@netlify/build 33.1.5 → 33.2.1

package/lib/log/messages/core_steps.js

@@ -95,9 +95,11 @@ export const logSecretsScanSuccessMessage = function (logs, msg) {
 };
 export const logSecretsScanFailBuildMessage = function ({ logs, scanResults, groupedResults }) {
     const { secretMatches, enhancedSecretMatches } = groupedResults;
-    logErrorSubHeader(logs, `Scanning complete. ${scanResults.scannedFilesCount} file(s) scanned. Secrets scanning found ${scanResults.matches.length} instance(s) of secrets in build output or repo code.\n`);
+    const secretMatchesKeys = Object.keys(secretMatches);
+    const enhancedSecretMatchesKeys = Object.keys(enhancedSecretMatches);
+    logErrorSubHeader(logs, `Scanning complete. ${scanResults.scannedFilesCount} file(s) scanned. Secrets scanning found ${secretMatchesKeys.length} instance(s) of secrets${enhancedSecretMatchesKeys.length > 0 ? ` and ${enhancedSecretMatchesKeys.length} instance(s) of likely secrets` : ''} in build output or repo code.\n`);
     // Explicit secret matches
-    Object.keys(secretMatches).forEach((key) => {
+    secretMatchesKeys.forEach((key) => {
         logError(logs, `Secret env var "${key}"'s value detected:`);
         secretMatches[key]
             .sort((a, b) => {
@@ -107,9 +109,13 @@ export const logSecretsScanFailBuildMessage = function ({ logs, scanResults, gro
             logError(logs, `found value at line ${lineNumber} in ${file}`, { indent: true });
         });
     });
+    if (secretMatchesKeys.length) {
+        logError(logs, `\nTo prevent exposing secrets, the build will fail until these secret values are not found in build output or repo files.`);
+        logError(logs, `\nIf these are expected, use SECRETS_SCAN_OMIT_PATHS, SECRETS_SCAN_OMIT_KEYS, or SECRETS_SCAN_ENABLED to prevent detecting.`);
+    }
     // Likely secret matches from enhanced scan
-    Object.keys(enhancedSecretMatches).forEach((key) => {
-        logError(logs, `Env var "${key}"'s value detected as a likely secret value:`);
+    enhancedSecretMatchesKeys.forEach((key, index) => {
+        logError(logs, `${index === 0 && secretMatchesKeys.length ? '\n' : ''}"${key}***" detected as a likely secret:`);
         enhancedSecretMatches[key]
             .sort((a, b) => {
             return a.file > b.file ? 0 : 1;
@@ -118,7 +124,9 @@ export const logSecretsScanFailBuildMessage = function ({ logs, scanResults, gro
             logError(logs, `found value at line ${lineNumber} in ${file}`, { indent: true });
         });
     });
-    logError(logs, `\nTo prevent exposing secrets, the build will fail until these secret values are not found in build output or repo files.`);
-    logError(logs, `If these are expected, use SECRETS_SCAN_OMIT_PATHS, SECRETS_SCAN_OMIT_KEYS, or SECRETS_SCAN_ENABLED to prevent detecting.`);
-    logError(logs, `For more information on secrets scanning, see the Netlify Docs: https://ntl.fyi/configure-secrets-scanning`);
+    if (enhancedSecretMatchesKeys.length) {
+        logError(logs, `\nTo prevent exposing secrets, the build will fail until these likely secret values are not found in build output or repo files.`);
+        logError(logs, `\nIf these are expected, use ENHANCED_SECRETS_SCAN_OMIT_VALUES, or ENHANCED_SECRETS_SCAN_ENABLED to prevent detecting.`);
+    }
+    logError(logs, `\nFor more information on secrets scanning, see the Netlify Docs: https://ntl.fyi/configure-secrets-scanning`);
 };

