secure-scan-js 1.0.8 (latest), published on npm. Maintainers: 1.

secure-scan-js

A JavaScript implementation of Yelp's detect-secrets tool, with no Python dependency required.

This package provides the same functionality as Yelp's detect-secrets, implemented in JavaScript on top of WebAssembly, so no Python installation is needed.

Features

  • No Python Required: Uses WebAssembly to run the scanning code directly in Node.js
  • Easy Installation: Simple npm installation with no external dependencies
  • Fast Scanning: Efficiently scans files and directories for secrets
  • Customizable: Configure exclusions, scan specific directories, and more
  • False Positive Detection: Identifies likely false positives to reduce noise
  • Missed Secret Detection: Optional detection of patterns that might be missed by the main scanner
  • Compatible API: Similar interface to Yelp's detect-secrets for easy migration
  • Memory Efficient: Automatically skips binary files and handles large codebases

Installation

npm install -g secure-scan-js

Usage

Command Line

# Scan the current directory
secure-scan-js

# Scan a specific directory
secure-scan-js --directory ./src

# Exclude specific files or directories
secure-scan-js --exclude-files "*.test.js,*.spec.js" --exclude-dirs "node_modules,dist"

# Check for potentially missed secrets
secure-scan-js --check-missed

# Save results to a file
secure-scan-js --output results.json

# Enable file size limits to prevent memory issues with very large files
secure-scan-js --limit-file-size

# Set a custom maximum file size (in KB) when limits are enabled
secure-scan-js --limit-file-size --max-file-size 2048

API

const detectSecrets = require("secure-scan-js");

async function scanMyProject() {
	// Initialize the WebAssembly module (required before scanning)
	await detectSecrets.initialize();

	// Scan a directory
	const results = await detectSecrets.scanDirectory("./src", {
		excludeFiles: ["*.test.js", "*.spec.js"],
		excludeDirs: ["node_modules", "dist"],
		checkMissed: true,
		limitFileSize: false, // Set to true to enable file size limits
		maxFileSize: 2 * 1024 * 1024, // Custom max file size in bytes (2MB) when limits are enabled
	});

	console.log(`Found ${results.secrets.length} secrets`);

	// Scan a specific file
	const fileResults = await detectSecrets.scanFile("./config.js");

	// Scan a string
	const contentResults = await detectSecrets.scanContent(
		'const apiKey = "1234567890abcdef";',
		"example.js"
	);
}

scanMyProject().catch(console.error);

Options

| Option        | CLI flag                       | Description                                                                                   |
|---------------|--------------------------------|-----------------------------------------------------------------------------------------------|
| directory     | -d, --directory <path>         | Directory to scan (default: current directory)                                                |
| root          | -r, --root                     | Scan from project root                                                                        |
| excludeFiles  | -e, --exclude-files <patterns> | File patterns to exclude (comma-separated)                                                    |
| excludeDirs   | -x, --exclude-dirs <patterns>  | Directory patterns to exclude (comma-separated)                                               |
| checkMissed   | -m, --check-missed             | Check for potentially missed secrets                                                          |
| verbose       | -v, --verbose                  | Include additional information                                                                |
| output        | -o, --output <file>            | Output file path                                                                              |
| limitFileSize | -l, --limit-file-size          | Enable file size limits to prevent memory issues                                              |
| maxFileSize   | --max-file-size <size>         | Maximum file size to scan, in KB on the CLI (default: no limit); the API option takes bytes   |

How It Works

This package implements the same secret detection patterns as Yelp's detect-secrets but uses WebAssembly to remove the Python dependency. Scanning is regex-based: a set of patterns for common secret formats is run over the contents of each file.

The first time you run the tool, it downloads and initializes the WebAssembly environment, so that run needs network access and may take a few seconds; subsequent runs are faster.

Memory Management

By default, the tool will scan all files regardless of size, but you can enable memory protection features:

  • Binary File Detection: Automatically skips binary files like images, executables, and compressed files
  • Optional Size Limits: Use --limit-file-size to enable file size limits
  • Custom Size Limits: Set your own maximum file size with --max-file-size
  • Automatic Truncation: Very large text files can be truncated to prevent memory issues; content past the cut-off is not scanned, so a truncated file should be reviewed separately
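The guards above, as an added example in plain Node.js (not secure-scan-js's own code): isBinary treats a file as binary when a NUL byte appears in its first 8 KB (an assumed sniff window), and prepareContent applies an optional size limit by truncating the buffer and flagging that it did so. The inputs are constructed buffers, not real files.

```javascript
// Added example (not secure-scan-js's own code): the file-level guards a secret
// scanner applies before any pattern matching.
// Assumptions: a file is "binary" if its first SNIFF_BYTES bytes contain a NUL;
// truncation keeps the leading bytes of an oversized text file.
const SNIFF_BYTES = 8000;

function isBinary(buf) {
  // NUL bytes are common in images, executables and archives and are almost
  // never present in ASCII or UTF-8 source text.
  return buf.subarray(0, SNIFF_BYTES).includes(0);
}

function prepareContent(buf, { limitFileSize = false, maxFileSize = 1024 * 1024 } = {}) {
  if (isBinary(buf)) {
    return { skipped: true, reason: 'binary', truncated: false, text: '' };
  }
  let truncated = false;
  let slice = buf;
  if (limitFileSize && buf.length > maxFileSize) {
    // Keep only the leading bytes; the caller must report the truncation,
    // since anything past the cut-off is never scanned.
    slice = buf.subarray(0, maxFileSize);
    truncated = true;
  }
  return { skipped: false, reason: null, truncated, text: slice.toString('utf8') };
}

// Constructed sample inputs, not real files.
const SAMPLES = {
  // PNG signature followed by the start of a chunk header (contains NULs)
  png: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00, 0x00, 0x0d]),
  source: Buffer.from('const apiKey = "1234567890abcdef";\n'),
  large: Buffer.alloc(3 * 1024, 0x41), // 3 KB of "A"
};

// Run every sample through the guards and summarise what would reach the matcher.
function demo(opts) {
  const report = {};
  for (const [name, buf] of Object.entries(SAMPLES)) {
    const r = prepareContent(buf, opts);
    report[name] = { skipped: r.skipped, truncated: r.truncated, bytesScanned: r.text.length };
  }
  return report;
}

console.log(JSON.stringify(demo({ limitFileSize: true, maxFileSize: 1024 }), null, 2));
```

Two caveats worth keeping in mind with this kind of guard: UTF-16 encoded text files contain NUL bytes and will be skipped as binary, and a truncated file can hide a secret that sits past the cut-off, which is why the result carries a truncated flag rather than silently returning the prefix.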

Types of Secrets Detected

The tool can detect a wide range of secrets, including:

  • API Keys (Google, Stripe, etc.)
  • AWS Access Keys and Secret Keys
  • Private Keys (RSA, DSA, etc.)
  • Database Connection Strings
  • JWTs (JSON Web Tokens)
  • GitHub Tokens
  • OAuth Tokens
  • Generic Passwords and Secrets
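An added example of the regex-plus-false-positive-filter approach described under How It Works, covering several of the secret types listed above. This is not the project's code, and its patterns are illustrative approximations rather than detect-secrets' or secure-scan-js's actual patterns. The sample source lines are constructed; the AWS value is the placeholder access key that AWS's own documentation uses, and the other values are made up.

```javascript
// Added example (not secure-scan-js's or detect-secrets' code): a minimal
// line-oriented regex secret scanner with a false-positive filter.
// The patterns below are illustrative approximations of each format.
const DETECTORS = [
  { type: 'AWS Access Key ID', re: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g },
  { type: 'GitHub Token', re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g },
  { type: 'Stripe Secret Key', re: /\bsk_(?:live|test)_[A-Za-z0-9]{24,}\b/g },
  { type: 'Private Key', re: /-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----/g },
  { type: 'JWT', re: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g },
  // Generic: keyword = "value"; the secret is capture group 1
  { type: 'Generic Secret', re: /\b(?:password|passwd|secret|api[_-]?key)\b\s*[:=]\s*['"]([^'"]{8,})['"]/gi, group: 1 },
];

// Values that look like placeholders rather than live credentials.
const PLACEHOLDER = /^(?:\$\{.*\}|<.*>|your[_-]|changeme|xxx+|example|placeholder|password|secret|test)/i;

function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

function isLikelyFalsePositive(type, value) {
  if (PLACEHOLDER.test(value)) return true;
  // Prefix-structured keys (AKIA..., ghp_...) are recognised by shape; only
  // generic keyword matches need the entropy test to weed out dictionary words.
  return type === 'Generic Secret' && shannonEntropy(value) < 3.0;
}

// Never echo the full value back into logs or reports.
function redact(value) {
  return value.length <= 8 ? '****' : `${value.slice(0, 4)}...${value.slice(-4)}`;
}

function scanContent(text, filename = '<input>') {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    for (const d of DETECTORS) {
      d.re.lastIndex = 0; // shared global regex: always start from the line beginning
      let m;
      while ((m = d.re.exec(line)) !== null) {
        const value = d.group ? m[d.group] : m[0];
        findings.push({
          type: d.type,
          filename,
          line: idx + 1,
          value: redact(value),
          likelyFalsePositive: isLikelyFalsePositive(d.type, value),
        });
      }
    }
  });
  return findings;
}

function summarize(findings) {
  const byType = {};
  for (const f of findings) byType[f.type] = (byType[f.type] || 0) + 1;
  return {
    total: findings.length,
    likelyReal: findings.filter((f) => !f.likelyFalsePositive).length,
    byType,
  };
}

// Constructed sample "source file" (not real credentials).
const SAMPLE = [
  'const awsKey = "AKIAIOSFODNN7EXAMPLE";',                                 // AWS docs placeholder key
  'const ghToken = "ghp_0123456789abcdefghijklmnopqrstuvwxyz";',            // made-up token
  'const stripe = "sk_test_abcdefghijklmnopqrstuvwx";',                      // made-up key
  'const jwt = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.abc123DEF456";',    // made-up JWT
  '-----BEGIN RSA PRIVATE KEY-----',
  'const apiKey = "1234567890abcdef";',                                      // high-entropy generic value
  'password = "changeme"',                                                   // placeholder, flagged as likely false positive
  'secret = "${DB_SECRET}"',                                                 // template variable, likely false positive
  'const greeting = "hello world";',                                         // nothing to find
].join('\n');

console.log(scanContent(SAMPLE, 'example.js'));
console.log(summarize(scanContent(SAMPLE, 'example.js')));
```

The design point is the split between match and triage: every pattern hit is recorded, but placeholder-looking values and low-entropy generic matches are marked rather than dropped, so a reviewer can still see them while a CI gate can key off likelyReal. Findings carry a redacted value so the scanner's own output does not become a second copy of the secret.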

Testing

You can run basic tests with:

cd wasm-version
npm run build
node test/test.js

Comparison with Yelp's detect-secrets

This package is inspired by and compatible with Yelp's detect-secrets but offers several advantages:

  • No Python Dependency: Works without requiring Python installation
  • Easier Installation: Simple npm installation process
  • JavaScript Native: Fully integrated with Node.js ecosystem
  • Matching Detection Patterns: Implements the same secret detection patterns as detect-secrets
  • Memory Efficient: Better handling of large repositories and binary files

Version History

v2.1.1

  • Removed example files containing secrets so they no longer trigger GitHub secret scanning
  • Updated test files to use safe example values
  • Fixed repository URLs

v2.1.0

  • Removed default file size limits to scan all files by default
  • Added comprehensive secret type documentation
  • Fixed minor bugs and improved error handling

v2.0.0

  • Complete rewrite using WebAssembly technology
  • Removed Python dependency requirement
  • Enhanced pattern matching for better secret detection
  • Improved performance and cross-platform compatibility
  • Added memory-efficient handling of large repositories

License

MIT

Keywords

security

Package last updated on 21 Apr 2025
