Secrets scanner is a tool that finds secrets such as AWS keys, API secrets and tokens. It does so by looking at every file in the current folder and matching the contents against a list of secret signatures.
Secrets scanner is a stand-alone package written purely in Node.js and has no dependency on Python or other secret-scanner utilities.
To install the secrets scanner globally, run the following command in the terminal.
npm install -g secrets-scanner
To install it as a development-time dependency of a project instead:
npm install --save-dev secrets-scanner
To execute the secrets scanning tool on a specific folder, run the following command in the terminal:
secrets-scanner
- The scanner will check for secrets in all files in the current folder recursively.
- The scanner will honor the .gitignore file and skip every file it lists.
On completion, the command will succeed if it did not find any secrets.
If any secrets are detected, the command will exit with -1 and the offending secrets will be displayed:
secrets-scanner
Error! Secrets Detected in the following files:
src/a.json, line 32, col 21: password: pass
test/a.html, line 2, col 1: awsaccesskey: 23
Sometimes the secret scanner may flag a line as offending even though it is an essential part of the code. In such cases, you can instruct the secret scanner to ignore a specific line by placing a secrets-ignore comment directly above the offending line.
For example, in the file test.js below, password="pass" can be ignored by adding a line comment above the code as follows:
...
function test(){
//secrets-ignore
let password = "pass";
...
}
...
For Python and bash:
#secrets-ignore
password="pass"
HTML:
<!-- secrets-ignore -->
password="pass"
CSS:
/* secrets-ignore */
JSON:
Use the additional configuration file described below to exclude JSON keys from the secret scanner.
Create a file secrets-scanner.json to specify additional configuration options. The configuration options are listed below:
{
"version": 1,
"gitIgnore": [true|false], // whether to honor .gitignore or not.
"jsonIgnore": {
// https://stackoverflow.com/questions/8481380/is-there-a-json-equivalent-of-xquery-xpath
"<file path1>": ["<jsonpath of key 1>", "<jsonpath of key 2>", ...]
}
}
Since JSON does not support inline comments to ignore false positives, the configuration file can be used to ignore specific JSON keys. For example, consider the following JSON files:
// a.json
{"login":{
"pass": "pass"
}}
// src/b.json
{"login":{
"user":{"pass": "pass"}
}}
The secrets can be whitelisted using the following secrets-scanner.json configuration file:
{
"version": 1,
"gitIgnore": true, // whether to honor .gitignore or not (true keeps the default behaviour).
"jsonIgnore": {
"a.json": ["login.pass"],
"src/b.json": ["login.user.pass"]
}
}
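The two suppression mechanisms above (a secrets-ignore comment on the line before a finding, and the jsonIgnore map of file path to dotted key path) are illustrated by the following added example. It is not the secrets-scanner package's own code; the signature list, the comment syntaxes recognised and the scan/scanText/scanJson functions are constructed for this illustration.

```javascript
// Constructed signature list (the real package ships its own); each entry
// names the secret kind and a regex for "key: value" / "key = value" shapes.
const SIGNATURES = [
  { name: 'password', re: /\bpass(word)?\b\s*[:=]/i },
  { name: 'awsaccesskey', re: /\bawsaccesskey\b\s*[:=]/i },
];
// A "secrets-ignore" marker in any of the comment syntaxes listed on the page.
const IGNORE_COMMENT = /^\s*(\/\/|#|\/\*|<!--)\s*secrets-ignore\b/;

// Line-oriented scan for source files: a finding is dropped when the
// previous line carries a secrets-ignore comment.
function scanText(path, text) {
  const findings = [];
  const lines = text.split('\n');
  lines.forEach((line, i) => {
    if (i > 0 && IGNORE_COMMENT.test(lines[i - 1])) return;
    for (const sig of SIGNATURES) {
      const m = sig.re.exec(line);
      if (m) findings.push({ path, line: i + 1, col: m.index + 1, name: sig.name });
    }
  });
  return findings;
}

// Key-oriented scan for JSON: walk the parsed object and skip any key whose
// dotted path (e.g. "login.user.pass") is listed for this file in jsonIgnore.
function scanJson(path, text, jsonIgnore = {}) {
  const ignored = new Set(jsonIgnore[path] || []);
  const findings = [];
  const walk = (node, prefix) => {
    if (node === null || typeof node !== 'object') return;
    for (const [key, value] of Object.entries(node)) {
      const keyPath = prefix ? `${prefix}.${key}` : key;
      if (ignored.has(keyPath)) continue;
      const sig = SIGNATURES.find(s => s.re.test(`${key}:`));
      if (sig) findings.push({ path, keyPath, name: sig.name });
      walk(value, keyPath);
    }
  };
  walk(JSON.parse(text), '');
  return findings;
}

// Dispatch on file type, mirroring the per-language rules above; config
// carries the jsonIgnore section of secrets-scanner.json.
function scan(path, text, config = {}) {
  return path.endsWith('.json')
    ? scanJson(path, text, config.jsonIgnore || {})
    : scanText(path, text);
}
```

Each finding carries the path, line/column (or dotted key path for JSON) and the signature name, which is the information the error listing above reports.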
The following language files will be scanned for secrets:
1. HTML
2. JS
This section is relevant only if you are developing or making changes to the secrets-scanner itself.
To run all tests:
> npm run test
Hello world Tests
✔ should return Hello World
#indexOf()
✔ should return -1 when the value is not present
Additionally, to run unit/integration tests only, use the commands:
> npm run test:unit
> npm run test:integ
To run all tests with coverage:
> npm run cover
Hello world Tests
✔ should return Hello World
#indexOf()
✔ should return -1 when the value is not present
2 passing (6ms)
----------|---------|----------|---------|---------|-------------------
File | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s
----------|---------|----------|---------|---------|-------------------
All files | 100 | 100 | 100 | 100 |
backup.js | 100 | 100 | 100 | 100 |
----------|---------|----------|---------|---------|-------------------
=============================== Coverage summary ===============================
Statements : 100% ( 5/5 )
Branches : 100% ( 2/2 )
Functions : 100% ( 1/1 )
Lines : 100% ( 5/5 )
================================================================================
Detailed unit test coverage report: file:///template-nodejs/coverage-unit/index.html
Detailed integration test coverage report: file:///template-nodejs/coverage-integration/index.html
After running coverage, detailed reports can be found in the coverage folder listed in the output of coverage command. Open the file in browser to view detailed reports.
To run unit/integration tests only with coverage:
> npm run cover:unit
> npm run cover:integ
Unit and integration test coverage settings can be updated in the config files .nycrc.unit.json and .nycrc.integration.json.
See https://github.com/istanbuljs/nyc for config options.