{"id":13801800,"url":"https://github.com/nickdeis/eslint-plugin-no-secrets","last_synced_at":"2025-05-15T18:03:14.415Z","repository":{"id":34387505,"uuid":"178314809","full_name":"nickdeis/eslint-plugin-no-secrets","owner":"nickdeis","description":"An eslint plugin to find strings that might be secrets/credentials","archived":false,"fork":false,"pushed_at":"2025-02-02T02:54:09.000Z","size":502,"stargazers_count":145,"open_issues_count":7,"forks_count":5,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-03-31T22:18:12.705Z","etag":null,"topics":["eslint","eslint-plugin","eslint-rules","security","security-tools"],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nickdeis.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-03-29T02:07:40.000Z","updated_at":"2025-03-24T11:31:57.000Z","dependencies_parsed_at":"2024-01-02T23:43:09.590Z","dependency_job_id":"080136cc-013e-4722-9255-3ff0fe688835","html_url":"https://github.com/nickdeis/eslint-plugin-no-secrets","commit_stats":{"total_commits":37,"total_committers":3,"mean_commits":"12.333333333333334","dds":0.1351351351351351,"last_synced_commit":"f257a07c3415f17705b75db66f437f34ae6f280b"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nickdeis%2Feslint-plugin-no-secrets","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nickdeis%2Feslint-plugin-no-secrets/tags","relea
ses_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nickdeis%2Feslint-plugin-no-secrets/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nickdeis%2Feslint-plugin-no-secrets/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nickdeis","download_url":"https://codeload.github.com/nickdeis/eslint-plugin-no-secrets/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247744333,"owners_count":20988783,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["eslint","eslint-plugin","eslint-rules","security","security-tools"],"created_at":"2024-08-04T00:01:27.596Z","updated_at":"2025-04-07T23:07:12.106Z","avatar_url":"https://github.com/nickdeis.png","language":"TypeScript","funding_links":[],"categories":["TypeScript","Plugins"],"sub_categories":["Security"],"readme":"[![Build Status](https://github.com/nickdeis/eslint-plugin-no-secrets/actions/workflows/main.yml/badge.svg)](https://github.com/nickdeis/eslint-plugin-no-secrets/actions/workflows/main.yml/badge.svg)\n\n# eslint-plugin-no-secrets\n\nAn eslint rule that searches for potential secrets/keys in code and JSON files.\n\nThis plugin has two rules:\n\n- `no-secrets`: Find potential secrets using cryptographic entropy or patterns in the AST (acts like a standard eslint rule, more configurable)\n- `no-pattern-match`: Find potential secrets in text (acts like `grep`, less configurable, but potentially more flexible)\n\n---\n\n\u003c!-- vscode-markdown-toc --\u003e\n\n- 1. [Usage](#Usage)\n  - 1.1. 
[Flat config](#Flatconfig)\n  - 1.2. [eslintrc](#eslintrc)\n  - 1.3. [Include JSON files](#IncludeJSONfiles)\n    - 1.3.1. [Include JSON files within \"flat configs\"](#IncludeJSONfileswithinflatconfigs)\n- 2. [`no-secrets`](#no-secrets)\n  - 2.1. [`no-secrets` examples](#no-secretsexamples)\n  - 2.2. [When it's really not a secret](#Whenitsreallynotasecret)\n    - 2.2.1. [Either disable it with a comment](#Eitherdisableitwithacomment)\n    - 2.2.2. [Use `ignoreContent` to ignore certain content](#usetheignoreContenttoignorecertaincontent)\n    - 2.2.3. [Use `ignoreIdentifiers` to ignore certain variable/property names](#UseignoreIdentifierstoignorecertainvariablepropertynames)\n    - 2.2.4. [Use `additionalDelimiters` to further split up tokens](#UseadditionalDelimiterstofurthersplituptokens)\n  - 2.3. [`no-secrets` Options](#no-secretsOptions)\n- 3. [`no-pattern-match`](#no-pattern-match)\n  - 3.1. [`no-pattern-match` options](#no-pattern-matchoptions)\n- 4. [Acknowledgements](#Acknowledgements)\n\n\u003c!-- vscode-markdown-toc-config\n\tnumbering=true\n\tautoSave=true\n\t/vscode-markdown-toc-config --\u003e\n\u003c!-- /vscode-markdown-toc --\u003e\n\n## 1. \u003ca name='Usage'\u003e\u003c/a\u003eUsage\n\n`npm i -D eslint-plugin-no-secrets`\n\n### 1.1. \u003ca name='Flatconfig'\u003e\u003c/a\u003eFlat config\n\n_eslint.config.js_\n\n```js\nimport noSecrets from \"eslint-plugin-no-secrets\";\n\nexport default [\n  {\n    files: [\"**/*.js\"],\n    plugins: {\n      \"no-secrets\": noSecrets,\n    },\n    rules: {\n      \"no-secrets/no-secrets\": \"error\",\n    },\n  },\n];\n```\n\n
