eslint-plugin-no-secrets
An ESLint plugin providing a rule (`no-secrets/no-secrets`) that searches for potential secrets/keys in code, using both the entropy of string literals and regular expressions for known token formats.
Usage

```shell
npm i -D eslint-plugin-no-secrets
```

.eslintrc

```json
{
  "plugins": ["no-secrets"],
  "rules": {
    "no-secrets/no-secrets": "error"
  }
}
```

With the rule enabled, both of the following string literals cause an ESLint error: the first because of its high entropy, the second because it matches a known AWS access key ID format even though its entropy is low.

```javascript
const A_SECRET = "ZWVTjPQSdhwRgl204Hc51YCsritMIzn8B=/p9UyeX7xu6KkAGqfm3FJ+oObLDNEva";
const AWS_TOKEN = "AKIAIUWUUQQN3GNUA88V";
```
Config

Decrease the entropy tolerance so that less random-looking strings are reported as well (the default is 4; see Options below):

```json
{
  "plugins": ["no-secrets"],
  "rules": {
    "no-secrets/no-secrets": ["error", { "tolerance": 3.2 }]
  }
}
```

Add additional patterns to check for certain token formats. The key is the name reported for the check and the value is the pattern; when a pattern is written as a string in a JSON config, backslashes must be doubled (`"\\d"` for `\d`). The standard patterns that ship with the plugin can be found in its source.

```json
{
  "plugins": ["no-secrets"],
  "rules": {
    "no-secrets/no-secrets": [
      "error",
      { "additionalRegexes": { "Basic Auth": "Authorization: Basic [A-Za-z0-9+/=]*" } }
    ]
  }
}
```
When it's really not a secret

Some strings have high entropy without being secrets, for example the alphabet used by an encoding:

```javascript
const BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
```

1. Either disable the rule for that line with a standard ESLint directive comment (`// eslint-disable-next-line no-secrets/no-secrets`).

2. Or use the `ignoreContent` option to ignore strings whose content matches a pattern:

```json
{
  "plugins": ["no-secrets"],
  "rules": {
    "no-secrets/no-secrets": ["error", { "ignoreContent": "^ABCD" }]
  }
}
```

3. Or use the `ignoreIdentifiers` option to ignore certain variable/property names:

```json
{
  "plugins": ["no-secrets"],
  "rules": {
    "no-secrets/no-secrets": ["error", { "ignoreIdentifiers": ["BASE64_CHARS"] }]
  }
}
```

Either way, this tells future maintainers of the codebase that the suspicious string is not an oversight.
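To make the interaction between `tolerance`, the pattern checks, `ignoreContent` and `ignoreIdentifiers` concrete, here is an added, self-contained model of that decision logic. It is example code written for this page, not the plugin's source: the plugin's real entropy calculation (inherited from truffleHog) and its full default pattern list are not reproduced, the single `AKIA[0-9A-Z]{16}` AWS pattern is an assumed stand-in for those defaults, and the sample literals are constructed from the strings shown above.

```javascript
// Added example: a simplified model of an entropy-plus-pattern secret check
// using the options documented for eslint-plugin-no-secrets. This is not the
// plugin's own implementation.

// Shannon entropy of a string in bits per character. A string whose characters
// are all distinct maximises it (log2 of the number of distinct characters).
function shannonEntropy(str) {
  if (str.length === 0) return 0;
  const counts = new Map();
  for (const ch of str) counts.set(ch, (counts.get(ch) || 0) + 1);
  let entropy = 0;
  for (const n of counts.values()) {
    const p = n / str.length;
    entropy -= p * Math.log2(p);
  }
  return entropy;
}

// Assumed stand-in for the plugin's default pattern list: only the AWS access
// key ID format is modelled here.
const DEFAULT_REGEXES = {
  "AWS API Key": /AKIA[0-9A-Z]{16}/,
};

function toRegExp(pattern) {
  return pattern instanceof RegExp ? pattern : new RegExp(pattern);
}

function toRegExpList(value) {
  return (Array.isArray(value) ? value : [value]).map(toRegExp);
}

// Decide whether a string literal bound to `identifier` should be reported.
// Returns null when the literal is accepted, otherwise the reason.
function checkLiteral(value, identifier, options = {}) {
  const {
    tolerance = 4,
    additionalRegexes = {},
    ignoreContent = [],
    ignoreIdentifiers = [],
  } = options;

  // The ignore options win over every pattern and over the entropy check.
  if (toRegExpList(ignoreContent).some((re) => re.test(value))) return null;
  if (identifier && toRegExpList(ignoreIdentifiers).some((re) => re.test(identifier))) {
    return null;
  }

  // Known token formats are reported even when their entropy is low.
  const patterns = { ...DEFAULT_REGEXES, ...additionalRegexes };
  for (const [name, pattern] of Object.entries(patterns)) {
    if (toRegExp(pattern).test(value)) return `matches pattern "${name}"`;
  }

  // Anything else is judged purely on how random it looks.
  const entropy = shannonEntropy(value);
  if (entropy > tolerance) {
    return `entropy ${entropy.toFixed(2)} exceeds tolerance ${tolerance}`;
  }
  return null;
}

// Constructed sample literals: the examples from this page plus one ordinary string.
const SAMPLES = {
  A_SECRET: "ZWVTjPQSdhwRgl204Hc51YCsritMIzn8B=/p9UyeX7xu6KkAGqfm3FJ+oObLDNEva",
  AWS_TOKEN: "AKIAIUWUUQQN3GNUA88V",
  BASE64_CHARS: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
  GREETING: "hello world",
};

// Run every sample through the check with a given option set.
function scan(options = {}) {
  const report = {};
  for (const [name, value] of Object.entries(SAMPLES)) {
    report[name] = checkLiteral(value, name, options);
  }
  return report;
}

console.log("defaults:", scan());
console.log("ignoreIdentifiers:", scan({ ignoreIdentifiers: ["BASE64_CHARS"] }));
console.log("ignoreContent:", scan({ ignoreContent: "^ABCD" }));
console.log(
  "Basic Auth pattern:",
  checkLiteral("Authorization: Basic dXNlcjpwYXNz", "HEADER", {
    additionalRegexes: { "Basic Auth": "Authorization: Basic [A-Za-z0-9+/=]*" },
  }),
);
```

Two things the run makes visible: `AWS_TOKEN` has a Shannon entropy of roughly 3.28 bits per character, below the default tolerance of 4, so it is the pattern check and not the entropy check that catches it (lowering `tolerance` to 3.2, as in the Config example above, would make the entropy check flag it as well); and `BASE64_CHARS`, with 65 distinct characters, scores about 6.02 bits and is reported under the defaults, which is exactly why `ignoreContent` or `ignoreIdentifiers` is needed for it.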
Options

| Option | Description | Default | Type |
|---|---|---|---|
| `tolerance` | Maximum "randomness"/entropy allowed before a string is reported | `4` | `number` |
| `additionalRegexes` | Object of additional patterns to check. Key is the check name and value is the corresponding pattern | `{}` | `{[regexCheckName: string]: string \| RegExp}` |
| `ignoreContent` | Ignores the entire string if it matches. Expects either a pattern or an array of patterns. This option takes precedence over `additionalRegexes` and the default regular expressions | `[]` | `string \| RegExp \| (string \| RegExp)[]` |
| `ignoreModules` | Ignores strings that are an argument to `import()` or `require()`, or that are the path in an `import` statement | `true` | `boolean` |
| `ignoreIdentifiers` | Ignores the values of properties and variables whose names match a pattern or an array of patterns | `[]` | `string \| RegExp \| (string \| RegExp)[]` |
Acknowledgements
Huge thanks to truffleHog for the inspiration, the regexes, and the measure of entropy.