{"id":13475294,"url":"https://github.com/secretlint/secretlint","last_synced_at":"2026-04-26T04:00:53.917Z","repository":{"id":37846998,"uuid":"239106765","full_name":"secretlint/secretlint","owner":"secretlint","description":"Pluggable linting tool to prevent committing credential.","archived":false,"fork":false,"pushed_at":"2026-04-25T14:54:38.000Z","size":36364,"stargazers_count":1378,"open_issues_count":28,"forks_count":49,"subscribers_count":7,"default_branch":"master","last_synced_at":"2026-04-25T15:12:14.174Z","etag":null,"topics":["credential","docker","git","lint","linting","nodejs","secret"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/secretlint.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null},"funding":{"github":"azu"}},"created_at":"2020-02-08T10:13:35.000Z","updated_at":"2026-04-25T13:11:34.000Z","dependencies_parsed_at":"2022-07-14T07:00:38.830Z","dependency_job_id":"357732c0-bb10-4252-9b50-abe8ab1ef611","html_url":"https://github.com/secretlint/secretlint","commit_stats":{"total_commits":1185,"total_committers":34,"mean_commits":34.85294117647059,"dds":0.6143459915611814,"last_synced_commit":"2a3afce795ac9941bb9a73edfbd11e4db835c5a5"},"previous_names":[],"tags_count":121,"template":false,"template_full_name":null,"purl":"pkg:github/secretlint/secretlint","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretlint%2Fsecretlint","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretlint%2Fsecretlint/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretlint%2Fsecretlint/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretlint%2Fsecretlint/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/secretlint","download_url":"https://codeload.github.com/secretlint/secretlint/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/secretlint%2Fsecretlint/sbom","scorecard":{"id":397954,"data":{"date":"2025-08-11","repo":{"name":"github.com/secretlint/secretlint","commit":"9904887925735a94e1344fe5e7c58744e24f4d5a"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.9,"checks":[{"name":"Maintained","score":10,"reason":"30 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":0,"reason":"Found 0/25 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Security-Policy","score":9,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/secretlint/.github/SECURITY.md:1","Info: Found linked content: github.com/secretlint/.github/SECURITY.md:1","Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy","Info: Found text in security policy: github.com/secretlint/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'checks' permission set to 'read': .github/workflows/merge-gatekeeper.yml:16","Info: jobLevel 'statuses' permission set to 'read': .github/workflows/merge-gatekeeper.yml:17","Info: jobLevel 'contents' permission set to 'read': .github/workflows/test-diff.yml:8","Warn: topLevel 'contents' permission set to 'write': .github/workflows/benchmark.yml:9","Warn: topLevel 'security-events' permission set to 'write': .github/workflows/codeql-analysis.yml:27","Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:24","Info: topLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:25","Info: topLevel 'pull-requests' permission set to 'read': .github/workflows/codeql-analysis.yml:26","Info: topLevel 'contents' permission set to 'read': .github/workflows/comment-publish-artifact.yml:10","Warn: topLevel 'contents' permission set to 'write': .github/workflows/create-release-pr.yml:15","Warn: no topLevel permission defined: .github/workflows/merge-gatekeeper.yml:1","Warn: topLevel 'contents' permission set to 'write': .github/workflows/publish-artifact.yml:11","Warn: topLevel 'packages' permission set to 'write': .github/workflows/publish-artifact.yml:12","Warn: topLevel 'contents' permission set to 'write': .github/workflows/publish.yml:11","Warn: no topLevel permission defined: .github/workflows/test-diff.