├── .github ├── ISSUE_TEMPLATE.md ├── ISSUE_TEMPLATE │ ├── 1-bug-report.md │ ├── 2-feature-request.md │ └── 3-help.md └── PULL_REQUEST_TEMPLATE.md ├── .gitignore ├── .prettierrc.js ├── .travis.yml ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── __tests__ ├── cli.test.js ├── cli.unit.test.js ├── executeStrategy.test.js └── isExecutableAvailableInPath.test.js ├── bin └── detect-secrets-launcher.js ├── jsdoc.json ├── package-lock.json ├── package.json └── src ├── cli.js └── strategies.js /.github/ISSUE_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | 6 | 7 | - **Library Version**: 8 | - **OS**: 9 | - **Node.js Version**: 10 | 11 | 12 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/1-bug-report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: "\U0001F41B Bug report" 3 | about: Create a bug report 4 | --- 5 | 6 | 7 | 8 | ## Expected Behavior 9 | 10 | 11 | 12 | 13 | ## Current Behavior 14 | 15 | 16 | 17 | 18 | ## Possible Solution 19 | 20 | 21 | 22 | 23 | ## Steps to Reproduce (for bugs) 24 | 25 | 26 | 27 | 28 | 1. 29 | 2. 30 | 3. 31 | 4. 32 | 33 | ## Context 34 | 35 | 36 | 37 | 38 | ## Your Environment 39 | 40 | 41 | 42 | - Library Version used: 43 | - Node.js version (e.g. Node.js 5.4): 44 | - Operating System and version (desktop or mobile): 45 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/2-feature-request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: "\U0001F680 Feature request" 3 | about: Suggest an idea for this project 4 | --- 5 | 6 | 11 | 12 | **Is your feature request related to a problem? Please describe.** 13 | Please describe the problem you are trying to solve. 14 | 15 | **Describe the solution you'd like** 16 | Please describe the desired behavior. 17 | 18 | **Describe alternatives you've considered** 19 | Please describe alternative solutions or features you have considered. 20 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/3-help.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: '⁉️ Need help?' 3 | about: Please describe the problem. 4 | --- 5 | 6 | 9 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Description 4 | 5 | 6 | 7 | ## Types of changes 8 | 9 | 10 | 11 | - [ ] Bug fix (non-breaking change which fixes an issue) 12 | - [ ] New feature (non-breaking change which adds functionality) 13 | - [ ] Breaking change (fix or feature that would cause existing functionality to change) 14 | 15 | ## Related Issue 16 | 17 | 18 | 19 | 20 | 21 | 22 | ## Motivation and Context 23 | 24 | 25 | 26 | ## How Has This Been Tested? 27 | 28 | 29 | 30 | 31 | 32 | 33 | ## Screenshots (if appropriate): 34 | 35 | ## Checklist: 36 | 37 | 38 | 39 | 40 | - [ ] I have updated the documentation (if required). 41 | - [ ] I have read the **CONTRIBUTING** document. 42 | - [ ] I have added tests to cover my changes. 43 | - [ ] All new and existing tests passed. 44 | - [ ] I added a picture of a cute animal cause it's fun 45 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Logs 2 | logs 3 | *.log 4 | npm-debug.log* 5 | yarn-debug.log* 6 | yarn-error.log* 7 | 8 | # Runtime data 9 | pids 10 | *.pid 11 | *.seed 12 | *.pid.lock 13 | 14 | # Directory for instrumented libs generated by jscoverage/JSCover 15 | lib-cov 16 | 17 | # Coverage directory used by tools like istanbul 18 | coverage 19 | 20 | # nyc test coverage 21 | .nyc_output 22 | 23 | # Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files) 24 | .grunt 25 | 26 | # Bower dependency directory (https://bower.io/) 27 | bower_components 28 | 29 | # node-waf configuration 30 | .lock-wscript 31 | 32 | # Compiled binary addons (https://nodejs.org/api/addons.html) 33 | build/Release 34 | 35 | # Dependency directories 36 | node_modules/ 37 | jspm_packages/ 38 | 39 | # TypeScript v1 declaration files 40 | typings/ 41 | 42 | # Optional npm cache directory 43 | .npm 44 | 45 | # Optional eslint cache 46 | .eslintcache 47 | 48 | # Optional REPL history 49 | .node_repl_history 50 | 51 | # Output of 'npm pack' 52 | *.tgz 53 | 54 | # Yarn Integrity file 55 | .yarn-integrity 56 | 57 | # dotenv environment variables file 58 | .env 59 | .env.test 60 | 61 | # parcel-bundler cache (https://parceljs.org/) 62 | .cache 63 | 64 | # next.js build output 65 | .next 66 | 67 | # nuxt.js build output 68 | .nuxt 69 | 70 | # vuepress build output 71 | .vuepress/dist 72 | 73 | # Serverless directories 74 | .serverless/ 75 | 76 | # FuseBox cache 77 | .fusebox/ 78 | 79 | # DynamoDB Local files 80 | .dynamodb/ 81 | -------------------------------------------------------------------------------- /.prettierrc.js: -------------------------------------------------------------------------------- 1 | module.exports = { 2 | printWidth: 100, 3 | tabWidth: 2, 4 | singleQuote: true, 5 | semi: false, 6 | trailingComma: 'none', 7 | useTabs: false, 8 | bracketSpacing: false 9 | } 10 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: node_js 2 | node_js: 3 | - '8' 4 | - '10' 5 | before_script: 6 | - npm run lint 7 | install: 8 | - npm install --ignore-engines 9 | - npm install -g codecov 10 | script: 11 | - npm test 12 | - codecov 13 | after_success: 14 | - npm run semantic-release 15 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as 6 | contributors and maintainers pledge to making participation in our project and 7 | our community a harassment-free experience for everyone, regardless of age, body 8 | size, disability, ethnicity, gender identity and expression, level of experience, 9 | education, socio-economic status, nationality, personal appearance, race, 10 | religion, or sexual identity and orientation. 11 | 12 | ## Our Standards 13 | 14 | Examples of behavior that contributes to creating a positive environment 15 | include: 16 | 17 | - Using welcoming and inclusive language 18 | - Being respectful of differing viewpoints and experiences 19 | - Gracefully accepting constructive criticism 20 | - Focusing on what is best for the community 21 | - Showing empathy towards other community members 22 | 23 | Examples of unacceptable behavior by participants include: 24 | 25 | - The use of sexualized language or imagery and unwelcome sexual attention or 26 | advances 27 | - Trolling, insulting/derogatory comments, and personal or political attacks 28 | - Public or private harassment 29 | - Publishing others' private information, such as a physical or electronic 30 | address, without explicit permission 31 | - Other conduct which could reasonably be considered inappropriate in a 32 | professional setting 33 | 34 | ## Our Responsibilities 35 | 36 | Project maintainers are responsible for clarifying the standards of acceptable 37 | behavior and are expected to take appropriate and fair corrective action in 38 | response to any instances of unacceptable behavior. 39 | 40 | Project maintainers have the right and responsibility to remove, edit, or 41 | reject comments, commits, code, wiki edits, issues, and other contributions 42 | that are not aligned to this Code of Conduct, or to ban temporarily or 43 | permanently any contributor for other behaviors that they deem inappropriate, 44 | threatening, offensive, or harmful. 45 | 46 | ## Scope 47 | 48 | This Code of Conduct applies both within project spaces and in public spaces 49 | when an individual is representing the project or its community. Examples of 50 | representing a project or community include using an official project e-mail 51 | address, posting via an official social media account, or acting as an appointed 52 | representative at an online or offline event. Representation of a project may be 53 | further defined and clarified by project maintainers. 