@netlify/build 33.2.1 → 33.4.0

package/lib/env/changes.d.ts

@@ -3,4 +3,5 @@ export function getNewEnvChanges(envBefore: any, netlifyConfig: any, netlifyConf
 };
 export function setEnvChanges(envChanges: any, currentEnv?: NodeJS.ProcessEnv): {
     [key: string]: string | undefined;
+    TZ?: string;
 };

package/lib/log/messages/core_steps.d.ts

@@ -15,8 +15,9 @@ export function logFunctionsToBundle({ logs, userFunctions, userFunctionsSrc, us
 }): void;
 export function logSecretsScanSkipMessage(logs: any, msg: any): void;
 export function logSecretsScanSuccessMessage(logs: any, msg: any): void;
-export function logSecretsScanFailBuildMessage({ logs, scanResults, groupedResults }: {
+export function logSecretsScanFailBuildMessage({ logs, scanResults, groupedResults, enhancedScanShouldRunInActiveMode, }: {
     logs: any;
     scanResults: any;
     groupedResults: any;
+    enhancedScanShouldRunInActiveMode: any;
 }): void;

package/lib/log/messages/core_steps.js

@@ -93,11 +93,11 @@ export const logSecretsScanSkipMessage = function (logs, msg) {
 export const logSecretsScanSuccessMessage = function (logs, msg) {
     log(logs, msg, { color: THEME.highlightWords });
 };
-export const logSecretsScanFailBuildMessage = function ({ logs, scanResults, groupedResults }) {
+export const logSecretsScanFailBuildMessage = function ({ logs, scanResults, groupedResults, enhancedScanShouldRunInActiveMode, }) {
     const { secretMatches, enhancedSecretMatches } = groupedResults;
     const secretMatchesKeys = Object.keys(secretMatches);
     const enhancedSecretMatchesKeys = Object.keys(enhancedSecretMatches);
-    logErrorSubHeader(logs, `Scanning complete. ${scanResults.scannedFilesCount} file(s) scanned. Secrets scanning found ${secretMatchesKeys.length} instance(s) of secrets${enhancedSecretMatchesKeys.length > 0 ? ` and ${enhancedSecretMatchesKeys.length} instance(s) of likely secrets` : ''} in build output or repo code.\n`);
+    logErrorSubHeader(logs, `Scanning complete. ${scanResults.scannedFilesCount} file(s) scanned. Secrets scanning found ${secretMatchesKeys.length} instance(s) of secrets${enhancedSecretMatchesKeys.length > 0 && enhancedScanShouldRunInActiveMode ? ` and ${enhancedSecretMatchesKeys.length} instance(s) of likely secrets` : ''} in build output or repo code.\n`);
     // Explicit secret matches
     secretMatchesKeys.forEach((key) => {
         logError(logs, `Secret env var "${key}"'s value detected:`);
@@ -113,20 +113,22 @@ export const logSecretsScanFailBuildMessage = function ({ logs, scanResults, gro
         logError(logs, `\nTo prevent exposing secrets, the build will fail until these secret values are not found in build output or repo files.`);
         logError(logs, `\nIf these are expected, use SECRETS_SCAN_OMIT_PATHS, SECRETS_SCAN_OMIT_KEYS, or SECRETS_SCAN_ENABLED to prevent detecting.`);
     }
-    // Likely secret matches from enhanced scan
-    enhancedSecretMatchesKeys.forEach((key, index) => {
-        logError(logs, `${index === 0 && secretMatchesKeys.length ? '\n' : ''}"${key}***" detected as a likely secret:`);
-        enhancedSecretMatches[key]
-            .sort((a, b) => {
-            return a.file > b.file ? 0 : 1;
-        })
-            .forEach(({ lineNumber, file }) => {
-            logError(logs, `found value at line ${lineNumber} in ${file}`, { indent: true });
+    if (enhancedScanShouldRunInActiveMode) {
+        // Likely secret matches from enhanced scan
+        enhancedSecretMatchesKeys.forEach((key, index) => {
+            logError(logs, `${index === 0 && secretMatchesKeys.length ? '\n' : ''}"${key}***" detected as a likely secret:`);
+            enhancedSecretMatches[key]
+                .sort((a, b) => {
+                return a.file > b.file ? 0 : 1;
+            })
+                .forEach(({ lineNumber, file }) => {
+                logError(logs, `found value at line ${lineNumber} in ${file}`, { indent: true });
+            });
         });
-    });
-    if (enhancedSecretMatchesKeys.length) {
-        logError(logs, `\nTo prevent exposing secrets, the build will fail until these likely secret values are not found in build output or repo files.`);
-        logError(logs, `\nIf these are expected, use ENHANCED_SECRETS_SCAN_OMIT_VALUES, or ENHANCED_SECRETS_SCAN_ENABLED to prevent detecting.`);
+        if (enhancedSecretMatchesKeys.length) {
+            logError(logs, `\nTo prevent exposing secrets, the build will fail until these likely secret values are not found in build output or repo files.`);
+            logError(logs, `\nIf these are expected, use SECRETS_SCAN_SMART_DETECTION_OMIT_VALUES, or SECRETS_SCAN_SMART_DETECTION_ENABLED to prevent detecting.`);
+        }
     }
     logError(logs, `\nFor more information on secrets scanning, see the Netlify Docs: https://ntl.fyi/configure-secrets-scanning`);
 };