package/lib/plugins_core/blobs_upload/index.js

@@ -1,7 +1,5 @@
-import { version as nodeVersion } from 'node:process';
 import { getDeployStore } from '@netlify/blobs';
 import pMap from 'p-map';
-import semver from 'semver';
 import { DEFAULT_API_HOST } from '../../core/normalize_flags.js';
 import { logError } from '../../log/logger.js';
 import { getFileWithMetadata, getKeysToUpload, scanForBlobs } from '../../utils/blobs.js';
@@ -19,11 +17,6 @@ const coreStep = async function ({ logs, deployId, buildDir, packagePath, consta
         token: NETLIFY_API_TOKEN,
         apiURL: `https://${apiHost}`,
     };
-    // If we don't have native `fetch` in the global scope, add a polyfill.
-    if (semver.lt(nodeVersion, '18.0.0')) {
-        const nodeFetch = (await import('node-fetch')).default;
-        storeOpts.fetch = nodeFetch;
-    }
     const blobs = await scanForBlobs(buildDir, packagePath);
     // We checked earlier, but let's be extra safe
     if (blobs === null) {

package/lib/plugins_core/dev_blobs_upload/index.js

@@ -1,7 +1,5 @@
-import { version as nodeVersion } from 'node:process';
 import { getDeployStore } from '@netlify/blobs';
 import pMap from 'p-map';
-import semver from 'semver';
 import { log, logError } from '../../log/logger.js';
 import { getFileWithMetadata, getKeysToUpload, scanForBlobs } from '../../utils/blobs.js';
 import { getBlobs } from '../../utils/frameworks_api.js';
@@ -18,11 +16,6 @@ const coreStep = async function ({ debug, logs, deployId, buildDir, quiet, packa
         token: NETLIFY_API_TOKEN,
         apiURL: `https://${apiHost}`,
     };
-    // If we don't have native `fetch` in the global scope, add a polyfill.
-    if (semver.lt(nodeVersion, '18.0.0')) {
-        const nodeFetch = (await import('node-fetch')).default;
-        storeOpts.fetch = nodeFetch;
-    }
     const blobs = await scanForBlobs(buildDir, packagePath);
     // We checked earlier, but let's be extra safe
     if (blobs === null) {