### 1.2. \u003ca name='eslintrc'\u003e\u003c/a\u003eeslintrc\n\n_.eslintrc_\n\n```json\n{\n  \"plugins\": [\"no-secrets\"],\n  \"rules\": {\n    \"no-secrets/no-secrets\": \"error\"\n  }\n}\n```\n\nWith either configuration in place, the rule reports findings like these:\n\n```js\n//Found a string with entropy 4.3 : \"ZWVTjPQSdhwRgl204Hc51YCsritMIzn8B=/p9UyeX7xu6KkAGqfm3FJ+oObLDNEva\"\nconst A_SECRET =\n  \"ZWVTjPQSdhwRgl204Hc51YCsritMIzn8B=/p9UyeX7xu6KkAGqfm3FJ+oObLDNEva\";\n//Found a string that matches \"AWS API Key\" : \"AKIAIUWUUQQN3GNUA88V\"\nconst AWS_TOKEN = \"AKIAIUWUUQQN3GNUA88V\";\n```\n\n
### 1.3. \u003ca name='IncludeJSONfiles'\u003e\u003c/a\u003eInclude JSON files\n\nTo include JSON files, install `eslint-plugin-jsonc` or `@eslint/json` (if using ESLint version 9.6 or above)\n\n`npm install --save-dev eslint-plugin-jsonc`\n\nThen, in your `.eslintrc` configuration file, extend the jsonc base config\n\n```json\n{\n  \"extends\": [\"plugin:jsonc/base\"]\n}\n```\n\nor, if you are using ESLint 9.6 or above with `@eslint/json`, register both plugins in your flat config\n\n```js\nimport json from \"@eslint/json\";\nimport noSecrets from \"eslint-plugin-no-secrets\";\n\nexport default [\n  {\n    plugins: {\n      json,\n      \"no-secrets\": noSecrets,\n    },\n  },\n  {\n    files: [\"**/*.json\"],\n    language: \"json/json\",\n    ....\n  },\n];\n```\n\n
#### 1.3.1. \u003ca name='IncludeJSONfileswithinflatconfigs'\u003e\u003c/a\u003eInclude JSON files within \"flat configs\"\n\n_eslint.config.js_\n\n```js\nimport noSecrets from \"eslint-plugin-no-secrets\";\nimport jsoncExtend from \"eslint-plugin-jsonc\";\n\nexport default [\n  ...jsoncExtend.configs[\"flat/recommended-with-jsonc\"],\n  {\n    languageOptions: { ecmaVersion: 6 },\n    plugins: {\n      \"no-secrets\": noSecrets,\n    },\n    rules: {\n      \"no-secrets/no-secrets\": \"error\",\n    },\n  },\n];\n```\n\n
## 2. \u003ca name='no-secrets'\u003e\u003c/a\u003e`no-secrets`\n\n`no-secrets` is a rule that does two things:\n\n1. Search for patterns that often contain sensitive information\n2. Measure cryptographic entropy to find potentially leaked secrets/passwords\n\nIt's modeled after early [truffleHog](https://github.com/dxa4481/truffleHog), but acts on ECMAScript's AST. This allows closer inspection of areas where secrets are commonly leaked, such as string templates or comments.\n\n### 2.1. \u003ca name='no-secretsexamples'\u003e\u003c/a\u003e`no-secrets` examples\n\nDecrease the tolerance for entropy\n\n```json\n{\n  \"plugins\": [\"no-secrets\"],\n  \"rules\": {\n    \"no-secrets/no-secrets\": [\"error\", { \"tolerance\": 3.2 }]\n  }\n}\n```\n\nAdd additional patterns to check for certain token formats.  \nStandard patterns can be found [here](./regexes.js)\n\n```json\n{\n  \"plugins\": [\"no-secrets\"],\n  \"rules\": {\n    \"no-secrets/no-secrets\": [\n      \"error\",\n      {\n        \"additionalRegexes\": {\n          \"Basic Auth\": \"Authorization: Basic [A-Za-z0-9+/=]*\"\n        }\n      }\n    ]\n  }\n}\n```\n\n
### 2.2. \u003ca name='Whenitsreallynotasecret'\u003e\u003c/a\u003eWhen it's really not a secret\n\n#### 2.2.1. \u003ca name='Eitherdisableitwithacomment'\u003e\u003c/a\u003eEither disable it with a comment\n\n```javascript\n// Set of potential base64 characters\n// eslint-disable-next-line no-secrets/no-secrets\nconst BASE64_CHARS =\n  \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\";\n```\n\nThis will tell future maintainers of the codebase that this suspicious string isn't an oversight.