54 | 55 | ## Enforcement 56 | 57 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 58 | reported by contacting the project team at liran.tal@gmail.com. All 59 | complaints will be reviewed and investigated and will result in a response that 60 | is deemed necessary and appropriate to the circumstances. The project team is 61 | obligated to maintain confidentiality with regard to the reporter of an incident. 62 | Further details of specific enforcement policies may be posted separately. 63 | 64 | Project maintainers who do not follow or enforce the Code of Conduct in good 65 | faith may face temporary or permanent repercussions as determined by other 66 | members of the project's leadership. 67 | 68 | ## Attribution 69 | 70 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, 71 | available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html 72 | 73 | [homepage]: https://www.contributor-covenant.org 74 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | :+1::tada: First off, thanks for taking the time to contribute! :tada::+1: 4 | 5 | The following is a set of guidelines for contributing to detect-secrets. 6 | These are mostly guidelines, not rules. Use your best judgment, and feel free to propose changes to this document in a pull request. 7 | 8 | ## Code of Conduct 9 | 10 | This project and everyone participating in it is governed by a [Code of Conduct](./CODE_OF_CONDUCT.md). By participating, you are expected to uphold this code. 11 | 12 | ## How to contribute to detect-secrets 13 | 14 | 15 | 16 | ### Tests 17 | 18 | Make sure you the code you're adding has decent test coverage. 19 | 20 | Running project tests and coverage: 21 | 22 | ```bash 23 | npm run test 24 | ``` 25 | 26 | ### Commit Guidelines 27 | 28 | The project uses the commitizen tool for standardizing changelog style commit 29 | messages so you should follow it as so: 30 | 31 | ```bash 32 | git add . # add files to staging 33 | npm run commit # use the wizard for the commit message 34 | ``` 35 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | https://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | Copyright 2019 Liran Tal . 180 | 181 | Licensed under the Apache License, Version 2.0 (the "License"); 182 | you may not use this file except in compliance with the License. 183 | You may obtain a copy of the License at 184 | 185 | https://www.apache.org/licenses/LICENSE-2.0 186 | 187 | Unless required by applicable law or agreed to in writing, software 188 | distributed under the License is distributed on an "AS IS" BASIS, 189 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 190 | See the License for the specific language governing permissions and 191 | limitations under the License. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |

2 | detect-secrets 3 |

4 | 5 |

6 | A developer-friendly secrets detection tool for CI and pre-commit hooks 7 |

8 | 9 |

10 | npm version 11 | license 12 | downloads 13 | build 14 | codecov 15 | Known Vulnerabilities 16 | Security Responsible Disclosure 17 |

