detect-secrets-js

npm package, version 2.1.0

A JavaScript implementation of Yelp's detect-secrets tool, with no Python dependency required.

This package provides the same functionality as Yelp's detect-secrets, but the scanning engine is shipped as WebAssembly and runs inside Node.js, so no Python installation is needed.

Features

  • No Python Required: Uses WebAssembly to run the scanning code directly in Node.js
  • Easy Installation: A single npm install; the WebAssembly engine itself is fetched on first run (see How It Works)
  • Fast Scanning: Efficiently scans files and directories for secrets
  • Customizable: Configure exclusions, scan specific directories, and more
  • False Positive Detection: Flags likely false positives (placeholder or example values) to reduce noise
  • Missed Secret Detection: Optional detection of patterns that the main scanner might miss
  • Compatible API: Similar interface to Yelp's detect-secrets for easy migration
  • Memory Efficient: Automatically skips binary files and can cap or truncate very large files

Installation

npm install -g detect-secrets-js

Usage

Command Line

# Scan the current directory
detect-secrets-js

# Scan a specific directory
detect-secrets-js --directory ./src

# Exclude specific files or directories
detect-secrets-js --exclude-files "*.test.js,*.spec.js" --exclude-dirs "node_modules,dist"

# Check for potentially missed secrets
detect-secrets-js --check-missed

# Save results to a file
detect-secrets-js --output results.json

# Enable file size limits to prevent memory issues with very large files
detect-secrets-js --limit-file-size

# Set a custom maximum file size (in KB) when limits are enabled
detect-secrets-js --limit-file-size --max-file-size 2048

API

const detectSecrets = require('detect-secrets-js');

async function scanMyProject() {
  // Initialize the WebAssembly module (required before scanning)
  await detectSecrets.initialize();
  
  // Scan a directory
  const results = await detectSecrets.scanDirectory('./src', {
    excludeFiles: ['*.test.js', '*.spec.js'],
    excludeDirs: ['node_modules', 'dist'],
    checkMissed: true,
    limitFileSize: false,  // Set to true to enable file size limits
    maxFileSize: 2 * 1024 * 1024  // Custom max file size in bytes (2MB) when limits are enabled
  });
  
  console.log(`Found ${results.secrets.length} secrets`);
  
  // Scan a specific file
  const fileResults = await detectSecrets.scanFile('./config.js');
  
  // Scan a string
  const contentResults = await detectSecrets.scanContent(
    'const apiKey = "1234567890abcdef";', 
    'example.js'
  );
}

scanMyProject().catch(console.error);

Options

Option         CLI flag                         Description
directory      -d, --directory <path>           Directory to scan (default: current directory)
root           -r, --root                       Scan from the project root
excludeFiles   -e, --exclude-files <patterns>   File patterns to exclude (comma-separated on the CLI, an array in the API)
excludeDirs    -x, --exclude-dirs <patterns>    Directory patterns to exclude (comma-separated on the CLI, an array in the API)
checkMissed    -m, --check-missed               Check for potentially missed secrets
verbose        -v, --verbose                    Include additional information
output         -o, --output <file>              Output file path
limitFileSize  -l, --limit-file-size            Enable file size limits to prevent memory issues
maxFileSize    --max-file-size <size>           Maximum file size to scan: KB on the CLI, bytes in the API (default: no limit)

How It Works

This package implements the same secret detection patterns as Yelp's detect-secrets but runs them from a WebAssembly build to eliminate the Python dependency. Scanning is a combination of regex rules, one per secret format, applied line by line to each text file.

The first time you run the tool it downloads and initializes the WebAssembly environment, which may take a few seconds; subsequent runs reuse it and are faster. Because this is a network fetch of executable code that happens outside npm install, vet where it comes from and pin the package version before relying on the tool in CI or pre-commit hooks.

Memory Management

By default, the tool will scan all files regardless of size, but you can enable memory protection features:

  • Binary File Detection: Automatically skips binary files like images, executables, and compressed files
  • Optional Size Limits: Use --limit-file-size to enable file size limits
  • Custom Size Limits: Set your own maximum file size with --max-file-size
  • Automatic Truncation: Very large text files can be truncated to prevent memory issues

Types of Secrets Detected

The tool can detect a wide range of secrets, including:

  • API Keys (Google, Stripe, etc.)
  • AWS Access Keys and Secret Keys
  • Private Keys (RSA, DSA, etc.)
  • Database Connection Strings
  • JWT Tokens
  • GitHub Tokens
  • OAuth Tokens
  • Generic Passwords and Secrets

For a comprehensive list of all secret types detected, see the Secret Types Documentation.
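The mechanics described in the last three sections (one regex rule per secret format applied per line, binary-file skipping, an optional size limit with truncation, and flagging rather than dropping likely false positives), as an added, self-contained example. This is not detect-secrets-js's own code or the scanner it ships; the AKIA and ghp_ prefixes, the JWT shape and the PEM header are public formats, while the generic keyword rule, the placeholder word list, the 3.0-bit entropy threshold and the sample input are assumptions made for illustration.

```javascript
'use strict';
// Added example, not detect-secrets-js's own code: a minimal regex-based
// secret scanner of the kind the README describes, with binary-file
// skipping, an optional size limit with truncation, and a placeholder /
// entropy check that marks likely false positives instead of dropping them.

// Detection rules. The AKIA and ghp_ prefixes, the JWT shape and the PEM
// header are publicly documented formats; the "Generic Secret" keyword rule
// is an assumption standing in for the tool's own generic patterns.
const PATTERNS = [
  { type: 'AWS Access Key', regex: /\bAKIA[0-9A-Z]{16}\b/g },
  { type: 'GitHub Token', regex: /\bghp_[A-Za-z0-9]{36}\b/g },
  { type: 'JWT', regex: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g },
  { type: 'Private Key', regex: /-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----/g },
  { type: 'Generic Secret', regex: /(?:password|secret|api[_-]?key)\s*[:=]\s*['"]([^'"]{8,})['"]/gi },
];

// Values that look like documentation placeholders rather than live credentials
// (assumed list; note it catches AWS's own documented example key ID).
const PLACEHOLDER = /(?:changeme|example|placeholder|dummy|xxxx|\*{4,}|<[^>]+>|\$\{[^}]+\})/i;

// Shannon entropy in bits per character: "aaaaaaaa" is 0, a random hex string is about 4.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

function isLikelyFalsePositive(type, value) {
  if (PLACEHOLDER.test(value)) return true;
  // Entropy only makes sense for free-form values; fixed-format tokens
  // (AKIA..., ghp_..., PEM headers) are judged by their structure alone.
  return type === 'Generic Secret' && shannonEntropy(value) < 3.0;
}

// Treat a file as binary if its first 8 KB contain a NUL byte (the same
// heuristic git uses); such files are skipped rather than regex-scanned.
function isBinary(buf) {
  return buf.subarray(0, 8000).includes(0);
}

// Scan one file's content (string or Buffer). Options mirror the README's
// limitFileSize / maxFileSize (bytes); with the limit on, oversized input is
// truncated and the result says so, so the caller knows coverage is partial.
function scanContent(content, filename, opts = {}) {
  const { limitFileSize = false, maxFileSize = 1024 * 1024 } = opts;
  let buf = Buffer.isBuffer(content) ? content : Buffer.from(content, 'utf8');
  if (isBinary(buf)) return { filename, skipped: 'binary', truncated: false, secrets: [] };
  let truncated = false;
  if (limitFileSize && buf.length > maxFileSize) {
    buf = buf.subarray(0, maxFileSize);
    truncated = true;
  }
  const secrets = [];
  buf.toString('utf8').split(/\r?\n/).forEach((line, idx) => {
    for (const { type, regex } of PATTERNS) {
      regex.lastIndex = 0;
      let m;
      while ((m = regex.exec(line)) !== null) {
        const value = m[1] || m[0];
        secrets.push({ type, filename, line: idx + 1, value, falsePositive: isLikelyFalsePositive(type, value) });
      }
    }
  });
  return { filename, skipped: null, truncated, secrets };
}

// Constructed sample input (no real credentials): the README's own example
// line, AWS's documented example key ID, a placeholder password, a PEM header.
const SAMPLE = [
  'const apiKey = "1234567890abcdef";',
  'aws_access_key_id = AKIAIOSFODNN7EXAMPLE',
  'password: "changeme123"',
  '-----BEGIN RSA PRIVATE KEY-----',
].join('\n');

// Stand-alone run: list each finding, marking the ones that look like placeholders.
for (const s of scanContent(SAMPLE, 'sample.js').secrets) {
  console.log(`${s.filename}:${s.line} ${s.type}${s.falsePositive ? ' (likely false positive)' : ''}`);
}

if (typeof module !== 'undefined') {
  module.exports = { scanContent, isBinary, shannonEntropy, isLikelyFalsePositive, SAMPLE };
}
```

On the constructed sample this reports four findings and marks two of them as likely false positives: the AWS example key (because it contains "EXAMPLE") and the placeholder password; the README's `apiKey` line and the PEM header are reported as real. Feeding it a PNG header skips the file as binary, and enabling `limitFileSize` with a limit smaller than the input returns `truncated: true` so a CI job can decide whether partial coverage is acceptable.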

Testing

The package includes test files with examples of various secret types:

  • wasm-version/test/test-file.js: Basic test file with common secrets
  • wasm-version/test/secret-examples.js: Comprehensive examples of many secret types

You can run the tests with:

cd wasm-version
npm run build
node test/test.js          # Basic test
node test/test-examples.js # Comprehensive test

Comparison with Yelp's detect-secrets

This package is inspired by and compatible with Yelp's detect-secrets but offers several advantages:

  • No Python Dependency: Works without requiring Python installation
  • Easier Installation: Simple npm installation process
  • JavaScript Native: Fully integrated with Node.js ecosystem
  • Similar Detection Patterns: Implements the same secret detection patterns
  • Memory Efficient: Better handling of large repositories and binary files

Version History

v2.0.1

  • Removed default file size limits to scan all files by default
  • Added comprehensive secret type documentation
  • Added additional test files with examples of various secret types
  • Fixed minor bugs and improved error handling

v2.0.0

  • Complete rewrite using WebAssembly technology
  • Removed Python dependency requirement
  • Enhanced pattern matching for better secret detection
  • Improved performance and cross-platform compatibility
  • Added memory-efficient handling of large repositories

License

MIT

Keywords

security

Package last updated on 12 Mar 2025