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/test.yml:9","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/publish-artifact.yml:48"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Branch-Protection","score":3,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'master'","Info: 'force pushes' disabled on branch 'master'","Warn: 'branch protection settings apply to administrators' is disabled on branch 'master'","Warn: branch 'master' does not require approvers","Warn: codeowners review is not required on branch 'master'","Warn: 'up-to-date branches' is disabled on branch 'master'","Info: status check found to merge onto on branch 'master'","Warn: PRs are not required to make changes on branch 'master'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v11.0.2 not signed: https://api.github.com/repos/secretlint/secretlint/releases/238910762","Warn: release artifact v11.0.1 not signed: https://api.github.com/repos/secretlint/secretlint/releases/238854446","Warn: release artifact v11.0.0 not signed: https://api.github.com/repos/secretlint/secretlint/releases/238854232","Warn: release artifact v10.2.2 not signed: https://api.github.com/repos/secretlint/secretlint/releases/237393403","Warn: release artifact v10.2.1 not signed: https://api.github.com/repos/secretlint/secretlint/releases/232840180","Warn: release artifact v11.0.2 does not have provenance: https://api.github.com/repos/secretlint/secretlint/releases/238910762","Warn: release artifact v11.0.1 does not have provenance: https://api.github.com/repos/secretlint/secretlint/releases/238854446","Warn: release artifact v11.0.0 does not have provenance: https://api.github.com/repos/secretlint/secretlint/releases/238854232","Warn: release artifact v10.2.2 does not have provenance: https://api.github.com/repos/secretlint/secretlint/releases/237393403","Warn: release artifact v10.2.1 does not have provenance: https://api.github.com/repos/secretlint/secretlint/releases/232840180"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Pinned-Dependencies","score":9,"reason":"dependency not pinned by hash detected -- score normalized to 9","details":["Warn: containerImage not pinned by hash: publish/docker/Dockerfile:1: pin your Docker image by updating node:22-alpine to node:22-alpine@sha256:1b2479dd35a99687d6638f5976fd235e26c5b37e8122f786fcd5fe231d63de5b","Warn: npmCommand not pinned by hash: publish/docker/Dockerfile:11-19","Info:  23 out of  23 GitHub-owned GitHubAction dependencies pinned","Info:  26 out of  26 third-party GitHubAction dependencies pinned","Info:   0 out of   1 containerImage dependencies pinned","Info:   0 out of   1 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":9,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 22 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":8,"reason":"2 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99","Warn: Project is vulnerable to: GHSA-52f5-9888-hmc6"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-18T19:27:52.040Z","repository_id":37846998,"created_at":"2025-08-18T19:27:52.041Z","updated_at":"2025-08-18T19:27:52.041Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32285283,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-25T18:29:39.964Z","status":"online","status_checked_at":"2026-04-26T02:00:05.962Z","response_time":129,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["credential","docker","git","lint","linting","nodejs","secret"],"created_at":"2024-07-31T16:01:19.152Z","updated_at":"2026-04-26T04:00:53.901Z","avatar_url":"https://github.com/secretlint.png","language":"TypeScript","funding_links":["https://github.com/sponsors/azu"],"categories":["TypeScript","Application Security",":blue_heart: Typescript"],"sub_categories":["Secrets detection",":hammer_and_wrench: Tools"],"readme":"# Secretlint [![Actions Status](https://github.com/secretlint/secretlint/workflows/test/badge.svg)](https://github.com/secretlint/secretlint/actions?query=workflow%3A\"test\")\n\n![Secretlint is that Pluggable linting tool to prevent committing credentials.](./docs/assets/SecretLintLP.png)\n\n\u003e Secretlint is a Pluggable linting tool to prevent committing credentials.\n\n## Features\n\n- **Scanner**: Find credentials in a project and report these\n- **Project** Friendly: Easy to set up your project and integrate CI services\n- **Pre-Commit Hook**: Prevent committing credential files\n- **Pluggable**: Allow creating custom rule and flexible configuration\n- **Documentation**: Describe the reason that rule detect it as secret\n\n## Quick Demo\n\nYou can view secretlint linting result on \u003chttps://secretlint.github.io/\u003e.\n\n## Quick Start\n\nYou can try to use Secretlint on your project at one command.\n\nIf you already have installed Docker:\n\n    docker run -v `pwd`:`pwd` -w `pwd` --rm -it secretlint/secretlint secretlint \"**/*\"\n\nIf you already have installed Node.js:\n\n    npx @secretlint/quick-start \"**/*\"\n\nAfter running, \nIf you got empty result and exit status is `0`, your project is secure.