package/lib/plugins_core/secrets_scanning/index.js

@@ -3,7 +3,7 @@ import { addErrorInfo } from '../../error/info.js';
 import { log } from '../../log/logger.js';
 import { logSecretsScanFailBuildMessage, logSecretsScanSkipMessage, logSecretsScanSuccessMessage, } from '../../log/messages/core_steps.js';
 import { reportValidations } from '../../status/validations.js';
-import { getFilePathsToScan, getNonSecretKeysToScanFor, getSecretKeysToScanFor, groupScanResultsByKeyAndScanType, isSecretsScanningEnabled, scanFilesForKeyValues, } from './utils.js';
+import { getFilePathsToScan, getOmitValuesFromEnhancedScanForEnhancedScanFromEnv, getSecretKeysToScanFor, groupScanResultsByKeyAndScanType, isEnhancedSecretsScanningEnabled, isSecretsScanningEnabled, scanFilesForKeyValues, } from './utils.js';
 const tracer = trace.getTracer('secrets-scanning');
 const coreStep = async function ({ buildDir, logs, netlifyConfig, explicitSecretKeys, enhancedSecretScan, systemLog, deployId, api, }) {
     const stepResults = {};
@@ -21,14 +21,18 @@ const coreStep = async function ({ buildDir, logs, netlifyConfig, explicitSecret
     if (envVars['SECRETS_SCAN_OMIT_PATHS'] !== undefined) {
         log(logs, `SECRETS_SCAN_OMIT_PATHS override option set to: ${envVars['SECRETS_SCAN_OMIT_PATHS']}\n`);
     }
-    const explicitSecretKeysToScanFor = getSecretKeysToScanFor(envVars, passedSecretKeys);
-    const potentialSecretKeysToScanFor = enhancedSecretScan ? getNonSecretKeysToScanFor(envVars, passedSecretKeys) : [];
-    const keysToSearchFor = explicitSecretKeysToScanFor.concat(potentialSecretKeysToScanFor);
-    if (keysToSearchFor.length === 0) {
-        const msg = enhancedSecretScan
-            ? 'Secrets scanning skipped because no env vars are set to non-empty/non-trivial values or they are all omitted with SECRETS_SCAN_OMIT_KEYS env var setting.'
-            : 'Secrets scanning skipped because no env vars marked as secret are set to non-empty/non-trivial values or they are all omitted with SECRETS_SCAN_OMIT_KEYS env var setting.';
-        logSecretsScanSkipMessage(logs, msg);
+    const enhancedScanningEnabledInEnv = isEnhancedSecretsScanningEnabled(envVars);
+    if (enhancedSecretScan && !enhancedScanningEnabledInEnv) {
+        logSecretsScanSkipMessage(logs, 'Enhanced secrets detection disabled via ENHANCED_SECRETS_SCAN_ENABLED flag set to false.');
+    }
+    if (enhancedSecretScan &&
+        enhancedScanningEnabledInEnv &&
+        envVars['ENHANCED_SECRETS_SCAN_OMIT_VALUES'] !== undefined) {
+        log(logs, `ENHANCED_SECRETS_SCAN_OMIT_VALUES override option set to: ${envVars['ENHANCED_SECRETS_SCAN_OMIT_VALUES']}\n`);
+    }
+    const keysToSearchFor = getSecretKeysToScanFor(envVars, passedSecretKeys);
+    if (keysToSearchFor.length === 0 && !enhancedSecretScan) {
+        logSecretsScanSkipMessage(logs, 'Secrets scanning skipped because no env vars marked as secret are set to non-empty/non-trivial values or they are all omitted with SECRETS_SCAN_OMIT_KEYS env var setting.');
         return stepResults;
     }
     // buildDir is the repository root or the base folder
@@ -48,9 +52,11 @@ const coreStep = async function ({ buildDir, logs, netlifyConfig, explicitSecret
             keys: keysToSearchFor,
             base: buildDir,
             filePaths,
+            enhancedScanning: enhancedSecretScan && enhancedScanningEnabledInEnv,
+            omitValuesFromEnhancedScan: getOmitValuesFromEnhancedScanForEnhancedScanFromEnv(envVars),
         });
-        secretMatches = scanResults.matches.filter((match) => explicitSecretKeysToScanFor.includes(match.key));
-        enhancedSecretMatches = scanResults.matches.filter((match) => potentialSecretKeysToScanFor.includes(match.key));
+        secretMatches = scanResults.matches.filter((match) => !match.enhancedMatch);
+        enhancedSecretMatches = scanResults.matches.filter((match) => match.enhancedMatch);
         const attributesForLogsAndSpan = {
             secretsScanFoundSecrets: secretMatches.length > 0,
             enhancedSecretsScanFoundSecrets: enhancedSecretMatches.length > 0,
@@ -58,6 +64,8 @@ const coreStep = async function ({ buildDir, logs, netlifyConfig, explicitSecret
             enhancedSecretsScanMatchesCount: enhancedSecretMatches.length,
             secretsFilesCount: scanResults.scannedFilesCount,
             keysToSearchFor,
+            enhancedPrefixMatches: enhancedSecretMatches.length ? enhancedSecretMatches.map((match) => match.key) : [],
+            enhancedScanning: enhancedSecretScan && enhancedScanningEnabledInEnv,
         };
         systemLog?.(attributesForLogsAndSpan);
         span.setAttributes(attributesForLogsAndSpan);
@@ -80,7 +88,7 @@ const coreStep = async function ({ buildDir, logs, netlifyConfig, explicitSecret
     logSecretsScanFailBuildMessage({
         logs,
         scanResults,
-        groupedResults: groupScanResultsByKeyAndScanType(scanResults, potentialSecretKeysToScanFor),
+        groupedResults: groupScanResultsByKeyAndScanType(scanResults),
     });
     const error = new Error(`Secrets scanning found secrets in build.`);
     addErrorInfo(error, { type: 'secretScanningFoundSecrets' });

package/lib/plugins_core/secrets_scanning/secret_prefixes.d.ts

@@ -3,3 +3,7 @@
  * Note: string comparison is case-insensitive so we use all lowercase here.
  */
 export declare const LIKELY_SECRET_PREFIXES: string[];
+/**
+ * Known values that we do not want to trigger secret detection failures (e.g. common to framework build output)
+ */
+export declare const SAFE_LISTED_VALUES: string[];

package/lib/plugins_core/secrets_scanning/secret_prefixes.js

@@ -10,7 +10,6 @@ const GITHUB_PREFIXES = ['ghp_', 'gho_', 'ghu_', 'ghs_', 'ghr_', 'github_pat_'];
 const SHOPIFY_PREFIXES = ['shpss_', 'shpat_', 'shpca_', 'shppa_'];
 const SQUARE_PREFIXES = ['sq0atp-'];
 const OTHER_COMMON_PREFIXES = [
-    'pk_',
     'sk_',
     'pat_',
     'sk-',
@@ -33,3 +32,7 @@ export const LIKELY_SECRET_PREFIXES = [
     ...SQUARE_PREFIXES,
     ...OTHER_COMMON_PREFIXES,
 ];
+/**
+ * Known values that we do not want to trigger secret detection failures (e.g. common to framework build output)
+ */
+export const SAFE_LISTED_VALUES = ['SECRET_DO_NOT_PASS_THIS_OR_YOU_WILL_BE_FIRED']; // Common to code using React PropTypes

