2.1.1 • Published 3 months ago

detect-secrets-js v2.1.1

Weekly downloads
-
License
MIT
Repository
github
Last release
3 months ago

detect-secrets-js

A JavaScript implementation of Yelp's detect-secrets tool, with no Python dependency required.

This package provides the same functionality as Yelp's detect-secrets but implemented in JavaScript using WebAssembly technology, eliminating the need for Python installation.

Features

  • No Python Required: Uses WebAssembly to run the scanning code directly in Node.js
  • Easy Installation: Simple npm installation with no external dependencies
  • Fast Scanning: Efficiently scans files and directories for secrets
  • Customizable: Configure exclusions, scan specific directories, and more
  • False Positive Detection: Identifies likely false positives to reduce noise
  • Missed Secret Detection: Optional detection of patterns that might be missed by the main scanner
  • Compatible API: Similar interface to Yelp's detect-secrets for easy migration
  • Memory Efficient: Automatically skips binary files and handles large codebases

Installation

npm install -g detect-secrets-js

Usage

Command Line

# Scan the current directory
detect-secrets-js

# Scan a specific directory
detect-secrets-js --directory ./src

# Exclude specific files or directories
detect-secrets-js --exclude-files "*.test.js,*.spec.js" --exclude-dirs "node_modules,dist"

# Check for potentially missed secrets
detect-secrets-js --check-missed

# Save results to a file
detect-secrets-js --output results.json

# Enable file size limits to prevent memory issues with very large files
detect-secrets-js --limit-file-size

# Set a custom maximum file size (in KB) when limits are enabled
detect-secrets-js --limit-file-size --max-file-size 2048

API

const detectSecrets = require('detect-secrets-js');

async function scanMyProject() {
  // Initialize the WebAssembly module (required before scanning)
  await detectSecrets.initialize();
  
  // Scan a directory
  const results = await detectSecrets.scanDirectory('./src', {
    excludeFiles: ['*.test.js', '*.spec.js'],
    excludeDirs: ['node_modules', 'dist'],
    checkMissed: true,
    limitFileSize: false,  // Set to true to enable file size limits
    maxFileSize: 2 * 1024 * 1024  // Custom max file size in bytes (2MB) when limits are enabled
  });
  
  console.log(`Found ${results.secrets.length} secrets`);
  
  // Scan a specific file
  const fileResults = await detectSecrets.scanFile('./config.js');
  
  // Scan a string
  const contentResults = await detectSecrets.scanContent(
    'const apiKey = "1234567890abcdef";', 
    'example.js'
  );
}

scanMyProject().catch(console.error);

Options

OptionCLI FlagDescription
directory-d, --directory <path>Directory to scan (default: current directory)
root-r, --rootScan from project root
excludeFiles-e, --exclude-files <patterns>File patterns to exclude (comma-separated)
excludeDirs-x, --exclude-dirs <patterns>Directory patterns to exclude (comma-separated)
checkMissed-m, --check-missedCheck for potentially missed secrets
verbose-v, --verboseInclude additional information
output-o, --output <file>Output file path
limitFileSize-l, --limit-file-sizeEnable file size limits to prevent memory issues
maxFileSize--max-file-size <size>Maximum file size to scan in KB (default: no limit)

How It Works

This package implements the same secret detection patterns as Yelp's detect-secrets but uses WebAssembly technology to eliminate the Python dependency. The scanning is performed using a combination of regex patterns to detect common secret formats.

The first time you run the tool, it will download and initialize the WebAssembly environment. This may take a few seconds, but subsequent runs will be faster.

Memory Management

By default, the tool will scan all files regardless of size, but you can enable memory protection features:

  1. Binary File Detection: Automatically skips binary files like images, executables, and compressed files
  2. Optional Size Limits: Use --limit-file-size to enable file size limits
  3. Custom Size Limits: Set your own maximum file size with --max-file-size
  4. Automatic Truncation: Very large text files can be truncated to prevent memory issues

Types of Secrets Detected

The tool can detect a wide range of secrets, including:

  • API Keys (Google, Stripe, etc.)
  • AWS Access Keys and Secret Keys
  • Private Keys (RSA, DSA, etc.)
  • Database Connection Strings
  • JWT Tokens
  • GitHub Tokens
  • OAuth Tokens
  • Generic Passwords and Secrets

Testing

You can run basic tests with:

cd wasm-version
npm run build
node test/test.js

Comparison with Yelp's detect-secrets

This package is inspired by and compatible with Yelp's detect-secrets but offers several advantages:

  1. No Python Dependency: Works without requiring Python installation
  2. Easier Installation: Simple npm installation process
  3. JavaScript Native: Fully integrated with Node.js ecosystem
  4. Similar Detection Patterns: Implements the same secret detection patterns
  5. Memory Efficient: Better handling of large repositories and binary files

Version History

v2.1.1

  • Removed example files containing secrets to avoid GitHub secret scanning
  • Updated test files to use safe example values
  • Fixed repository URLs

v2.1.0

  • Removed default file size limits to scan all files by default
  • Added comprehensive secret type documentation
  • Fixed minor bugs and improved error handling

v2.0.0

  • Complete rewrite using WebAssembly technology
  • Removed Python dependency requirement
  • Enhanced pattern matching for better secret detection
  • Improved performance and cross-platform compatibility
  • Added memory-efficient handling of large repositories

License

MIT