\nOtherwise, you got some error report, your project includes credential as raw data.\n\n![An example of secretlint results](./docs/assets/secretlint-report-example.png)\n\nYou want to get continuous security, Please see following installation guide and setup pre-commit hook and CI.\n\n## Installation\n\n### Using Docker\n\n**Prerequisites:** Require [Docker](https://docs.docker.com/install/)\n\nUse our [Docker container](https://hub.docker.com/r/secretlint/secretlint) to get an environment with Node.js and secretlint running as fast as you can download them.\n\nYou can check all files under the current directory with secretlint by following command: \n\n    docker run -v `pwd`:`pwd` -w `pwd` --rm -it secretlint/secretlint secretlint \"**/*\"\n\n[`secretlint/secretlint` docker container](https://hub.docker.com/r/secretlint/secretlint) work without configuration by design.\n\nThis Docker Image has built-in packages:\n\n- [@secretlint/secretlint-rule-preset-recommend](https://www.npmjs.com/package/@secretlint/secretlint-rule-preset-recommend) \n- [@secretlint/secretlint-rule-pattern](https://www.npmjs.com/package/@secretlint/secretlint-rule-pattern)\n- [@secretlint/secretlint-formatter-sarif](https://www.npmjs.com/package/@secretlint/secretlint-formatter-sarif)\n\nFor more details, please see [secretlint's Dockerfile](./publish/docker).\n\n### Using Node.js\n\n**Prerequisites:**  Require [Node.js 22+](https://nodejs.org/).\n\nSecretlint is written by JavaScript.\nYou can install Secretlint using [npm](https://www.npmjs.com/):\n\n```\nnpm install secretlint @secretlint/secretlint-rule-preset-recommend --save-dev\n```\n\nYou should then set up a configuration file:\n\n```\nnpx secretlint --init\n```\n\nFinally, you can run Secretlint on any file or directory like this:\n\n```\nnpx secretlint \"**/*\"\n```\n\n:memo: Secretlint supports [glob pattern](https://github.com/mrmlnc/fast-glob#basic-syntax) and glob pattern should be wrapped by a double quote.\n\nIt is also possible to install Secretlint globally using `npm install --global`. But, We do not recommend it, some rules may be broken globally.\n\n### Using Single-Executable Binary\n\n**Prerequisites:** None\n\nYou can use `secretlint` command without Node.js by using a single-executable binary.\n\n1. Download the latest binary from [Releases page](https://github.com/secretlint/secretlint/releases) \n2. Change the file permission to executable: `chmod +x ./secretlint`\n3. Run `./secretlint --init` to create a configuration file\n4. Run `./secretlint \"**/*\"` to lint your project\n\nFor more details, please see [publish/binary-compiler](./publish/binary-compiler) README.\n\n## Usage\n\n`secretlint --help` shows Usage.\n\n    Secretlint CLI that scan secret/credential data.\n    \n    Usage\n    $ secretlint [file|glob*]\n    \n    Note\n    supported glob syntax is based on microglob\n    https://github.com/micromatch/micromatch#matching-features\n    \n    Options\n    --init             setup config file. Create .secretlintrc.json file from your package.json\n    --format           [String] formatter name. Default: \"stylish\". Available Formatter: checkstyle, compact, github, jslint-xml, junit, pretty-error, stylish, tap, unix, json, mask-result, table\n    --output           [path:String] output file path that is written of reported result.\n    --no-color         disable ANSI-color of output.\n    --no-terminalLink  disable terminalLink of output.\n    --no-maskSecrets   disable masking of secret values; secrets are masked by default.\n    --secretlintrc     [path:String] path to .secretlintrc config file. Default: .secretlintrc.*\n    --secretlintignore [path:String] path to .secretlintignore file. Default: .secretlintignore\n    --stdinFileName    [String] filename to process STDIN content. Some rules depend on filename to check content.\n    \n    Options for Developer\n    --profile          Enable performance profile.\n    --secretlintrcJSON [String] a JSON string of .secretlintrc. use JSON string instead of rc file.