package/lib/plugins_core/secrets_scanning/utils.d.ts

@@ -7,11 +7,14 @@ interface ScanArgs {
     keys: string[];
     base: string;
     filePaths: string[];
+    enhancedScanning?: boolean;
+    omitValuesFromEnhancedScan?: unknown[];
 }
 interface MatchResult {
     lineNumber: number;
     key: string;
     file: string;
+    enhancedMatch: boolean;
 }
 export type SecretScanResult = {
     scannedFilesCount: number;
@@ -24,6 +27,14 @@ export type SecretScanResult = {
  * @returns
  */
 export declare function isSecretsScanningEnabled(env: Record<string, unknown>): boolean;
+/**
+ * Determine if the user disabled enhanced scanning via env var
+ * @param env current envars
+ * @returns
+ */
+export declare function isEnhancedSecretsScanningEnabled(env: Record<string, unknown>): boolean;
+export declare function getStringArrayFromEnvValue(env: Record<string, unknown>, envVarName: string): string[];
+export declare function getOmitValuesFromEnhancedScanForEnhancedScanFromEnv(env: Record<string, unknown>): unknown[];
 /**
  * given the explicit secret keys and env vars, return the list of secret keys which have non-empty or non-trivial values. This
  * will also filter out keys passed in the SECRETS_SCAN_OMIT_KEYS env var.
@@ -38,15 +49,32 @@ export declare function isSecretsScanningEnabled(env: Record<string, unknown>):
  */
 export declare function getSecretKeysToScanFor(env: Record<string, unknown>, secretKeys: string[]): string[];
 /**
- * given the explicit secret keys and env vars, return the list of non-secret keys which should be scanned in the enhanced secret scan
- * (i.e. any that look very likely to be secrets).
- * This will also filter out keys passed in the SECRETS_SCAN_OMIT_KEYS env var.
+ * Checks a line of text for likely secrets based on known prefixes and patterns.
+ * The function works by:
+ * 1. Splitting the line into tokens using quotes, whitespace, equals signs, colons, and commas as delimiters
+ * 2. For each token, checking if it matches our secret pattern:
+ *    - Must start (^) with one of our known prefixes (e.g. aws_, github_pat_, etc)
+ *    - Must be followed by at least MIN_CHARS_AFTER_PREFIX non-whitespace characters
+ *    - Must extend to the end ($) of the token
  *
- * @param env env vars list
- * @param secretKeys
- * @returns string[]
+ * For example, given the line: secretKey='aws_123456789012345678'
+ * 1. It's split into tokens: ['secretKey', 'aws_123456789012345678']
+ * 2. Each token is checked against the regex pattern:
+ *    - 'secretKey' doesn't match (doesn't start with a known prefix)
+ *    - 'aws_123456789012345678' matches (starts with 'aws_' and has sufficient length)
+ *
+ * @param line The line of text to check
+ * @param file The file path where this line was found
+ * @param lineNumber The line number in the file
+ * @param omitValuesFromEnhancedScan Optional array of values to exclude from matching
+ * @returns Array of matches found in the line
  */
-export declare function getNonSecretKeysToScanFor(env: Record<string, unknown>, secretKeys: string[]): string[];
+export declare function findLikelySecrets({ line, file, lineNumber, omitValuesFromEnhancedScan, }: {
+    line: string;
+    file: string;
+    lineNumber: number;
+    omitValuesFromEnhancedScan?: unknown[];
+}): MatchResult[];
 /**
  * Given the env and base directory, find all file paths to scan. It will look at the
  * env vars to decide if it should omit certain paths.
@@ -67,7 +95,7 @@ export declare function getFilePathsToScan({ env, base }: {
  * @param scanArgs {ScanArgs} scan options
  * @returns promise with all of the scan results, if any
  */
-export declare function scanFilesForKeyValues({ env, keys, filePaths, base }: ScanArgs): Promise<ScanResults>;
+export declare function scanFilesForKeyValues({ env, keys, filePaths, base, enhancedScanning, omitValuesFromEnhancedScan, }: ScanArgs): Promise<ScanResults>;
 /**
  * ScanResults are all of the finds for all keys and their disparate locations. Scanning is
  * async in streams so order can change a lot. Some matches are the result of an env var explictly being marked as secret,
@@ -79,7 +107,7 @@ export declare function scanFilesForKeyValues({ env, keys, filePaths, base }: Sc
  * @param scanResults
  * @returns
  */
-export declare function groupScanResultsByKeyAndScanType(scanResults: ScanResults, enhancedScanKeys?: string[]): {
+export declare function groupScanResultsByKeyAndScanType(scanResults: ScanResults): {
     secretMatches: {
         [key: string]: MatchResult[];
     };

