{"id":17596031,"url":"https://github.com/jairtorres1003/eslint-plugin-sensitive-env","last_synced_at":"2026-02-12T16:05:41.747Z","repository":{"id":258720718,"uuid":"875077267","full_name":"JairTorres1003/eslint-plugin-sensitive-env","owner":"JairTorres1003","description":"ESLint plugin to prevent sensitive values from being hardcoded in the codebase","archived":false,"fork":false,"pushed_at":"2025-02-11T19:16:05.000Z","size":345,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-12T13:23:40.935Z","etag":null,"topics":["environment","eslint","eslint-plugin","npm","secrets","security","sensitive"],"latest_commit_sha":null,"homepage":"https://www.npmjs.com/package/eslint-plugin-sensitive-env","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/JairTorres1003.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":["JairTorres1003"],"patreon":"JairTorres","open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"lfx_crowdfunding":null,"custom":null}},"created_at":"2024-10-19T03:36:22.000Z","updated_at":"2024-10-31T03:46:46.000Z","dependencies_parsed_at":"2024-12-10T07:41:15.597Z","dependency_job_id":"6bf09cb2-0ca6-40ca-b97f-cee465636e9e","html_url":"https://github.com/JairTorres1003/eslint-plugin-sensitive-env","commit_stats":{"total_commits":34,"total_committers":1,"mean_commits":34.0,"dds":0.0,"last_synced_commit":"23ec53bf4155ee56ae918c82b8952e61daddd596"}
,"previous_names":["jairtorres1003/eslint-plugin-sensitive-env"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JairTorres1003%2Feslint-plugin-sensitive-env","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JairTorres1003%2Feslint-plugin-sensitive-env/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JairTorres1003%2Feslint-plugin-sensitive-env/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JairTorres1003%2Feslint-plugin-sensitive-env/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/JairTorres1003","download_url":"https://codeload.github.com/JairTorres1003/eslint-plugin-sensitive-env/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248688575,"owners_count":21145765,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["environment","eslint","eslint-plugin","npm","secrets","security","sensitive"],"created_at":"2024-10-22T08:07:13.663Z","updated_at":"2026-02-12T16:05:41.715Z","avatar_url":"https://github.com/JairTorres1003.png","language":"TypeScript","funding_links":["https://github.com/sponsors/JairTorres1003","https://patreon.com/JairTorres"],"categories":[],"sub_categories":[],"readme":"# eslint-plugin-sensitive-env [![npm](https://img.shields.io/npm/v/eslint-plugin-sensitive-env)](https://www.npmjs.com/package/eslint-plugin-sensitive-env)\n\nAn ESLint plugin designed to prevent hardcoded sensitive values in 
your code. This plugin ensures that sensitive values, such as API keys, tokens, passwords, and other environment-specific data, are stored in environment variables instead of being hardcoded into the source code.\n\n## Features\n\n- Detects hardcoded sensitive values based on `.env` files.\n- Supports `.env` files to define environment variables.\n- Allows configuration of environment files and control over which keys and values are checked.\n- Ignores specific keys or values when configured.\n- Predefined non-sensitive values (e.g., 'false', 'null', 'true') are automatically excluded from checks.\n\n## Installation\n\nTo install the plugin, run the following command:\n\n```bash\nnpm install eslint-plugin-sensitive-env --save-dev\n```\n\nor using `yarn`:\n\n```bash\nyarn add eslint-plugin-sensitive-env --dev\n```\n\n## Usage\n\nAdd the plugin to your ESLint configuration:\n\n```json\n{\n  \"plugins\": [\"sensitive-env\"],\n  \"rules\": {\n    \"sensitive-env/no-hardcoded-values\": \"error\"\n  }\n}\n```\n\n### Rule Options\n\nThe `no-hardcoded-values` rule provides flexible configuration options:\n\n- `envFile` (optional): The path to the environment file where sensitive values are stored.\n\n  - If no file is provided, the plugin will search for one of the following files:\n    ```json\n    [\n      \".env.production\",\n      \".env.development\",\n      \".env.local\",\n      \".env\",\n      \".env.local.example\",\n      \".env.example\"\n    ]\n    ```\n\n- `ignore` (optional): An array of uppercase strings representing the environment variable names (keys) to ignore.\n\n  - The rule will not flag hardcoded values of ignored keys.\n\n- `noSensitiveValues` (optional): An array of strings representing specific values to ignore as non-sensitive.\n\n  - The rule will not flag these values even if they match a key from the environment file.\n  - By default, the following values are ignored:\n    ```json\n    [\n      \"false\",\n      \"null\",\n      \"true\",\n  
    \"undefined\",\n      \"unknown\",\n      \"nan\",\n      \"infinity\",\n      \"-infinity\",\n      \"1234567890\",\n      \"9876543210\"\n    ]\n    ```\n  - Additionally, dates in string format (e.g., `2024-10-20` or `10/20/2024`) are not considered sensitive. Numerical representations of dates (e.g., `1729464561272`) are allowed.\n  - URLs defined in environment files are checked based on the hostname to determine if they contain sensitive information.\n  - Values with 4 or fewer characters are not considered sensitive.\n\n### Example Configuration\n\n```json\n{\n  \"rules\": {\n    \"sensitive-env/no-hardcoded-values\": [\n      \"error\",\n      {\n        \"envFile\": \".env\",\n        \"ignore\": [\"PUBLIC_LOCALHOST\"],\n        \"noSensitiveValues\": [\"myPublicValue\"]\n      }\n    ]\n  }\n}\n```\n\nIn this configuration:\n\n- `.env` is used as the environment file.\n- The rule will ignore any hard-coded value for the key that contains `PUBLIC_LOCALHOST`.\n- The value `myPublicValue` will not be flagged as sensitive, regardless of where it appears.\n\n## Rule Details\n\nThe `no-hardcoded-values` rule checks for sensitive values that should be stored in environment variables instead of being hardcoded. It works by reading an environment file (e.g., `.env`) and matching values defined by the specified options.\n\nIf the environment file does not exist or cannot be found, the rule will produce a warning with the message:\n\n```\nThe environment file \u003cenvFile\u003e does not exist.\n```\n\nIf a hardcoded sensitive value is found, the following error message will be reported:\n\n```\nDo not hardcode sensitive values. 
Use environment variables instead.\n```\n\n### Ignoring Specific Keys and Values\n\nYou can customize the behavior of the plugin by defining which keys and values to ignore.\n\n### Example: Ignoring Specific Keys\n\n```json\n{\n  \"rules\": {\n    \"sensitive-env/no-hardcoded-values\": [\n      \"error\",\n      {\n        \"ignore\": [\"PASSWORD\", \"SECRET\"]\n      }\n    ]\n  }\n}\n```\n\nIn this case, values for `PASSWORD` and `SECRET` will be ignored, but other keys will still be checked.\n\n### Example: Ignoring Specific Values\n\n```json\n{\n  \"rules\": {\n    \"sensitive-env/no-hardcoded-values\": [\n      \"error\",\n      {\n        \"noSensitiveValues\": [\"myPublicValue\", \"someOtherSafeValue\"]\n      }\n    ]\n  }\n}\n```\n\nHere, `myPublicValue` and `someOtherSafeValue` will not be flagged, even if they appear as hardcoded values.\n\n## Testing\n\nTo run the tests for this plugin:\n\n```bash\nnpm test\n```\n\n## Contributing\n\nContributions, issues, and feature requests are welcome! Feel free to check out [the issues page](https://github.com/JairTorres1003/eslint-plugin-sensitive-env/issues) if you have suggestions or encounter problems.\n\n### License\n\nThis project is licensed under the MIT License. See the [LICENSE](LICENSE) file for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjairtorres1003%2Feslint-plugin-sensitive-env","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjairtorres1003%2Feslint-plugin-sensitive-env","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjairtorres1003%2Feslint-plugin-sensitive-env/lists"}
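The README above describes the `no-hardcoded-values` rule in terms of what it reads (an environment file), what it excludes (`ignore`, `noSensitiveValues`, the default non-sensitive list, string-form dates, values of 4 or fewer characters, URL values compared by hostname) and what it reports. The TypeScript below is an added example, not eslint-plugin-sensitive-env's own code, that models those checks end to end so the exclusion rules can be tried offline: parse a dotenv file, build the set of values the rule would treat as sensitive, then scan a source file's string literals against it. All function names, the `.env` contents and the source snippet are constructed for this example; the substring match on ignored keys (from the README's wording "the key that contains `PUBLIC_LOCALHOST`") and the reduction of URLs to their hostname on both sides of the comparison are this example's reading of the README, not confirmed plugin behaviour.

```typescript
// Added example, not eslint-plugin-sensitive-env's own code: a stand-alone model of the
// no-hardcoded-values checks its README describes. All names and sample data are constructed.
interface Options {
  ignore?: string[];            // key names (or fragments) to skip, as in the README's `ignore`
  noSensitiveValues?: string[]; // extra values treated as non-sensitive, as in `noSensitiveValues`
}
interface Finding { line: number; key: string; message: string }

// Default non-sensitive values listed in the README, and the error text it says the rule reports.
const DEFAULT_NON_SENSITIVE: string[] = [
  "false", "null", "true", "undefined", "unknown", "nan",
  "infinity", "-infinity", "1234567890", "9876543210",
];
const MESSAGE = "Do not hardcode sensitive values. Use environment variables instead.";

/** Parse dotenv-style text: skip blanks and # comments, accept `export KEY=`, quoted or bare values. */
function parseEnv(text: string): Record<string, string> {
  const env: Record<string, string> = {};
  text.split(/\r?\n/).forEach((raw) => {
    const line = raw.trim();
    if (line === "" || line.charAt(0) === "#") return;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (m === null) return;
    const quoted = /^(["'])(.*)\1$/.exec(m[2].trim());
    // Quoted values are kept verbatim; bare values lose a trailing "# comment".
    env[m[1]] = quoted !== null ? quoted[2] : m[2].trim().replace(/\s+#.*$/, "");
  });
  return env;
}

/** String-form dates the README excludes: ISO (optionally with a time) and US slash format. */
function isDateString(value: string): boolean {
  return /^\d{4}-\d{2}-\d{2}(?:[T ]\d{2}:\d{2}(?::\d{2}(?:\.\d+)?)?(?:Z|[+-]\d{2}:?\d{2})?)?$/.test(value)
    || /^\d{1,2}\/\d{1,2}\/\d{4}$/.test(value);
}

/** The README says URL values are compared by hostname; this example applies that to both sides. */
function comparableForm(value: string): string {
  const m = /^https?:\/\/(?:[^\/?#@]*@)?([^\/?#:]+)/i.exec(value); // simplified: scheme, optional userinfo, host
  return m !== null ? m[1].toLowerCase() : value;
}

/** Build the value -> key table the rule would match against, applying the README's exclusions. */
function sensitiveValues(env: Record<string, string>, opts: Options = {}): Record<string, string> {
  const ignore = (opts.ignore || []).map((k) => k.toUpperCase());
  const allow = new Set(DEFAULT_NON_SENSITIVE.concat(opts.noSensitiveValues || []).map((v) => v.toLowerCase()));
  const table: Record<string, string> = {};
  Object.keys(env).forEach((key) => {
    const upper = key.toUpperCase();
    if (ignore.some((frag) => upper.indexOf(frag) !== -1)) return; // README: "the key that contains ..."
    const value = comparableForm(env[key]);
    if (value.length <= 4) return;               // README: 4 or fewer characters are not sensitive
    if (allow.has(value.toLowerCase())) return;  // README: default and configured non-sensitive values
    if (isDateString(value)) return;             // README: string-form dates are not sensitive
    table[value] = key;
  });
  return table;
}

/** Scan source text for string literals whose content (or hostname) matches a sensitive value. */
function findHardcoded(source: string, table: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  source.split(/\r?\n/).forEach((text, index) => {
    const literal = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'|`((?:[^`\\]|\\.)*)`/g;
    for (let m = literal.exec(text); m !== null; m = literal.exec(text)) {
      const content = m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
      const form = comparableForm(content);
      // Own-property check so literals like "constructor" cannot match through Object.prototype.
      if (Object.prototype.hasOwnProperty.call(table, form)) {
        findings.push({ line: index + 1, key: table[form], message: MESSAGE });
      }
    }
  });
  return findings;
}

// Constructed sample .env with placeholder values (not real credentials).
const SAMPLE_ENV = [
  "# constructed for this example",
  "API_KEY=\"sk_live_EXAMPLE_1234567890abcdef\"", "DB_PASSWORD=correct-horse-battery-staple",
  "PUBLIC_LOCALHOST=localhost", "DEBUG=true", "PORT=3000 # dev port",
  "RELEASE_DATE=2024-10-20", "API_URL=https://api.internal.example.com/v1", "BUILD_ID=myPublicValue",
].join("\n");
// Constructed source under lint; findings report 1-based line numbers.
const SAMPLE_SOURCE = [
  "const client = createClient({",
  "  apiKey: \"sk_live_EXAMPLE_1234567890abcdef\",",      // line 2: flagged (API_KEY)
  "  baseUrl: 'https://api.internal.example.com/v1',",   // line 3: flagged by hostname (API_URL)
  "  host: \"localhost\",",                               // value of an ignored key: not flagged
  "  build: \"myPublicValue\",",                          // configured non-sensitive: not flagged
  "});",
  "const dbPassword = process.env.DB_PASSWORD || \"\";",
].join("\n");
const DEMO_OPTIONS: Options = { ignore: ["PUBLIC_LOCALHOST"], noSensitiveValues: ["myPublicValue"] }; // README's example

function runDemo(): Finding[] {
  return findHardcoded(SAMPLE_SOURCE, sensitiveValues(parseEnv(SAMPLE_ENV), DEMO_OPTIONS));
}
runDemo().forEach((f) => console.log(f.line + ": " + f.message + " (matches " + f.key + ")"));
```

Run it with any TypeScript runner (for example `npx tsx example.ts`); it reports the literals on lines 2 and 3 of the constructed source and nothing else. Two points carry over to the real rule: it can only flag values that appear in the environment file it reads, so a secret hardcoded without ever being added to that file is invisible to it, and a lookup table keyed by untrusted strings needs an own-property check (or a `Map`) so that literals such as `"constructor"` do not match through `Object.prototype`.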