18 | 19 | # About 20 | 21 | The `detect-secrets` npm package is a Node.js-based wrapper for Yelp's [detect-secrets](https://github.com/Yelp/detect-secrets) tool that aims to provide an accessible and developer-friendly method of introducing secrets detection in pre-commit hooks. 22 | 23 | Yelp's detect-secrets is based on Python and requires explicit installation from developers. Moreover, its installation may be challenging in different operating systems. `detect-secrets` aims to alleviate this challenge by: 24 | 25 | 1. Attempt to locate Yelp's detect-secrets tool, and if it exists in the path to execute it. 26 | 27 | If it fails it continues to: 28 | 29 | 2. Attempt to locate the docker binary and if it exists it will download and execute the docker container for [lirantal/detect-secrets](https://github.com/lirantal/docker-detect-secrets) which has Yelp's detect-secrets inside the image. 30 | 31 | If this fails as well: 32 | 33 | 3. Exit with a warning message 34 | 35 | -- 36 | 37 | The above described fallback strategy is used to find an available method of executing the detect-secrets tool to protect the developer from leaking secrets into source code control. 38 | 39 | # Install 40 | 41 | ```bash 42 | npm install --save detect-secrets 43 | ``` 44 | 45 | This will expose `detect-secrets-launcher` Node.js executable file. 46 | 47 | Another way to invoke it is with npx which will download and execute the detect-secrets wrapper on the fly: 48 | 49 | ```bash 50 | npx detect-secrets [arguments] 51 | ``` 52 | 53 | # Usage 54 | 55 | If you're using `husky` to manage pre-commit hooks configuration, then enabling secrets detection is as simple as adding another hook entry. 56 | 57 | ```js 58 | "husky": { 59 | "hooks": { 60 | "pre-commit": "detect-secrets-launcher src/*" 61 | } 62 | } 63 | ``` 64 | 65 | If you're using `husky` and `lint-staged` to manage pre-commit hooks configuration and running static code analysis on staged files, then enabling secrets detection is as simple as adding another lint-staged entry. 66 | 67 | A typical setup will look like this as an example: 68 | 69 | ```js 70 | "husky": { 71 | "hooks": { 72 | "pre-commit": "lint-staged" 73 | }, 74 | }, 75 | "lint-staged": { 76 | "linters": { 77 | "**/*.js": [ 78 | "detect-secrets-launcher --baseline .secrets-baseline" 79 | ] 80 | } 81 | } 82 | ``` 83 | 84 | If you're not using a baseline file (it is created using Yelp's server-side detect-secrets tool) then you can simply omit this out and keep it as simple as `detect-secrets-launcher`. 85 | 86 | # Example 87 | 88 | To scan the `index.js` file within a repository for the potential of leaked secrets inside it run the following: 89 | 90 | ```bash 91 | detect-secrets-launcher index.js 92 | ``` 93 | 94 | Note that `index.js` has to be staged and versioned control. Any other plain file that is not known to git will not be scanned. 95 | 96 | # Contributing 97 | 98 | Please consult [CONTIRBUTING](./CONTRIBUTING.md) for guidelines on contributing to this project. 99 | 100 | # Author 101 | 102 | **detect-secrets** © [Liran Tal](https://github.com/lirantal), Released under the [Apache-2.0](./LICENSE) License. 103 | -------------------------------------------------------------------------------- /__tests__/cli.test.js: -------------------------------------------------------------------------------- 1 | /* eslint-disable security/detect-child-process */ 2 | 'use strict' 3 | 4 | const cli = require('../src/cli') 5 | 6 | describe('detect-secrets-launcher CLI', () => { 7 | test('when successful to spawn detect-secrets-hook should use exit code 1', () => { 8 | const executableStrategies = [ 9 | { 10 | type: 'ls', 11 | filePath: 'ls' 12 | } 13 | ] 14 | 15 | const result = cli.start(executableStrategies) 16 | expect(result.strategyExitCode).toBe(0) 17 | expect(result.strategiesInvoked).toBe(true) 18 | }) 19 | 20 | test('when failed to spawn executable should return exit code 1', () => { 21 | const executableStrategies = [ 22 | { 23 | type: 'made up command', 24 | filePath: 'ls', 25 | // fake command arguments to make 'ls' command fail 26 | prefixCommandArguments: ['-ala-s33s'] 27 | } 28 | ] 29 | 30 | const result = cli.start(executableStrategies) 