\n    \n    Experimental Options\n    --locale            [String] locale tag for translating message. Default: en\n    \n    Examples\n    $ secretlint ./README.md\n    # glob pattern should be wrapped with double quote\n    $ secretlint \"**/*\"\n    $ secretlint \"source/**/*.ini\"\n    # output masked result to file\n    $ secretlint .zsh_history --format=mask-result --output=.zsh_history\n    # lint STDIN content instead of file\n    $ echo \"SECRET CONTENT\" | secretlint --stdinFileName=secret.txt\n    \n    Exit Status\n    Secretlint exits with the following values:\n    \n        - 0:\n          - Linting succeeded, no errors found.\n          - Found lint error but --output is specified.\n        - 1:\n          - Linting failed, errors found.\n        - 2:\n          - Unexpected error occurred, fatal error.\n\n\n## Configuration\n\nSecretlint has a configuration file `.secretlintrc.{json,yml,js}`.\n\n- Document: [Configuring Secretlint](./docs/configuration.md)\n\nAfter running `secretlint --init`, you'll have a `.secretlintrc.json` file in your directory.\n\nIn it, you'll see some rules configured like this:\n\n```json\n{\n  \"rules\": [\n    {\n      \"id\": \"@secretlint/secretlint-rule-preset-recommend\"\n    }\n  ]\n}\n```\n\nThe `id` property is the name of secretlint rule package. \n\nSecretlint does not have built-in rule.\nYou want to add some rule and You should **install** the package and **add** the rule to `.secretlintrc` file.\n\nEach rule has same configuration pattern:\n\n- `options`: Option definition for the rule. For more details, see each rule documentation\n- `disabled`: If `disabled` is `true`, disable the rule\n- `allowMessageIds`: `allowMessageIds` is an array of message id that you want to suppress error report\n    - message id is defined in each rule and please see the rule documentation\n\n### Example: `options`\n\nFor example, `@secretlint/secretlint-rule-example` has `allows` in `options`.\nThis `allows` option define a list of [RegExp-like String](https://github.com/textlint/regexp-string-matcher#regexp-like-string) that you want to ignore.\n\n```json\n{\n  \"rules\": [\n    {\n      \"id\": \"@secretlint/secretlint-rule-example\",\n      \"options\": {\n        \"allows\": [\n          \"/dummy_secret/i\"\n        ]\n      }\n    }\n  ]\n}\n```\n\nWhen you use a preset like `@secretlint/secretlint-rule-preset-recommend`, you need to put the option in `rules`.\n\nFor example, an option for `@secretlint/secretlint-rule-preset-recommend \u003e @secretlint/secretlint-rule-aws` \n\n```json5\n{\n  \"rules\": [\n    {\n      \"id\": \"@secretlint/secretlint-rule-preset-recommend\",\n      \"rules\": [\n        {\n          \"id\": \"@secretlint/secretlint-rule-aws\",\n            \"options\": {\n              \"allows\": [\n\t            // it will be ignored\n                \"xxxx-xxxx-xxxx-xxxx-xxxx\"\n              ]\n            }\n        }\n      ]\n    }\n  ]\n}\n```\n\n### Example: `allowMessageIds`\n\nFor example, you have got following error report by run `secretlint`:\n\n```\n$ secretlint \"**/*\"\n\nSECRET.txt\n  1:8  error  [EXAMPLE_MESSAGE] found secret: SECRET  @secretlint/secretlint-rule-example\n\n✖ 1 problem (1 error, 0 warnings)\n```\n\nThis error's message id is `EXAMPLE_MESSAGE` in `@secretlint/secretlint-rule-example`.\n\nIf you want to ignore this error, please use `allowMessageIds`.\n\n```json\n{\n  \"rules\": [\n    {\n      \"id\": \"@secretlint/secretlint-rule-example\",\n      \"allowMessageIds\": [\"EXAMPLE_MESSAGE\"]\n    }\n  ]\n}\n```\n\nWhen you use a preset like `@secretlint/secretlint-rule-preset-recommend`, you need to put the option in `rules`.\n\nFor example, If you want to ignore \"AWSAccountID\" and \"AWSAccessKeyID\" of \"@secretlint/secretlint-rule-aws\", you can write following.\n\n```json5\n{\n  \"rules\": [\n    {\n      \"id\": \"@secretlint/secretlint-rule-preset-recommend\",\n      \"rules\": [\n        {\n          \"id\": \"@secretlint/secretlint-rule-aws\",\n          \"allowMessageIds\": [\"AWSAccountID\", \"AWSAccessKeyID\"]\n        }\n      ]\n    }\n  ]\n}\n```\n\n### Ignoring by comment\n\n[@secretlint/secretlint-rule-filter-comments](https://www.npmjs.com/package/@secretlint/secretlint-rule-filter-comments) supports ignoring comment like `secretlint-disable`.\n\n```\n// secretlint-disable\n\nTHIS IS SECRET, BUT IT WILL BE IGNORED\n\n// secretlint-enable\n```\n\nFor more details, please see [Configuring Secretlint](./docs/configuration.md).\n\n## Use Cases\n\n### Mask secrets in lint error message (Default behavior)\n\nSecretlint masks secrets in lint error messages by default. This is useful to prevent accidental secret exposure in CI logs, terminal output, or when using AI agent tools.