project is vulnerable to: GHSA-wc69-rhjr-hc9g","Warn: Project is vulnerable to: 
GHSA-56x4-j7p9-fcf9","Warn: Project is vulnerable to: GHSA-v78c-4p63-2j6c","Warn: Project is vulnerable to: GHSA-4p35-cfcx-8653","Warn: Project is vulnerable to: GHSA-7f3x-x4pr-wqhj","Warn: Project is vulnerable to: GHSA-jpp7-7chh-cf67","Warn: Project is vulnerable to: GHSA-q6wq-5p59-983w","Warn: Project is vulnerable to: GHSA-j9fq-vwqv-2fm2","Warn: Project is vulnerable to: GHSA-pqw5-jmp5-px4v","Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6","Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw","Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3","Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-17T03:06:45.848Z","repository_id":2701127,"created_at":"2025-08-17T03:06:45.848Z","updated_at":"2025-08-17T03:06:45.848Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":277095765,"owners_count":25760027,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-26T02:00:09.010Z","response_time":78,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["check","node","npm","security","sensor"],"created_at":"2024-08-02T21:00:30.401Z","updated_at":"2025-09-29T00:32:59.576Z","avatar_url":"https://github.com/bahmutov.png","language":"J
avaScript","funding_links":[],"categories":["Static Code Analysis"],"sub_categories":[],"readme":"# ban-sensitive-files\n\n\u003e Checks filenames to be committed against a library of filename rules\n\u003e to prevent storing sensitive files in Git.\n\u003e Checks some files for sensitive contents (for example authToken inside .npmrc file)\n\n[![NPM][ban-sensitive-files-icon] ][ban-sensitive-files-url]\n\n[![Build status][ban-sensitive-files-ci-image] ][ban-sensitive-files-ci-url]\n\n[![semantic-release][semantic-image] ][semantic-url]\n[![js-standard-style](https://img.shields.io/badge/code%20style-standard-brightgreen.svg)](http://standardjs.com/)\n[![alternate](https://img.shields.io/badge/manpm-%E2%9C%93-3399ff.svg)](https://github.com/bahmutov/manpm) [![renovate-app badge][renovate-badge]][renovate-app]\n\nNote: the source file with rules was taken from file\n[git-deny-patterns.json](https://github.com/jandre/safe-commit-hook/blob/master/git-deny-patterns.json)\nfrom repo [jandre/safe-commit-hook](https://github.com/jandre/safe-commit-hook) on Dec 2015.\n\n## Motivation\n\nCan you accidentally add `id_rsa` file to your Github? Sure!\nBut remember, it will be [very hard](https://help.github.com/articles/remove-sensitive-data/) to remove\ntraces of them later. 
[Most popular NPM packages have leaked sensitive information by mistake][1].\n\nWouldn't it be easier to never commit files that should not be committed in the first place?\nThis project is an easy-to-use CLI or git pre-commit hook filter that will scrape modified or added\nfilenames to make sure they do not match widely common patterns (`.pem`, etc.)\n\n[1]: https://github.com/ChALkeR/notes/blob/master/Do-not-underestimate-credentials-leaks.md\n\nFor example, here is `ban` in action - stopping me from adding NPM registry `_authToken` to\n`.npmrc` file\n\n[![asciicast](https://asciinema.org/a/33377.png)](https://asciinema.org/a/33377)\n\n## Install\n\nAdd to your project `npm install --save-dev ban-sensitive-files`\n\n## Use\n\n* From the command line `node node_modules/.bin/ban` when you have any staged files\n  to check their filenames.\n\n* From NPM script\n\n```json\n\"scripts\": {\n  \"ban\": \"ban\"\n}\n```\n\nThen run `npm run ban` to check modified, added or deleted filenames.\nYou can check ALL repo filenames again by adding command line flag `-f` to form the full command\n`npm run ban -- -f`.\n\n* When using from other Git hook projects, for example from [pre-git](https://github.com/bahmutov/pre-git),\n  first, add \"ban\" NPM script command, then add to the `pre-commit` command list\n\n```json\n\"config\": {\n  \"pre-git\": {\n    \"pre-commit\": [\n      \"npm test\",\n      \"npm run ban\"\n    ]\n  }\n}\n```\n\n* When using from a CI you probably want to check all files in the repo, not just\nthe changed ones. Pass the `-f` or `--all` option. 
Example Travis file\n\n```yaml\nscript:\n  - npm run ban -- --all\n  - npm test\n```\n\n## Use as a module\n\nYou can use the checker from another module\n\n```js\nvar isBanned = require('ban-sensitive-files');\nisBanned('path/file/name');\n// checks single file, returns true or false\n// prints any errors to console.error\nisBanned(['name1', 'name2', 'name3']);\n// checks list of files\nisBanned('file/name', logger);\n// use provided logger function instead of console.error\n```\n\n## Advanced\n\nTo figure out what the script is doing, enable debug logging\n\n    DEBUG=ban npm run ban\n\n### Small print\n\nAuthor: Gleb Bahmutov \u0026copy; 2015\n\n* [@bahmutov](https://twitter.com/bahmutov)\n* [glebbahmutov.com](https://glebbahmutov.com)\n* [blog](https://glebbahmutov.com/blog/)\n\nLicense: MIT - do anything with the code, but don't blame me if it does not work.\n\nSpread the word: tweet, star on github, etc.\n\nSupport: if you find any problems with this module, email / tweet /\n[open issue](https://github.com/bahmutov/ban-sensitive-files/issues) on Github\n\n## MIT License\n\nCopyright (c) 2015 Gleb Bahmutov\n\nPermission is hereby granted, free of charge, to any person\nobtaining a copy of this software and associated documentation\nfiles (the \"Software\"), to deal in the Software without\nrestriction, including without limitation the rights to use,\ncopy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the\nSoftware is furnished to do so, subject to the following\nconditions:\n\nThe above copyright notice and this permission notice shall be\nincluded in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND,\nEXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES\nOF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND\nNONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT\nHOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,\nWHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING\nFROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR\nOTHER DEALINGS IN THE SOFTWARE.\n\n[ban-sensitive-files-icon]: https://nodei.co/npm/ban-sensitive-files.svg?downloads=true\n[ban-sensitive-files-url]: https://npmjs.org/package/ban-sensitive-files\n[ban-sensitive-files-ci-image]: https://github.com/bahmutov/ban-sensitive-files/workflows/ci/badge.svg?branch=master\n[ban-sensitive-files-ci-url]: https://github.com/bahmutov/ban-sensitive-files/actions\n[semantic-image]: https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg\n[semantic-url]: https://github.com/semantic-release/semantic-release\n[renovate-badge]: https://img.shields.io/badge/renovate-app-blue.svg\n[renovate-app]: https://renovateapp.com/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbahmutov%2Fban-sensitive-files","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbahmutov%2Fban-sensitive-files","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbahmutov%2Fban-sensitive-files/lists"}