31 | expect(result.strategyExitCode).not.toBe(0) 32 | expect(result.strategiesInvoked).toBe(true) 33 | }) 34 | 35 | test('should not invoke strategy when not existing', () => { 36 | const executableStrategies = [ 37 | { 38 | type: 'made up command', 39 | filePath: 'made up command' 40 | } 41 | ] 42 | 43 | const result = cli.start(executableStrategies) 44 | expect(result.strategiesInvoked).toBe(false) 45 | }) 46 | }) 47 | -------------------------------------------------------------------------------- /__tests__/cli.unit.test.js: -------------------------------------------------------------------------------- 1 | 'use strict' 2 | 3 | describe('Unit testing CLI', () => { 4 | beforeEach(() => { 5 | jest.resetModules() 6 | }) 7 | 8 | test('should only invoke one strategy if more than one exists', () => { 9 | jest.doMock('../src/strategies.js', () => { 10 | return { 11 | executeStrategy: jest.fn(() => { 12 | return 0 13 | }), 14 | isExecutableAvailableInPath: jest.fn(() => { 15 | return true 16 | }) 17 | } 18 | }) 19 | const strategies = require('../src/strategies') 20 | const cli = require('../src/cli') 21 | 22 | const executableStrategies = [ 23 | { 24 | type: 'ls', 25 | filePath: 'ls' 26 | }, 27 | { 28 | type: 'ls', 29 | filePath: 'ls' 30 | } 31 | ] 32 | 33 | const result = cli.start(executableStrategies) 34 | expect(result.strategiesInvoked).toEqual(true) 35 | expect(strategies.executeStrategy.mock.calls.length).toBe(1) 36 | }) 37 | }) 38 | -------------------------------------------------------------------------------- /__tests__/executeStrategy.test.js: -------------------------------------------------------------------------------- 1 | /* eslint-disable security/detect-child-process */ 2 | 'use strict' 3 | 4 | const ChildProcess = require('child_process') 5 | jest.mock('child_process', () => { 6 | return { 7 | spawnSync: jest.fn() 8 | } 9 | }) 10 | 11 | process.exit = jest.fn() 12 | 13 | const {executeStrategy} = require('../src/strategies') 14 | 15 | describe('Strategies: executeStrategy', () => { 16 | beforeAll(() => { 17 | process.exit.mockClear() 18 | ChildProcess.spawnSync.mockClear() 19 | ChildProcess.spawnSync.mockReset() 20 | }) 21 | 22 | test('when no arguments provided it shouldnt add anything to the spawned process', () => { 23 | process.argv = [] 24 | 25 | const mockStrategy = { 26 | type: 'ls', 27 | filePath: 'ls' 28 | } 29 | 30 | ChildProcess.spawnSync = jest.fn(() => { 31 | return { 32 | status: 0, 33 | stdout: '', 34 | stderr: '' 35 | } 36 | }) 37 | 38 | const exitCode = executeStrategy(mockStrategy) 39 | 40 | expect(exitCode).toBe(0) 41 | expect(ChildProcess.spawnSync.mock.calls.length).toBe(1) 42 | expect(ChildProcess.spawnSync.mock.calls[0][1]).toEqual([]) 43 | }) 44 | 45 | test('when arguments provided it should add them to the arguments of the command being spawned', () => { 46 | process.argv = [] 47 | 48 | const mockedArguments = ['a', 'b', 'c'] 49 | const mockStrategy = { 50 | type: 'ls', 51 | filePath: 'ls', 52 | prefixCommandArguments: mockedArguments 53 | } 54 | 55 | ChildProcess.spawnSync = jest.fn(() => { 56 | return { 57 | status: 1, 58 | stdout: '', 59 | stderr: '' 60 | } 61 | }) 62 | 63 | const exitCode = executeStrategy(mockStrategy) 64 | 65 | expect(exitCode).toBe(1) 66 | expect(ChildProcess.spawnSync.mock.calls.length).toBe(1) 67 | expect(ChildProcess.spawnSync.mock.calls[0][1]).toEqual(mockedArguments) 68 | }) 69 | }) 70 | -------------------------------------------------------------------------------- /__tests__/isExecutableAvailableInPath.test.js: -------------------------------------------------------------------------------- 1 | 'use strict' 2 | 3 | const {isExecutableAvailableInPath} = require('../src/strategies') 