\n\n```bash\n# Secrets are masked by default\n$ secretlint \"**/*\"\n```\n\nTo show actual secret values in the output, use `--no-maskSecrets`:\n\n```bash\n$ secretlint --no-maskSecrets \"**/*\"\n```\n\n### Fix secrets\n\nSecretlint can not fix the secrets automatically.\nHowever, It is useful that `--format=mask-result` mask the secrets of input file.\n\nFor example, you can mask the secrets of `.zsh_history` file and overwrite it.\n\n```bash\n$ secretlint .zsh_history --format=mask-result --output=.zsh_history\n```\n\n## Rule Packages\n\nSecretlint rules has been implemented as separated modules.\n\n- [@secretlint/secretlint-rule-npm](./packages/@secretlint/secretlint-rule-npm)\n- [@secretlint/secretlint-rule-aws](./packages/@secretlint/secretlint-rule-aws)\n- [@secretlint/secretlint-rule-gcp](./packages/@secretlint/secretlint-rule-gcp)\n- [@secretlint/secretlint-rule-github](./packages/@secretlint/secretlint-rule-github)\n- [@secretlint/secretlint-rule-gitlab](./packages/%40secretlint/secretlint-rule-gitlab)\n- [@secretlint/secretlint-rule-privatekey](./packages/@secretlint/secretlint-rule-privatekey)\n- [@secretlint/secretlint-rule-basicauth](./packages/@secretlint/secretlint-rule-basicauth)\n- [@secretlint/secretlint-rule-slack](./packages/@secretlint/secretlint-rule-slack)\n- [@secretlint/secretlint-rule-sendgrid](./packages/%40secretlint/secretlint-rule-sendgrid)\n- [@secretlint/secretlint-rule-shopify](./packages/%40secretlint/secretlint-rule-shopify)\n- [@secretlint/secretlint-rule-openai](./packages/%40secretlint/secretlint-rule-openai)\n- [@secretlint/secretlint-rule-anthropic](./packages/%40secretlint/secretlint-rule-anthropic)\n- [@secretlint/secretlint-rule-grafana](./packages/%40secretlint/secretlint-rule-grafana)\n- [@secretlint/secretlint-rule-groq](./packages/%40secretlint/secretlint-rule-groq)\n- [@secretlint/secretlint-rule-linear](./packages/%40secretlint/secretlint-rule-linear)\n- [@secretlint/secretlint-rule-1password](./packages/%40secretlint/secretlint-rule-1password)\n- [@secretlint/secretlint-rule-database-connection-string](./packages/%40secretlint/secretlint-rule-database-connection-string)\n- [@secretlint/secretlint-rule-databricks](./packages/%40secretlint/secretlint-rule-databricks)\n- [@secretlint/secretlint-rule-hashicorp-vault](./packages/%40secretlint/secretlint-rule-hashicorp-vault)\n- [@secretlint/secretlint-rule-vercel](./packages/%40secretlint/secretlint-rule-vercel)\n- [@secretlint/secretlint-rule-azure](./packages/%40secretlint/secretlint-rule-azure)\n- [@secretlint/secretlint-rule-docker](./packages/%40secretlint/secretlint-rule-docker)\n- [@secretlint/secretlint-rule-figma](./packages/%40secretlint/secretlint-rule-figma)\n- [@secretlint/secretlint-rule-huggingface](./packages/%40secretlint/secretlint-rule-huggingface)\n- [@secretlint/secretlint-rule-notion](./packages/%40secretlint/secretlint-rule-notion)\n- [@secretlint/secretlint-rule-secp256k1-privatekey](./packages/@secretlint/secretlint-rule-secp256k1-privatekey)\n- [@secretlint/secretlint-rule-no-k8s-kind-secret](./packages/@secretlint/secretlint-rule-no-k8s-kind-secret)\n- [@secretlint/secretlint-rule-pattern](./packages/@secretlint/secretlint-rule-pattern)\n- [@secretlint/secretlint-rule-no-homedir](./packages/@secretlint/secretlint-rule-no-homedir)\n- [@secretlint/secretlint-rule-no-dotenv](./packages/%40secretlint/secretlint-rule-no-dotenv)\n- [@secretlint/secretlint-rule-filter-comments](./packages/%40secretlint/secretlint-rule-filter-comments)\n\n\nAlso, Secretlint provides rule preset that includes recommended rule set.\n\n- [@secretlint/secretlint-rule-preset-recommend](./packages/@secretlint/secretlint-rule-preset-recommend)\n    - Recommended rule set\n\n## Custom Rules\n\nYou can create own secretlint rule.\n\nYou want to get a secretlint rule suitable for your project and you can create it!\nA secretlint rule is a just npm package.\n\nIf you want to know creating secretlint rule, please see [docs/secretlint-rule.md](docs/secretlint-rule.md).\n\n## Integrations\n\n### Pre-commit Hook per project\n\nYou can use Secretlint with some pre-commit tool.\nThis can prevent to commit secret data by linting with Secretlint.\n\nApplying secretlint to the project and improve security on team developing.