https://github.com/cipherscan/cipherscan-vscode

CipherScan-VSCode is a vscode extension that scans your workspace for exposed secrets like API keys, tokens etc. ensuring security with customizable patterns, real-time feedback, and detailed reports before pushing to Git.
https://github.com/cipherscan/cipherscan-vscode

exposed-credentials git github hardcoded-secrets realtime report-generator scanner secrets-detection secure-coding vscode-extension

Last synced: 5 days ago
JSON representation

CipherScan-VSCode is a vscode extension that scans your workspace for exposed secrets like API keys, tokens etc. ensuring security with customizable patterns, real-time feedback, and detailed reports before pushing to Git.

• Host: GitHub
• URL: https://github.com/cipherscan/cipherscan-vscode
• Owner: cipherscan
• License: apache-2.0
• Created: 2024-12-04T20:37:01.000Z (29 days ago)
• Default Branch: master
• Last Pushed: 2024-12-17T06:11:46.000Z (17 days ago)
• Last Synced: 2024-12-17T07:24:54.218Z (17 days ago)
• Topics: exposed-credentials, git, github, hardcoded-secrets, realtime, report-generator, scanner, secrets-detection, secure-coding, vscode-extension
• Language: TypeScript
• Homepage: https://github.com/cipherscan/cipherscan-vscode
• Size: 1.8 MB
• Stars: 2
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • Contributing: CONTRIBUTING.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# CipherScan for VSCode

If CipherScan helps you, consider giving us a ⭐ on **[GitHub](https://github.com/cipherscan/cipherscan-vscode)**! Your support encourages future development and helps others discover this tool!

![CipherScan Logo](src/assets/img/cipherscan-logo128.png)

**CipherScan** is a Visual Studio Code extension that easily scans your project for sensitive information such as API keys, passwords, tokens, and more. You can manually trigger scans to help secure your codebase by identifying potential secrets quickly.

## 🚀 Features

1. 🔍 **Manual Scan Control**

   - Scan your entire workspace or specific folders for sensitive information with a single click on the **Find Exposed Secrets** button in the VSCode status bar. 

   - Scans only run when triggered, giving you control over scan timing without disrupting your workflow.

2. 🧩 **Custom Pattern Detection**  

   - Define custom regex patterns to detect secrets like **GitHub tokens**, **AWS keys**, and more, tailored to your specific needs.

3. 📄 **Comprehensive Logs**  

   - All scans are logged in the `.cipherscan` folder, including:

     

     - **.cipherscan-secrets.log**: Detailed scan logs with start time, files scanned, and detected secrets in workspace.

     - **.cipherscan-report.html**: A visually rich HTML report summarizing detected secrets, severity, and file locations.

   - By default, `.cipherscan` is added to `.gitignore` to prevent accidental commits)

4. ⏱️ **Real-Time Feedback**  

   - Get time-stamped updates during the scan, including the number of files scanned and any detected secrets.

5. 🔐 **Pre-Commit Scan Reminder**  

   - When committing changes, CipherScan reminds you to run a quick scan to check for any exposed secrets before pushing.

###

## 🛠️ Installation & Setup

### 1. Install the Extension

   - Open **VSCode**, go to the **Extensions Marketplace**, and search for **CipherScan**.

   - Click **Install** to add the extension.

### 2. Manual Installation from `.vsix` File (Alternative)

   - Visit the [CipherScan GitHub repository](https://github.com/cipherscan/cipherscan-vscode) and download the latest `.vsix` package from the **Releases** section or from the ***/dist** folder.

   - In **VSCode**, open the **Command Palette** (`Ctrl+Shift+P`), search for **"Install from VSIX"**, and select the downloaded file.

### 3. Run a Scan

   - After installation, click the **Find Exposed Secrets** button in the **status bar** to start scanning your workspace for secrets.

   - You will be prompted to choose where to scan:

      - **Entire Workspace**: Scans all files within your workspace.

      - **Specific Folder**: Allows you to select a specific folder within the workspace to scan.

   - Select the desired option to start the scan.

### 4. Review and Fix Detected Secrets

   - The **webview** will display all detected secrets, including the **file path** and **line number**.

   - Click the line number to navigate directly to the location of the secret and fix it.

   - If a **false positive** is detected, click **Ignore** in the webview to exclude it from the report and logs.

   - If everything looks good, click **Continue** to finalize the scan.

### 5. View Scan Results

   - After completing the scan, go to the `.cipherscan` folder:

     

     - **.cipherscan-secrets.log**: Detailed log of the scan.

     - **.cipherscan-report.html**: A summary report of detected secrets and their severity.

###

## 🔧 Configuration

You can customize how CipherScan works through your VSCode settings.

### Custom Patterns

To detect custom secrets, you can configure your own regex patterns. Add these patterns in your workspace settings (`settings.json`):

```json

"cipherscan.customPatterns": [

    {

        "name": "Custom API Key",

        "regex": "custom_api_[a-zA-Z0-9]{32}",

        "severity": "High"

    },

    {

        "name": "Internal Token",

        "regex": "int-token-[0-9]{16}",

        "severity": "Medium"

    }

]

```

- **name**: The name you want to give to the pattern (e.g., "Custom API Key").

- **regex**: The regex pattern used to match the secret you want to detect.

- **severity**: The severity level for this secret (e.g., `Low`, `Medium`, `High`).

You can add as many custom patterns as needed to suit your project’s requirements.