4 | 5 | describe('Strategies: isExecutableAvailableInPath', () => { 6 | test('should find a binary and result in success', () => { 7 | const executable = 'ls' 8 | const result = isExecutableAvailableInPath(executable) 9 | expect(result).toBe(true) 10 | }) 11 | 12 | test('should not find a made up binary name and result in error', () => { 13 | const executable = 'c3c3c2' 14 | const result = isExecutableAvailableInPath(executable) 15 | expect(result).toBe(false) 16 | }) 17 | }) 18 | -------------------------------------------------------------------------------- /bin/detect-secrets-launcher.js: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env node 2 | /* eslint-disable no-process-exit */ 3 | const debug = require('debug')('detect-secrets') 4 | const pkg = require('../package.json') 5 | const cli = require('../src/cli') 6 | 7 | const PYTHON_PACKAGE_EXEC = 'detect-secrets-hook' 8 | const DOCKER_EXEC = 'docker' 9 | const DOCKER_IMAGE_NAME = 'lirantal/detect-secrets' 10 | 11 | const pwd = process.cwd() 12 | const executableStrategies = [ 13 | { 14 | type: 'python', 15 | filePath: PYTHON_PACKAGE_EXEC 16 | }, 17 | { 18 | type: 'docker', 19 | filePath: DOCKER_EXEC, 20 | prefixCommandArguments: [ 21 | 'run', 22 | '--rm', 23 | '--volume', 24 | `${pwd}:/usr/src/app`, 25 | `${DOCKER_IMAGE_NAME}` 26 | ] 27 | } 28 | ] 29 | 30 | debug(`${pkg.name} ${pkg.version}`) 31 | const {strategyExitCode, strategiesInvoked} = cli.start(executableStrategies) 32 | if (strategiesInvoked) { 33 | process.exit(strategyExitCode) 34 | } else { 35 | console.log(`${pkg.name} ${pkg.version}`) 36 | console.log('WARNING: could not execute tool to prevent you from committing secrets') 37 | console.log( 38 | 'to remedy the situation and enable secrets detection in your commits, consider one of:' 39 | ) 40 | console.log( 41 | ' 1. follow instructions on https://github.com/Yelp/detect-secrets to install detect-secrets' 42 | ) 43 | console.log(' 2. install docker and this Node.js CLI will use it to execute an image') 44 | console.log('') 45 | } 46 | -------------------------------------------------------------------------------- /jsdoc.json: -------------------------------------------------------------------------------- 1 | { 2 | "tags": { 3 | "allowUnknownTags": true, 4 | "dictionaries": ["jsdoc", "closure"] 5 | }, 6 | "source": { 7 | "include": ["./index.js"], 8 | "exclude": ["./node_modules", "./.nyc_output", "./coverage", "./out", "./tests"], 9 | "includePattern": ".+\\.js(doc|x)?$", 10 | "excludePattern": "(^|\\/|\\\\)_" 11 | }, 12 | "plugins": [], 13 | "templates": {}, 14 | "opts": { 15 | "destination": "./out", 16 | "recurse": true, 17 | "private": true 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "detect-secrets", 3 | "version": "0.0.0-development", 4 | "description": "A developer-friendly secrets detection tool for CI and pre-commit hooks based on Yelp's detect-secrets", 5 | "bin": { 6 | "detect-secrets-launcher": "./bin/detect-secrets-launcher.js" 7 | }, 8 | "engines": { 9 | "node": ">=8.0.0" 10 | }, 11 | "scripts": { 12 | "lint": "eslint .", 13 | "lint:fix": "eslint . --fix", 14 | "format": "prettier-standard '**/*.js'", 15 | "test": "jest", 16 | "test:watch": "jest --watch", 17 | "coverage:view": "open-cli coverage/lcov-report/index.html", 18 | "commit": "git-cz", 19 | "docs": "npm run docs:code && npm run docs:api", 20 | "docs:api": "doxdox *.js --layout bootstrap --output docs/index.html", 21 | "docs:code": "docco *.js --output docs/code", 22 | "semantic-release": "semantic-release" 23 | }, 24 | "author": { 25 | "name": "Liran Tal", 26 | "email": "liran.tal@gmail.com", 27 | "url": "https://github.com/lirantal" 28 | }, 29 | "license": "Apache-2.0", 