\n\n#### [Husky](https://github.com/typicode/husky) + [lint-staged](https://github.com/okonet/lint-staged)\n\n**Use Case:** If you want to introduce secretlint to Node.js project, this combination is useful.\n\nInstall [Husky](https://github.com/typicode/husky) and [lint-staged](https://github.com/okonet/lint-staged):\n\n```\nnpx husky-init \u0026\u0026 npm install lint-staged --save-dev\n```\n\nAdd hooks to `.husky/pre-commit`:\n\n```\nnpx husky add .husky/pre-commit \"npx --no-install lint-staged\"\n```\n\nEdit `package.json`:\n\n```json5\n{\n  // add \"lint-staged\" field\n  \"lint-staged\": {\n    \"*\": [\n      \"secretlint --no-glob\"\n    ]\n  }\n}\n```\n\n\u003e **Note:** The `--no-glob` flag is required because lint-staged passes literal file paths that may contain glob special characters (e.g., `(group)` or `[param]` routing patterns used by Next.js, SvelteKit, etc.).\n\nThis means that check each staged file by Secretlint before commit. \n\n#### [pre-commit](https://github.com/pre-commit/pre-commit)\n\n**Use Case:** You have a project that is developing with Docker. Easy to integrate to secretlint.\n\nInstall [pre-commit](https://pre-commit.com/#install)\n\n    # macOS. see also https://pre-commit.com/#install\n    brew install pre-commit\n\nCreate `.pre-commit-config.yaml`:\n\n```\n-   repo: local\n    hooks:\n    -   id: secretlint\n        name: secretlint\n        language: docker_image\n        entry: secretlint/secretlint:latest secretlint\n```\n\nExample setup repository:\n\n- https://github.com/azu/secretlint-pre-commit-example\n\n#### Bash Script\n\nAlternately you can save this script as `.git/hooks/pre-commit` and give it execute permission(`chmod +x .git/hooks/pre-commit`):\n\n```bash\n#!/bin/sh\nFILES=$(git diff --cached --name-only --diff-filter=ACMR | sed 's| |\\\\ |g')\n[ -z \"$FILES\" ] \u0026\u0026 exit 0\n\n# Secretlint all selected files\necho \"$FILES\" | xargs ./node_modules/.bin/secretlint --no-glob\n# If you using docker\n# echo \"$FILES\" | xargs docker run -v `pwd`:`pwd` -w `pwd` --rm secretlint/secretlint secretlint\nRET=$?\nif [ $RET -eq 0 ] ;then\n    exit 0\nelse\n    exit 1\nfi\n```\n\n### Pre-commit Hook globally\n\n**Use Case:** If you want to check any project by secretlint, you can use global git hooks.\n\n[Git 2.9+](https://github.blog/2016-06-13-git-2-9-has-been-released/) supports [`core.hooksPath`](https://git-scm.com/docs/githooks).\nIt allow to integrate secretlint globally.\n\nWe have created an example git hooks project using secretlint + Docker.\n\n- [secretlint/git-hooks](https://github.com/secretlint/git-hooks)\n    - Requirement: Docker\n\nYou can set up by following steps:\n\n```shell script\n# clone this repository\ngit clone https://github.com/secretlint/git-hooks git-hooks\ncd git-hooks\n# integrate secretlint to git hook globally\ngit config --global core.hooksPath $(pwd)/hooks\n```\n\nAfter setup of `core.hooksPath`, secretlint check any file before you commit it.  \n\nFor more details, see [secretlint/git-hooks](https://github.com/secretlint/git-hooks) project.\n\nNode.js version can also be used for global git hook.\nIf you are interested in it, please see [@azu/git-hooks](https://github.com/azu/git-hooks).\n\n### CI\n\n#### GitHub Actions\n\nIf you already set secretlint [Using Node.js](#using-nodejs), you can run secretlint with your configuration on [GitHub Actions](https://github.co.jp/features/actions).\n\nPut `.github/workflows/secretlint.yml` in your repository.\n\n```yaml\nname: Secretlint\non: [push, pull_request]\npermissions:\n  contents: read\njobs:\n  test:\n    name: \"Secretlint\"\n    runs-on: ubuntu-latest\n    steps:\n      - name: checkout\n        uses: actions/checkout@v3\n      - name: setup Node.js\n        uses: actions/setup-node@v3\n        with:\n          node-version: 22\n      - name: Install\n        run: npm ci\n      - name: Lint with Secretlint\n        run: npx secretlint \"**/*\"\n```\n\n##### `--format github` for Pull Request annotations\n\nYou can use `--format github` to show lint errors as annotations on Pull Request files.\nThis formatter outputs [GitHub Actions workflow commands](https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions) that display error annotations directly on the changed files in your Pull Request.\n\n```yaml\n      - name: Lint with Secretlint\n        run: npx secretlint --format github \"**/*\"\n```\n\nThis configuration integrates Pull Request review annotations.