package/lib/plugins_core/secrets_scanning/utils.js

@@ -3,7 +3,7 @@ import path from 'node:path';
 import { createInterface } from 'node:readline';
 import { fdir } from 'fdir';
 import { minimatch } from 'minimatch';
-import { LIKELY_SECRET_PREFIXES } from './secret_prefixes.js';
+import { LIKELY_SECRET_PREFIXES, SAFE_LISTED_VALUES } from './secret_prefixes.js';
 /**
  * Determine if the user disabled scanning via env var
  * @param env current envars
@@ -15,13 +15,32 @@ export function isSecretsScanningEnabled(env) {
     }
     return true;
 }
-function filterOmittedKeys(env, envKeys = []) {
-    if (typeof env.SECRETS_SCAN_OMIT_KEYS !== 'string') {
-        return envKeys;
+/**
+ * Determine if the user disabled enhanced scanning via env var
+ * @param env current envars
+ * @returns
+ */
+export function isEnhancedSecretsScanningEnabled(env) {
+    if (env.ENHANCED_SECRETS_SCAN_ENABLED === false || env.ENHANCED_SECRETS_SCAN_ENABLED === 'false') {
+        return false;
     }
-    const omitKeys = env.SECRETS_SCAN_OMIT_KEYS.split(',')
+    return true;
+}
+export function getStringArrayFromEnvValue(env, envVarName) {
+    if (typeof env[envVarName] !== 'string') {
+        return [];
+    }
+    const omitKeys = env[envVarName]
+        .split(',')
         .map((s) => s.trim())
         .filter(Boolean);
+    return omitKeys;
+}
+export function getOmitValuesFromEnhancedScanForEnhancedScanFromEnv(env) {
+    return getStringArrayFromEnvValue(env, 'ENHANCED_SECRETS_SCAN_OMIT_VALUES');
+}
+function filterOmittedKeys(env, envKeys = []) {
+    const omitKeys = getStringArrayFromEnvValue(env, 'SECRETS_SCAN_OMIT_KEYS');
     return envKeys.filter((key) => !omitKeys.includes(key));
 }
 /**
@@ -65,46 +84,64 @@ export function getSecretKeysToScanFor(env, secretKeys) {
     const filteredSecretKeys = filterOmittedKeys(env, secretKeys);
     return filteredSecretKeys.filter((key) => !isValueTrivial(env[key]));
 }
+// Most prefixes are 4-5 chars, so requiring 12 chars after ensures a reasonable secret length
+const MIN_CHARS_AFTER_PREFIX = 12;
+// Escape special regex characters (like $, *, +, etc) in prefixes so they're treated as literal characters
+const prefixMatchingRegex = LIKELY_SECRET_PREFIXES.map((p) => p.replace(/[$*+?.()|[\]{}]/g, '\\$&')).join('|');
+// Build regex pattern for matching secrets with various delimiters and quotes:
+// (?:["'`]|^|[=:,]) - match either quotes, start of line, or delimiters (=:,) at the start
+// Named capturing groups:
+//   - <token>: captures the entire secret value including its prefix
+//   - <prefix>: captures just the prefix part (e.g. 'aws_', 'github_pat_')
+// (?:${prefixMatchingRegex}) - non-capturing group containing our escaped prefixes (e.g. aws_|github_pat_|etc)
+// [^ "'`=:,]{${MIN_CHARS_AFTER_PREFIX}} - match exactly MIN_CHARS_AFTER_PREFIX chars after the prefix
+// [^ "'`=:,]*? - lazily match any additional chars that aren't quotes/delimiters
+// (?:["'`]|[ =:,]|$) - end with either quotes, delimiters, whitespace, or end of line
+// gi - global and case insensitive flags
+// Note: Using the global flag (g) means this regex object maintains state between executions.
+// We would need to reset lastIndex to 0 if we wanted to reuse it on the same string multiple times.
+const likelySecretRegex = new RegExp(`(?:["'\`]|^|[=:,]) *(?<token>(?<prefix>${prefixMatchingRegex})[^ "'\`=:,]{${MIN_CHARS_AFTER_PREFIX}}[^ "'\`=:,]*?)(?:["'\`]|[ =:,]|$)`, 'gi');
 /**
- * given the explicit secret keys and env vars, return the list of non-secret keys which should be scanned in the enhanced secret scan
- * (i.e. any that look very likely to be secrets).
- * This will also filter out keys passed in the SECRETS_SCAN_OMIT_KEYS env var.