\n\n#### 2.2.2. \u003ca name='usetheignoreContenttoignorecertaincontent'\u003e\u003c/a\u003eUse `ignoreContent` to ignore certain content\n\n```json\n{\n  \"plugins\": [\"no-secrets\"],\n  \"rules\": {\n    \"no-secrets/no-secrets\": [\"error\", { \"ignoreContent\": \"^ABCD\" }]\n  }\n}\n```\n\n#### 2.2.3. \u003ca name='UseignoreIdentifierstoignorecertainvariablepropertynames'\u003e\u003c/a\u003eUse `ignoreIdentifiers` to ignore certain variable/property names\n\n```json\n{\n  \"plugins\": [\"no-secrets\"],\n  \"rules\": {\n    \"no-secrets/no-secrets\": [\n      \"error\",\n      { \"ignoreIdentifiers\": [\"BASE64_CHARS\"] }\n    ]\n  }\n}\n```\n\n#### 2.2.4. \u003ca name='UseadditionalDelimiterstofurthersplituptokens'\u003e\u003c/a\u003eUse `additionalDelimiters` to further split up tokens\n\nTokens are always split by whitespace within a string. However, words are sometimes delimited by something else (e.g. dashes, periods, or camelCase boundaries). You can use `additionalDelimiters` to handle these cases.\n\nFor example, if you want to split words by the character `.` and by camelCase, you could use this configuration:\n\n```json\n{\n  \"plugins\": [\"no-secrets\"],\n  \"rules\": {\n    \"no-secrets/no-secrets\": [\n      \"error\",\n      { \"additionalDelimiters\": [\".\", \"(?=[A-Z][a-z])\"] }\n    ]\n  }\n}\n```\n\n
### 2.3. \u003ca name='no-secretsOptions'\u003e\u003c/a\u003e`no-secrets` Options\n\n| Option | Description | Default | Type |\n| --- | --- | --- | --- |\n| tolerance | Minimum \"randomness\"/entropy allowed. Only strings **above** this threshold will be reported. | `4` | `number` |\n| additionalRegexes | Object of additional patterns to check. Key is the check name and value is the corresponding pattern | `{}` | {\\[regexCheckName:string]:string \\| RegExp} |\n| ignoreContent | Will ignore the _entire_ string if matched. Expects either a pattern or an array of patterns. This option takes precedence over `additionalRegexes` and the default regular expressions | `[]` | string \\| RegExp \\| (string\\|RegExp)[] |\n| ignoreModules | Ignores strings that are an argument to `import()` or `require()`, or are the path in an `import` statement. | `true` | `boolean` |\n| ignoreIdentifiers | Ignores the values of properties and variables whose names match a pattern or an array of patterns. | `[]` | string \\| RegExp \\| (string\\|RegExp)[] |\n| ignoreCase | Ignores character case when calculating entropy. This could lead to some false negatives | `false` | `boolean` |\n| additionalDelimiters | In addition to splitting the string by whitespace, tokens will be further split by these delimiters | `[]` | (string\\|RegExp)[] |\n\n
## 3. \u003ca name='no-pattern-match'\u003e\u003c/a\u003e`no-pattern-match`\n\nWhile this plugin was originally made to take advantage of ESLint's AST, sometimes you may want to check whether a pattern matches any text in a file, much like `grep`.\n\nFor example, with the following configuration:\n\n```js\nimport noSecrets from \"eslint-plugin-no-secrets\";\n\n//Flat config\n\nexport default [\n  {\n    files: [\"**/*.js\"],\n    plugins: {\n      \"no-secrets\": noSecrets,\n    },\n    rules: {\n      \"no-secrets/no-pattern-match\": [\n        \"error\",\n        { patterns: { SecretJS: /const SECRET/, SecretJSON: /\\\"SECRET\\\"/ } },\n      ],\n    },\n  },\n];\n```\n\nWe would match `const SECRET`, but not `var SECRET`. We would also match keys called `\"SECRET\"` in JSON files, if those were configured to be scanned.\n\n### 3.1. \u003ca name='no-pattern-matchoptions'\u003e\u003c/a\u003e`no-pattern-match` options\n\n| Option | Description | Default | Type |\n| --- | --- | --- | --- |\n| patterns | An object of patterns to check the text contents of files against | `{}` | {\\[regexCheckName:string]:string \\| RegExp} |\n\n## 4. \u003ca name='Acknowledgements'\u003e\u003c/a\u003eAcknowledgements\n\nHuge thanks to [truffleHog](https://github.com/dxa4481/truffleHog) for the inspiration, the regexes, and the measure of entropy.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnickdeis%2Feslint-plugin-no-secrets","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnickdeis%2Feslint-plugin-no-secrets","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnickdeis%2Feslint-plugin-no-secrets/lists"}