\n\n![github-actions.png](./docs/assets/github-actions.png)\n\n- Example Repository: https://github.com/secretlint/secretlint-github-actions-example\n- Example Pull Request: https://github.com/secretlint/secretlint-github-actions-example/pull/1/files\n\nIf you want to only check diff files, please see following example:\n\n```yaml\nname: test-diff\non:\n  push:\n  pull_request:\njobs:\n  test-diff:\n    permissions:\n      contents: read\n    name: \"Run secretlint to diff files\"\n    runs-on: ubuntu-latest\n    steps:\n      - name: checkout\n        uses: actions/checkout@v4\n        with:\n          # fetch history to get all changed files on push or pull_request event\n          fetch-depth: 0\n      - name: Get changed files\n        id: changed-files\n        uses: tj-actions/changed-files@v44\n        with:\n          quotepath: \"false\"\n      - name: setup Node ${{ matrix.node-version }}\n        uses: actions/setup-node@v4\n        with:\n          node-version: 22\n      - name: Show changed files\n        run: echo \"${{ steps.changed-files.outputs.all_changed_files }}\"\n      - name: Install\n        if: steps.changed-files.outputs.any_changed == 'true'\n        run: npm ci\n      - name: Run secretlint\n        if: steps.changed-files.outputs.any_changed == 'true'\n        run: npx secretlint --no-glob ${{ steps.changed-files.outputs.all_changed_files }}\n```\n\n#### Mega-Linter\n\n[Mega-Linter](https://nvuillam.github.io/mega-linter/) is a linters aggregator natively compliant with any CI tool, embedding [80+ linting apps](https://nvuillam.github.io/mega-linter/supported-linters/), including [**secretlint**](https://nvuillam.github.io/mega-linter/descriptors/credentials_secretlint/) by default.\n\nYou can [install](https://nvuillam.github.io/mega-linter/installation/) it on any repository project using the following command (Node.js must be installed previously)\n\n```shell\nnpx mega-linter-runner --install\n```\n\n![megalinter-secretlint-failure.png](./docs/assets/megalinter-secretlint-failure.png)\n\n### Browser\n\n[Secretlint WebExtension](https://github.com/secretlint/webextension) works on your browser.\n\n- Firefox: \u003chttps://addons.mozilla.org/ja/firefox/addon/secretlint/\u003e\n- Chrome: \u003chttps://chrome.google.com/webstore/detail/secretlint/hidpojbnemkajlnibhmeilpgoddkjjkf\u003e\n\nThis web extension aims to find credentials that are included in your request/response.\n\n![Secretlint WebExtension](https://raw.githubusercontent.com/secretlint/webextension/main/docs/screenshot.png)\n\nSecretlint WebExtension integrates to DevTools in Chrome/Firefox.\nThis extension helps web developers to notice exposed credentials.\n\n### macOS\n\n[SecureClipboard](https://github.com/secretlint/secure-clipboard) is a macOS menu bar application that uses Secretlint to detect and mask secrets in your clipboard before they are pasted elsewhere.\n\n### Others\n\n#### SARIF format support\n\nPlease use [@secretlint/secretlint-formatter-sarif](./packages/@secretlint/secretlint-formatter-sarif).\n\n```\nnpm install @secretlint/secretlint-formatter-sarif --dev\nsecretlint --format @secretlint/secretlint-formatter-sarif \"**/*\"\n```\n\n## Semantic Versioning Policy\n\nSecretlint project follows [Semantic Versioning](https://semver.org/ \"Semantic Versioning\")([secretlint-rule-preset-canary](packages/@secretlint/secretlint-rule-preset-canary) is an exception).\n\n- Patch release (intended to not break your lint build)\n    - A bug fix to the CLI or core (including formatters).\n    - Improvements to documentation.\n    - Non-user-facing changes such as refactoring.\n    - Re-releasing after a failed release (i.e., publishing a release that doesn't work for anyone).\n- Minor release (might break your lint build)\n    - A new option.\n    - An existing rule is deprecated.\n    - A new CLI capability is created.\n    - New public API are added (new classes, new methods, new arguments to existing methods, etc.).\n        - It might break TypeScript definitions\n    - A new formatter is created.\n- Major release (break your lint build)\n    - A new option to an existing rule that results in secretlint reporting more errors by default.\n    - An existing formatter is removed.\n    - Add new default rule to rule preset.\n    - Part of the public API is removed or changed in an incompatible way.