+ * Checks a line of text for likely secrets based on known prefixes and patterns.
+ * The function works by:
+ * 1. Splitting the line into tokens using quotes, whitespace, equals signs, colons, and commas as delimiters
+ * 2. For each token, checking if it matches our secret pattern:
+ *    - Must start (^) with one of our known prefixes (e.g. aws_, github_pat_, etc)
+ *    - Must be followed by at least MIN_CHARS_AFTER_PREFIX non-whitespace characters
+ *    - Must extend to the end ($) of the token
  *
- * @param env env vars list
- * @param secretKeys
- * @returns string[]
- */
-export function getNonSecretKeysToScanFor(env, secretKeys) {
-    const nonSecretKeys = Object.keys(env).filter((key) => !secretKeys.includes(key));
-    const filteredNonSecretKeys = filterOmittedKeys(env, nonSecretKeys);
-    const nonSecretKeysToScanFor = filteredNonSecretKeys.filter((key) => {
-        const val = env[key];
-        if (isValueTrivial(val)) {
-            return false;
-        }
-        return isLikelySecretValue(val);
-    });
-    return nonSecretKeysToScanFor;
-}
-const LIKELY_SECRET_MIN_LENGTH = 16;
-/**
- * When the enhanced secret scan is run, we check any env vars _not_ marked as secret if they are highly likely to be secret values.
- * For now, this means the value is a string of at least 16 chars and starts with one of the known prefixes.
+ * For example, given the line: secretKey='aws_123456789012345678'
+ * 1. It's split into tokens: ['secretKey', 'aws_123456789012345678']
+ * 2. Each token is checked against the regex pattern:
+ *    - 'secretKey' doesn't match (doesn't start with a known prefix)
+ *    - 'aws_123456789012345678' matches (starts with 'aws_' and has sufficient length)
  *
- * @param val env var value
- * @returns boolean
+ * @param line The line of text to check
+ * @param file The file path where this line was found
+ * @param lineNumber The line number in the file
+ * @param omitValuesFromEnhancedScan Optional array of values to exclude from matching
+ * @returns Array of matches found in the line
  */
-function isLikelySecretValue(val) {
-    if (typeof val !== 'string') {
-        return false;
-    }
-    if (val.length < LIKELY_SECRET_MIN_LENGTH) {
-        return false;
-    }
-    if (LIKELY_SECRET_PREFIXES.some((prefix) => val.toLowerCase().startsWith(prefix))) {
-        return true;
+export function findLikelySecrets({ line, file, lineNumber, omitValuesFromEnhancedScan = [], }) {
+    if (!line)
+        return [];
+    const matches = [];
+    let match;
+    const allOmittedValues = [...omitValuesFromEnhancedScan, ...SAFE_LISTED_VALUES];
+    while ((match = likelySecretRegex.exec(line)) !== null) {
+        const token = match.groups?.token;
+        const prefix = match.groups?.prefix;
+        if (!token || !prefix || allOmittedValues.includes(token)) {
+            continue;
+        }
+        matches.push({
+            file,
+            lineNumber,
+            key: prefix,
+            enhancedMatch: true,
+        });
     }
-    return false;
+    return matches;
 }
 /**
  * Given the env and base directory, find all file paths to scan. It will look at the
@@ -167,7 +204,7 @@ const omitPathMatches = (relativePath, omitPaths) => {
  * @param scanArgs {ScanArgs} scan options
  * @returns promise with all of the scan results, if any
  */
-export async function scanFilesForKeyValues({ env, keys, filePaths, base }) {
+export async function scanFilesForKeyValues({ env, keys, filePaths, base, enhancedScanning, omitValuesFromEnhancedScan = [], }) {
     const scanResults = {
         matches: [],
         scannedFilesCount: 0,
@@ -194,7 +231,7 @@ export async function scanFilesForKeyValues({ env, keys, filePaths, base }) {