30 | "keywords": [ 31 | "secrets", 32 | "precommit", 33 | "leak", 34 | "git", 35 | "credentials", 36 | "yelp", 37 | "detect-secrets" 38 | ], 39 | "homepage": "https://github.com/lirantal/detect-secrets", 40 | "bugs": { 41 | "url": "https://github.com/lirantal/detect-secrets/issues" 42 | }, 43 | "repository": { 44 | "type": "git", 45 | "url": "https://github.com/lirantal/detect-secrets.git" 46 | }, 47 | "dependencies": { 48 | "debug": "^4.3.3", 49 | "which": "^1.3.1" 50 | }, 51 | "devDependencies": { 52 | "@commitlint/cli": "^7.2.1", 53 | "@commitlint/config-conventional": "^7.1.2", 54 | "babel-eslint": "^10.0.1", 55 | "babel-plugin-syntax-async-functions": "^6.13.0", 56 | "babel-plugin-transform-regenerator": "^6.26.0", 57 | "babel-preset-env": "^1.6.1", 58 | "babel-preset-es2015": "^6.24.1", 59 | "commitizen": "^2.9.5", 60 | "cz-conventional-changelog": "^1.2.0", 61 | "docco": "^0.8.0", 62 | "doxdox": "^2.0.1", 63 | "eslint": "^5.10.0", 64 | "eslint-config-standard": "^12.0.0", 65 | "eslint-plugin-import": "^2.14.0", 66 | "eslint-plugin-jest": "^22.1.2", 67 | "eslint-plugin-node": "^8.0.0", 68 | "eslint-plugin-promise": "^4.0.1", 69 | "eslint-plugin-security": "^1.4.0", 70 | "eslint-plugin-standard": "^4.0.0", 71 | "husky": "^1.2.1", 72 | "jest": "23.6", 73 | "lint-staged": "^8.1.0", 74 | "opn-cli": "^3.1.0", 75 | "prettier-standard": "^8.0.1", 76 | "semantic-release": "^15.3.2" 77 | }, 78 | "jest": { 79 | "testEnvironment": "node", 80 | "verbose": true, 81 | "notify": true, 82 | "collectCoverage": true, 83 | "coverageThreshold": { 84 | "global": { 85 | "branches": 80, 86 | "functions": 80, 87 | "lines": 80, 88 | "statements": 80 89 | } 90 | }, 91 | "testPathIgnorePatterns": [ 92 | "/__tests__/.*/__fixtures__/.*" 93 | ], 94 | "collectCoverageFrom": [ 95 | "index.js", 96 | "src/**/*.{js,ts}" 97 | ], 98 | "testMatch": [ 99 | "**/*.test.js" 100 | ] 101 | }, 102 | "husky": { 103 | "hooks": { 104 | "commit-msg": "commitlint --env HUSKY_GIT_PARAMS", 105 | "pre-commit": "lint-staged", 106 | "post-merge": "npm install", 107 | "pre-push": "npm run lint && npm run test" 108 | } 109 | }, 110 | "lint-staged": { 111 | "linters": { 112 | "**/*.js": [ 113 | "prettier-standard", 114 | "git add" 115 | ] 116 | } 117 | }, 118 | "commitlint": { 119 | "extends": [ 120 | "@commitlint/config-conventional" 121 | ] 122 | }, 123 | "config": { 124 | "commitizen": { 125 | "path": "./node_modules/cz-conventional-changelog" 126 | } 127 | }, 128 | "standard": { 129 | "env": [ 130 | "jest" 131 | ], 132 | "parser": "babel-eslint", 133 | "ignore": [ 134 | "**/out/" 135 | ] 136 | }, 137 | "eslintIgnore": [ 138 | "coverage/**" 139 | ], 140 | "eslintConfig": { 141 | "env": { 142 | "node": true, 143 | "es6": true, 144 | "jest": true 145 | }, 146 | "plugins": [ 147 | "import", 148 | "standard", 149 | "node", 150 | "security", 151 | "jest" 152 | ], 153 | "extends": [ 154 | "standard", 155 | "plugin:node/recommended" 156 | ], 157 | "rules": { 158 | "no-process-exit": "warn", 159 | "jest/no-disabled-tests": "error", 160 | "jest/no-focused-tests": "error", 161 | "jest/no-identical-title": "error", 162 | "node/no-unsupported-features": "off", 163 | "node/no-unpublished-require": "off", 164 | "security/detect-non-literal-fs-filename": "error", 165 | "security/detect-unsafe-regex": "error", 166 | "security/detect-buffer-noassert": "error", 167 | "security/detect-child-process": "error", 168 | "security/detect-disable-mustache-escape": "error", 169 | "security/detect-eval-with-expression": "error", 170 | "security/detect-no-csrf-before-method-override": "error", 171 | "security/detect-non-literal-regexp": "error", 172 | "security/detect-object-injection": "warn", 173 | "security/detect-possible-timing-attacks": "error", 174 | "security/detect-pseudoRandomBytes": "error", 175 | "space-before-function-paren": "off", 176 | "object-curly-spacing": "off" 177 | }, 178 | "parserOptions": { 179 | "ecmaVersion": 8, 180 | "ecmaFeatures": { 181 | "impliedStrict": true 182 | } 183 | } 184 | }, 185 | "release": { 186 | "branch": "master", 187 | "analyzeCommits": { 188 | "preset": "angular", 189 | "releaseRules": [ 190 | { 191 | "type": "docs", 192 | "release": "patch" 193 | }, 194 | { 195 | "type": "refactor", 196 | "release": "patch" 197 | }, 198 | { 199 | "type": "style", 200 | "release": "patch" 201 | } 202 | ] 203 | } 204 | } 205 | } 206 | -------------------------------------------------------------------------------- /src/cli.js: -------------------------------------------------------------------------------- 1 | /* eslint-disable security/detect-child-process */ 2 | /* eslint-disable no-process-exit */ 3 | 'use strict' 4 | 5 | const {isExecutableAvailableInPath, executeStrategy} = require('../src/strategies') 6 | 7 | function start(executableStrategies) { 8 | let strategyExitCode = 0 9 | let strategiesInvoked = false 10 | executableStrategies.forEach(strategy => { 11 | const strategyExists = isExecutableAvailableInPath(strategy.filePath) 12 | if (strategyExists && !strategiesInvoked) { 13 | strategiesInvoked = true 14 | strategyExitCode = executeStrategy(strategy) 15 | } 16 | }) 17 | 18 | return { 19 | strategyExitCode, 20 | strategiesInvoked 21 | } 22 | } 23 | 24 | module.exports = { 25 | start 26 | } 27 | -------------------------------------------------------------------------------- /src/strategies.js: -------------------------------------------------------------------------------- 1 | /* eslint-disable security/detect-child-process */ 2 | /* eslint-disable no-process-exit */ 3 | 'use strict' 4 | 5 | const ChildProcess = require('child_process') 6 | const debug = require('debug')('detect-secrets') 7 | const which = require('which') 8 | 9 | function isExecutableAvailableInPath(executable) { 10 | debug(`checking if the executable ${executable} exists`) 11 | let resolved 12 | try { 13 | resolved = which.sync(executable) 14 | debug(`found executable ${executable} at: ${resolved}`) 15 | } catch (error) { 16 | debug(error) 17 | } 18 | 19 | if (!resolved) { 20 | return false 21 | } 22 | 23 | return true 24 | } 25 | 26 | function executeStrategy(strategy) { 27 | let hookCommandArguments = process.argv.slice(2) 28 | debug( 29 | `received ${hookCommandArguments.length} command arguments: ${JSON.stringify( 30 | hookCommandArguments 31 | )}` 32 | ) 33 | 34 | if (strategy.prefixCommandArguments && strategy.prefixCommandArguments.length > 0) { 35 | hookCommandArguments = strategy.prefixCommandArguments.concat(hookCommandArguments) 36 | } 37 | 38 | debug(`executing [${strategy.filePath}] with command arguments:`) 39 | debug(hookCommandArguments) 40 | 41 | const spawnResult = ChildProcess.spawnSync(strategy.filePath, hookCommandArguments, { 42 | shell: true 43 | }) 44 | 45 | debug(`exited with code: ${spawnResult.status}`) 46 | console.log(spawnResult.stdout.toString('utf-8')) 47 | console.error(spawnResult.stderr.toString('utf-8')) 48 | 49 | const stderr = spawnResult.stderr.toString('utf-8') 50 | const stringFound = stderr.match(/The baseline file was updated/g) 51 | if (stringFound) { 52 | // force a 0 status code as this isn't an actual error 53 | // ref: https://github.com/Yelp/detect-secrets/issues/212 54 | return 0 55 | } 56 | 57 | return spawnResult.status 58 | } 59 | 60 | module.exports = { 61 | isExecutableAvailableInPath, 62 | executeStrategy 63 | } 64 | --------------------------------------------------------------------------------