\n\n## Motivation\n\n- [git-secrets](https://github.com/awslabs/git-secrets) is useful, but it is hard to setup per project.\n\t- Its main use-case is global installation\n\t- Secretlint wants to install for a project and customize setting per project.\n- [repo-security-scanner](https://github.com/UKHomeOffice/repo-security-scanner), [Gitleaks](https://github.com/zricethezav/gitleaks) and [truffleHog](https://github.com/dxa4481/truffleHog) is good scan tools\n\t- Secretlint needs flexible customization that includes ignoring definitions, custom rules.\n- [detect-secrets](https://github.com/Yelp/detect-secrets) is similar tools, but it adopts opt-out approach\n    - Secretlint adopts opt-in approach  \n    - We also need to custom rules by user\n\t\t- See [Bring-your own-plugins (BYOP), via --custom-plugins option by KevinHock · Pull Request #255 · Yelp/detect-secrets](https://github.com/Yelp/detect-secrets/pull/255)\n- GitHub support [secret scanning](https://docs.github.com/en/code-security/secret-security/about-secret-scanning), but it only works after commit [~~push~~](https://docs.github.com/en/code-security/secret-scanning/push-protection-for-users)\n    - Secretlint works on your local machine, Secretlint can prevent to commit\n\n## Philosophy\n\n- Reduce false-positive of linting\n- Integration to developing workflow\n- Empower Users to Contribute\n\n### Opt-in instead of Opt-out\n\nSecretlint adopt opt-in approach.\n\nIn our experience, linting tools that report various errors by default are difficult to use.\nOpt-in approach helps to introduce Secretlint incrementally.\n\nIt will help to reduce false-positive by configuration.\n\n### Rule as Documentation\n\nWe think a rule as a documentation.\nSo, Each rule should have reasonable documentation.\n\nWe need to describe why this file is error.\nA rule that has no documentation is just opinionated.\n\nDescribe the reason of error and then it will lead to reduce false-positive error.\n\nAlso, Secretlint CLI support hyperlink in Terminal.\nIt means that you can jump to rule documentation from lint error message directly.\n\n![clickable link in output](./docs/assets/docsUrl.png)\n\n\u003e Example on iTerm 2: Cmd + Click error's messageId and open [AWSSecretAccessKey](https://github.com/secretlint/secretlint/blob/master/packages/%40secretlint/secretlint-rule-aws/README.md#awssecretaccesskey) on your browser. \n\nIf you want to know support terminal, please see [Hyperlinks in Terminal Emulators](https://gist.github.com/egmontkob/eb114294efbcd5adb1944c9f3cb5feda). \n\nAlso, Welcome to Contribution about secretlint documentation!\n\n### Why Node.js?\n\n- Package Manager\n\t- Require package manager to realize flexible pluggable system\n\t- Node.js has npm and pnpm as package manager\n\t- Package manager help to install custom plugin/rule by user\n- Exist Reference Implementation\n\t- Node.js already has pluggable linting tools like ESLint, textlint, stylelint etc\n\t- So Node.js users are familiar with pluggable linting tools\n\t- Previously, I created textlint with the same approach, so I am familiar with Node.js\n- Users\n    - JavaScript is a popular language\n    - It empowers users to contribute\n    - Users can create own rule by own hand\n\nOf course, secretlint also support [Docker](https://hub.docker.com/r/secretlint/secretlint).\n\n## Changelog\n\nSee [Releases page](https://github.com/secretlint/secretlint/releases).\n\n## Contributing\n\nPull requests and stars are always welcome.\n\nFor bugs and feature requests, [please create an issue](https://github.com/secretlint/secretlint/issues).\n\nSee also, [CONTRIBUTING.md](./CONTRIBUTING.md) and [CODE_OF_CONDUCT.md](./CODE_OF_CONDUCT.md)\n\n### Add New Rule\n\nYou can use `pnpm run gen:rule` command to create new rule.\n\n```shell script\npnpm run gen:rule\n```\n\nFor more details, please see [CONTRIBUTING.md](./CONTRIBUTING.md)\n\n### Benchmark\n\nBenchmark workflow is run on every commit.\n\n- Benchmark: https://secretlint.github.io/secretlint/dev/bench/\n\n## Author\n\n- [github/azu](https://github.com/azu)\n- [twitter/azu_re](https://twitter.com/azu_re)\n\n## License\n\nMIT © azu\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecretlint%2Fsecretlint","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsecretlint%2Fsecretlint","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecretlint%2Fsecretlint/lists"}