         const chunkSize = 200;
         const batch = filePaths.splice(0, chunkSize);
         settledPromises = settledPromises.concat(await Promise.allSettled(batch.map((file) => {
-            return searchStream(base, file, keyValues);
+            return searchStream({ basePath: base, file, keyValues, enhancedScanning, omitValuesFromEnhancedScan });
         })));
     }
     settledPromises.forEach((result) => {
@@ -204,7 +241,7 @@ export async function scanFilesForKeyValues({ env, keys, filePaths, base }) {
     });
     return scanResults;
 }
-const searchStream = (basePath, file, keyValues) => {
+const searchStream = ({ basePath, file, keyValues, enhancedScanning, omitValuesFromEnhancedScan = [], }) => {
     return new Promise((resolve, reject) => {
         const filePath = path.resolve(basePath, file);
         const inStream = createReadStream(filePath);
@@ -232,6 +269,9 @@ const searchStream = (basePath, file, keyValues) => {
             // and match what an IDE would show for a line number.
             lineNumber++;
             if (typeof line === 'string') {
+                if (enhancedScanning) {
+                    matches.push(...findLikelySecrets({ line, file, lineNumber, omitValuesFromEnhancedScan }));
+                }
                 if (maxMultiLineCount > 1) {
                     lines.push(line);
                 }
@@ -247,6 +287,7 @@ const searchStream = (basePath, file, keyValues) => {
                             file,
                             lineNumber,
                             key: getKeyForValue(valVariant),
+                            enhancedMatch: false,
                         });
                         return;
                     }
@@ -289,6 +330,7 @@ const searchStream = (basePath, file, keyValues) => {
                                 file,
                                 lineNumber: lineNumber - lines.length + 1,
                                 key: getKeyForValue(valVariant),
+                                enhancedMatch: false,
                             });
                             return;
                         }
@@ -321,12 +363,11 @@ const searchStream = (basePath, file, keyValues) => {
  * @param scanResults
  * @returns
  */
-export function groupScanResultsByKeyAndScanType(scanResults, enhancedScanKeys = []) {
+export function groupScanResultsByKeyAndScanType(scanResults) {
     const secretMatchesByKeys = {};
     const enhancedSecretMatchesByKeys = {};
     scanResults.matches.forEach((matchResult) => {
-        const isEnhancedCheck = enhancedScanKeys.includes(matchResult.key);
-        if (isEnhancedCheck) {
+        if (matchResult.enhancedMatch) {
             if (!enhancedSecretMatchesByKeys[matchResult.key]) {
                 enhancedSecretMatchesByKeys[matchResult.key] = [];
             }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@netlify/build",
-  "version": "33.1.5",
+  "version": "33.2.1",
   "description": "Netlify build module",
   "type": "module",
   "exports": "./lib/index.js",
@@ -69,7 +69,7 @@
     "@bugsnag/js": "^8.0.0",
     "@netlify/blobs": "^8.2.0",
     "@netlify/cache-utils": "^6.0.2",
-    "@netlify/config": "^23.0.5",
+    "@netlify/config": "^23.0.7",
     "@netlify/edge-bundler": "14.0.4",
     "@netlify/framework-info": "^10.0.4",
     "@netlify/functions-utils": "^6.0.6",
@@ -97,7 +97,6 @@
     "map-obj": "^5.0.0",
     "memoize-one": "^6.0.0",
     "minimatch": "^9.0.4",
-    "node-fetch": "^3.3.2",
     "os-name": "^6.0.0",
     "p-event": "^6.0.0",
     "p-every": "^2.0.0",
@@ -159,5 +158,5 @@
   "engines": {
     "node": ">=18.14.0"
   },
-  "gitHead": "8a025075c2e37587bb8e8f91910fd3cbb94b07bf"
+  "gitHead": "f85f7e9a41f2c1698a320402d09072ee04f4dc6d"
 }