detect-secrets
Advanced tools
A developer-friendly secrets detection tool for CI and pre-commit hooks based on Yelp's detect-secrets
A developer-friendly secrets detection tool for CI and pre-commit hooks
The detect-secrets npm package is a Node.js-based wrapper for Yelp's detect-secrets tool that aims to provide an accessible and developer-friendly method of introducing secrets detection in pre-commit hooks.
Yelp's detect-secrets is based on Python and requires explicit installation from developers. Moreover, its installation may be challenging in different operating systems. detect-secrets aims to alleviate this challenge by:
If it fails it continues to:
If this fails as well:
--
The above described fallback strategy is used to find an available method of executing the detect-secrets tool to protect the developer from leaking secrets into source code control.
npm install --save detect-secrets
This will expose detect-secrets-launcher Node.js executable file.
Another way to invoke it is with npx which will download and execute the detect-secrets wrapper on the fly:
npx detect-secrets [arguments]
If you're using husky to manage pre-commit hooks configuration, then enabling secrets detection is as simple as adding another hook entry.
"husky": {
"hooks": {
"pre-commit": "detect-secrets-launcher src/*"
}
}
If you're using husky and lint-staged to manage pre-commit hooks configuration and running static code analysis on staged files, then enabling secrets detection is as simple as adding another lint-staged entry.
A typical setup will look like this as an example:
"husky": {
"hooks": {
"pre-commit": "lint-staged"
},
},
"lint-staged": {
"linters": {
"**/*.js": [
"detect-secrets-launcher --baseline .secrets-baseline"
]
}
}
If you're not using a baseline file (it is created using Yelp's server-side detect-secrets tool) then you can simply omit this out and keep it as simple as detect-secrets-launcher.
To scan the index.js file within a repository for the potential of leaked secrets inside it run the following:
detect-secrets-launcher index.js
Note that index.js has to be staged and versioned control. Any other plain file that is not known to git will not be scanned.
Please consult CONTIRBUTING for guidelines on contributing to this project.
detect-secrets © Liran Tal, Released under the Apache-2.0 License.
FAQs
A developer-friendly secrets detection tool for CI and pre-commit hooks based on Yelp's detect-secrets
The npm package detect-secrets receives a total of 4,094 weekly downloads. As such, detect-secrets popularity was classified as popular.
We found that detect-secrets demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Multiple high-impact npm maintainers confirm they have been targeted in the same social engineering campaign that compromised Axios.
Security News
Axios compromise traced to social engineering, showing how attacks on maintainers can bypass controls and expose the broader software supply chain.
Security News
Node.js has paused its bug bounty program after funding ended, removing payouts for vulnerability reports but keeping its security process unchanged.