detect-secrets-js on Socket (npm)

Version: 1.0.0
Weekly downloads: 17
Maintainers: 0
Versions: 6
detect-secrets-js

A JavaScript wrapper for Yelp's detect-secrets tool to scan codebases for secrets.

Installation

You can install the package globally:

npm install -g detect-secrets-js

Or as a development dependency in your project:

npm install --save-dev detect-secrets-js

Prerequisites

  • Node.js 12 or higher
  • Python 3.6 or higher
  • pip (Python package manager)

The installation process will automatically install the required Python dependencies.

Usage

Command Line

After installing the package, you can use the detect-secrets-js command:

detect-secrets-js [directory] [options]

If no directory is specified, the current directory will be scanned.

Options

  • -r, --root: Scan from project root
  • -c, --check-missed: Check for potentially missed secrets
  • -v, --verbose: Include additional information
  • -o, --output <file>: Output file path
  • -ef, --exclude-files <patterns...>: File patterns to exclude
  • -ed, --exclude-dirs <patterns...>: Directory patterns to exclude
  • --version: Show version number
  • --help: Show help

Examples

Scan the current directory:

detect-secrets-js

Scan from project root and check for missed secrets:

detect-secrets-js -r -c

Exclude certain files and directories:

detect-secrets-js -ef "*.md" "*.txt" -ed ".git" "node_modules"

Save results to a file:

detect-secrets-js -o results.txt

Programmatic Usage

You can also use the package programmatically in your Node.js code:

const { scanForSecrets } = require('detect-secrets-js');

async function findSecrets() {
  try {
    // The option names mirror the CLI flags described above.
    const results = await scanForSecrets({
      directory: './src',                     // directory to scan
      root: true,                             // -r, --root
      checkMissed: true,                      // -c, --check-missed
      excludeDirs: ['node_modules', 'dist']   // -ed, --exclude-dirs
    });

    console.log(results);
  } catch (error) {
    console.error('Error scanning for secrets:', error);
  }
}

findSecrets();

Features

  • Uses Yelp's detect-secrets for reliable secret detection
  • Identifies common secrets like API keys, passwords, and access tokens
  • Handles false positives with a basic heuristic system
  • Includes a supplementary scanner to catch secrets that might be missed
  • Provides file names and line numbers for each detected secret
  • Groups multiple detections by file and line for cleaner output
  • Supports excluding specific files and directories
  • Offers verbose output option for more details
  • Can scan the entire project from the root directory
  • Available as both a CLI tool and a Node.js library

Output Format

The scanner outputs results in a grouped format:

File: path/to/file.py
Line: 42
Types: Base64 High Entropy String, Secret Keyword

This format shows:

  • The file path where the secret was found
  • The line number in the file
  • All types of secrets detected on that line (grouped to avoid duplication)
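The grouped text format above is easy to read but awkward to act on in CI. The following is an added example, not code from detect-secrets-js, that parses that format into structured records, drops findings under allowlisted path prefixes, counts findings per detector type, and decides whether a build should fail. It assumes the three labels "File:", "Line:" and "Types:" exactly as shown above, with records separated by blank lines; the sample output and the allowlist prefixes are constructed for the example.

```javascript
// Added example (not part of detect-secrets-js): turn the README's grouped
// output into structured data that a CI step can act on.
// Assumption: records use the "File:", "Line:" and "Types:" labels and are
// separated by blank lines, as in the Output Format section.

// Constructed sample scanner output in the grouped format.
const SAMPLE_OUTPUT = `
File: src/config.py
Line: 42
Types: Base64 High Entropy String, Secret Keyword

File: src/settings.json
Line: 7
Types: AWS Access Key

File: docs/README.md
Line: 3
Types: Secret Keyword
`;

/**
 * Parse grouped scanner output into an array of { file, line, types }.
 * A record is emitted only when it carries a file and a numeric line;
 * unknown labels are ignored so extra verbose lines do not break parsing.
 */
function parseGroupedOutput(text) {
  const records = [];
  let current = {};
  const flush = () => {
    if (current.file && Number.isInteger(current.line)) {
      records.push({ file: current.file, line: current.line, types: current.types || [] });
    }
    current = {};
  };
  for (const rawLine of text.split('\n')) {
    const line = rawLine.trim();
    if (line === '') { flush(); continue; }           // blank line ends a record
    const m = /^(\w+):\s*(.*)$/.exec(line);
    if (!m) continue;
    const [, label, value] = m;
    if (label === 'File') current.file = value;
    else if (label === 'Line') current.line = Number.parseInt(value, 10);
    else if (label === 'Types') {
      current.types = value.split(',').map((t) => t.trim()).filter(Boolean);
    }
  }
  flush();
  return records;
}

/**
 * Drop findings whose file path starts with an allowlisted prefix, e.g. a
 * fixtures directory that intentionally holds fake secrets (prefixes are an
 * assumption of this example, not a tool feature).
 */
function filterAllowlisted(records, allowedPrefixes) {
  return records.filter((r) => !allowedPrefixes.some((p) => r.file.startsWith(p)));
}

/** Count findings per detector type for a one-line CI summary. */
function countByType(records) {
  const counts = {};
  for (const r of records) {
    for (const t of r.types) counts[t] = (counts[t] || 0) + 1;
  }
  return counts;
}

/** CI gate: true when any non-allowlisted finding remains. */
function shouldFailBuild(text, allowedPrefixes = []) {
  return filterAllowlisted(parseGroupedOutput(text), allowedPrefixes).length > 0;
}

const findings = filterAllowlisted(parseGroupedOutput(SAMPLE_OUTPUT), ['docs/']);
console.log(`${findings.length} finding(s) after allowlist:`, countByType(findings));
console.log('fail build:', shouldFailBuild(SAMPLE_OUTPUT, ['docs/']));
```

Feed it the contents of the file written with `-o results.txt`; the allowlist is deliberately a path-prefix check rather than a pattern match so that a typo cannot silently exclude more than intended.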

Limitations

  • The false positive detection is basic and would need refinement for production use
  • Some legitimate secrets might be missed (false negatives)
  • The supplementary scanner uses simple regex patterns that might need customization
  • Binary files are skipped to avoid processing errors
  • Requires Python to be installed on the system
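The Features list says false positives are handled by "a basic heuristic system", and the Limitations above say that system and the supplementary regex scanner would need refinement. To make concrete what such a detector and its heuristics look like, here is an added example, not code from detect-secrets-js or from Yelp's detect-secrets: a minimal "high entropy string" detector using Shannon entropy, with two suppression rules (a placeholder-word check and the inline `pragma: allowlist secret` marker). The token pattern, the 4.5-bit threshold, the placeholder word list and the sample file are assumptions constructed for the example, not the tool's actual configuration.

```javascript
// Added example (not code from detect-secrets-js or Yelp's detect-secrets):
// a minimal high-entropy-string detector with the kind of basic
// false-positive heuristics the Limitations section describes.
// The token pattern, threshold and heuristics are assumptions for this example.

const BASE64_TOKEN = /[A-Za-z0-9+/=]{20,}/g;      // candidate secret-looking tokens
const ENTROPY_THRESHOLD = 4.5;                    // bits per character (assumed)
const PLACEHOLDER_WORDS = /example|placeholder|changeme|dummy|xxxx/i;
const ALLOWLIST_PRAGMA = /pragma:\s*allowlist\s+secret/i;

/** Shannon entropy of a string in bits per character (0 for the empty string). */
function shannonEntropy(s) {
  if (s.length === 0) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

/**
 * Basic false-positive heuristics. Returns a short reason when a
 * high-entropy token should be suppressed, or null when it should be reported.
 */
function falsePositiveReason(token, line) {
  if (ALLOWLIST_PRAGMA.test(line)) return 'allowlist pragma';
  if (PLACEHOLDER_WORDS.test(token) || PLACEHOLDER_WORDS.test(line)) return 'placeholder';
  return null;
}

/** Scan one line; every token at or above the threshold becomes a finding. */
function scanLine(line, lineNumber) {
  const findings = [];
  for (const match of line.matchAll(BASE64_TOKEN)) {
    const token = match[0];
    const entropy = shannonEntropy(token);
    if (entropy < ENTROPY_THRESHOLD) continue;
    findings.push({ line: lineNumber, token, entropy, ignored: falsePositiveReason(token, line) });
  }
  return findings;
}

/** Scan a file's text; line numbers are 1-based like the README's output. */
function scanText(text) {
  return text.split('\n').flatMap((line, i) => scanLine(line, i + 1));
}

/** Findings that survived the heuristics and belong in the report. */
function reportable(findings) {
  return findings.filter((f) => f.ignored === null);
}

// Constructed sample file content; none of these values is a real credential.
const SAMPLE_FILE = [
  'DB_PASSWORD = "aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW"',                       // reported
  'TEST_TOKEN = "Zy9Xw8Vu7Ts6Rq5Po4Nm3Lk2Ji1Hg0Fe"  # pragma: allowlist secret', // suppressed
  'PLACEHOLDER = "ExampleKeyAbCdEfGhIjKlMnOpQrStUv"',                      // suppressed
  'pattern = "abcabcabcabcabcabcabcabc"',                                   // low entropy
  'digest = "deadbeefdeadbeefdeadbeefdeadbeef"',                           // low entropy
].join('\n');

for (const f of scanText(SAMPLE_FILE)) {
  const status = f.ignored ? `ignored (${f.ignored})` : 'REPORT';
  console.log(`Line: ${f.line}  entropy=${f.entropy.toFixed(2)}  ${status}`);
}
```

The two heuristics illustrate both sides of the limitation: the placeholder rule matches anywhere on the line, so a real key on a line that happens to contain the word "example" is suppressed (a false negative), while a 20-character window with a fixed threshold still fires on long random-looking identifiers such as content hashes (a false positive). Tuning these per repository is the "refinement" the Limitations section refers to.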

License

MIT

Test Files

The repository includes test files in the test_files directory that contain various types of secrets for testing purposes:

  • config.py: Contains API keys, database connection strings, and other configuration values
  • example.json: Contains AWS access keys and other JSON-formatted secrets

Keywords

security

Package last updated on 11 Mar 2025