![CipherScan Settings JSON](src/assets/img/cipherscan-settings-json.png)

### Exclude Files from Scanning

If you want to exclude certain files or folders from being scanned, you can specify them in your workspace settings.

```

"cipherscan.excludeFiles": [

    "**/node_modules", 

    "**/dist", 

    "**/*.min.js", 

    "**/package-lock.json", 

    ".git", 

    ".vscode", 

    ".cipherscan"

]

```

This helps prevent unnecessary scans of files that aren’t relevant to secret detection, such as build files or dependencies.

![CipherScan Settings UI](src/assets/img/cipherscan-settings-ui.png)

### Git Ignore Configuration

By default, CipherScan will ask if you want to add the `.cipherscan` folder to `.gitignore`. This is recommended to avoid committing sensitive log or report files by prompting user to run a scan before Git push. You can disable this behavior through the configuration.

```

"cipherscan.addToGitIgnore": false

```

###

## 📝 **Log & Report Generation Example**

When you run a scan, **CipherScan** generates detailed logs and a comprehensive report to track the scanning process and provide insight into the results.

### **Logs:**  

Logs are saved in the `.cipherscan-secrets.log` file located in the `.cipherscan` folder. This log file contains step-by-step details about the scan, including timestamps, files scanned, and any secrets detected. Below is an example of a log entry:

```

[2024-11-24T11:35:25.701Z] [INFO] ---------------------------- Workspace Scan started ----------------------------

[2024-11-24T11:35:25.767Z] [INFO] Found 1 files to scan.

[2024-11-24T11:35:25.770Z] [WARNING] Secret detected: GitHub Token at line 7 in /home/user/sample-project/test.js

[2024-11-24T11:35:25.772Z] [INFO] --------------- Workspace Scan completed: Exposed secrets found ---------------

```

- **Scan started**: Timestamp when the scan was initiated.

- **Found X files to scan**: Number of files discovered and scanned in the workspace.

- **Secret detected**: The detected secret (e.g., GitHub Token) along with the specific file and line number where it was found.

- **Scan completed**: Indicates the completion of the scan, whether secrets were found or not.

![CipherScan Logfile](src/assets/img/cipherscan-logfile.png)

### **Report:**  

In addition to the log, CipherScan generates a **.cipherscan-report.html** file. This HTML report provides a visually rich summary of the scan, displaying the detected secrets, their severity, risk levels, and the specific locations (file and line number) where they were found.

- **Visual Summary**: The report highlights detected secrets in a user-friendly format with color-coded risk levels.

- **Detailed Breakdown**: Shows file paths, line numbers, and severity of each detected secret.

![CipherScan Report](src/assets/img/cipherscan-report.png)

###

## ⚠️ Handling False Positives

If **CipherScan** detects secrets that are false positives (e.g., test API keys, mock data, or other non-sensitive information), you can easily dismiss them. Simply click the **"IGNORE"** button in the webview to mark them as false positives. This action ensures that they are excluded from the scan results, logs, and final reports.

By ignoring false positives, you can maintain clean and accurate logs, ensuring that only actual security threats are flagged. This feature helps streamline the scan process and improves the accuracy of your reports.

![CipherScan Webview](src/assets/img/cipherscan-webview.png)

###

## 📄 License

This project is licensed under the Apache License, Version 2.0 - see the [LICENSE](LICENSE) file for details.

###

## 🤝 Contributing

We welcome contributions! If you would like to contribute to **CipherScan**, please follow these steps:

1. **Fork the Repository**: Click the "Fork" button at the top-right of the repository page on GitHub.

2. **Clone Your Fork**:  

   Clone your forked repository to your local machine:

   ```bash

   git clone https://github.com//cipherscan-vscode.git

   ```

3. **Create a New Branch**:  

   Always create a new branch for your changes to keep your work organized and separate from the main branch:

   ```bash

   git checkout -b your-branch-name

   ```

4. **Make Your Changes**:

   Implement your changes, whether it's fixing a bug, adding a feature, or improving the documentation.

5. **Commit Your Changes**:

   Once you’ve made your changes, stage and commit them with a descriptive message:

   ```bash

   git add .

   git commit -m "Brief description of the changes"

   ```

6. **Push Your Changes**:

   Push your branch to your forked repository on GitHub:

   ```bash

   git push origin your-branch-name

   ```

7. **Submit a Pull Request (PR)**:

   1. Go to the original CipherScan repository on GitHub.

   2. Click on New Pull Request.

   3. Select your branch as the source and the main branch of the original repository as the destination.

   4. Provide a clear description of your changes in the PR description.

   5. Click Create Pull Request.

8. **Address Feedback**:

   A maintainer will review your pull request. Be prepared to:

   - Make any requested changes.

   - Engage in discussion about your PR if needed.

   - Push additional commits to the same branch to update the PR.

   Once the maintainer approves your changes, your contribution will be merged!

9. **Sync Your Fork** (Optional but Recommended):

   To keep your fork updated with the latest changes from the main repository, add the original repository as a remote:

   ```bash

   git remote add upstream https://github.com/cipherscan/cipherscan-vscode.git

   ```

   Fetch and merge the latest changes:

   ```bash

   git fetch upstream

   git merge upstream/main

   ```

For more details on contributing, refer to the [CONTRIBUTING.md](CONTRIBUTING.md) file.

Thank you for your contribution!

## 🔗 Contact

For any questions or issues, please open an issue in the GitHub repository.