package/lib/plugins_core/blobs_upload/index.js

@@ -40,8 +40,7 @@ const coreStep = async function ({ logs, deployId, buildDir, packagePath, consta
         await pMap(blobsToUpload, async ({ key, contentPath, metadataPath }) => {
             systemLog(`Uploading blob ${key}`);
             const { data, metadata } = await getFileWithMetadata(key, contentPath, metadataPath);
-            const arrayBuffer = data.buffer.slice(data.byteOffset, data.byteOffset + data.length);
-            await blobStore.set(key, arrayBuffer, { metadata });
+            await blobStore.set(key, new Blob([data]), { metadata });
         }, { concurrency: 10 });
     }
     catch (err) {

package/lib/plugins_core/dev_blobs_upload/index.js

@@ -47,8 +47,7 @@ const coreStep = async function ({ debug, logs, deployId, buildDir, quiet, packa
                 log(logs, `- Uploading blob ${key}`, { indent: true });
             }
             const { data, metadata } = await getFileWithMetadata(key, contentPath, metadataPath);
-            const arrayBuffer = data.buffer.slice(data.byteOffset, data.byteOffset + data.length);
-            await blobStore.set(key, arrayBuffer, { metadata });
+            await blobStore.set(key, new Blob([data]), { metadata });
         }, { concurrency: 10 });
     }
     catch (err) {

package/lib/plugins_core/secrets_scanning/index.js

@@ -5,10 +5,14 @@ import { logSecretsScanFailBuildMessage, logSecretsScanSkipMessage, logSecretsSc
 import { reportValidations } from '../../status/validations.js';
 import { getFilePathsToScan, getOmitValuesFromEnhancedScanForEnhancedScanFromEnv, getSecretKeysToScanFor, groupScanResultsByKeyAndScanType, isEnhancedSecretsScanningEnabled, isSecretsScanningEnabled, scanFilesForKeyValues, } from './utils.js';
 const tracer = trace.getTracer('secrets-scanning');
-const coreStep = async function ({ buildDir, logs, netlifyConfig, explicitSecretKeys, enhancedSecretScan, systemLog, deployId, api, }) {
+const coreStep = async function ({ buildDir, logs, netlifyConfig, explicitSecretKeys, enhancedSecretScan, featureFlags, systemLog, deployId, api, }) {
     const stepResults = {};
     const passedSecretKeys = (explicitSecretKeys || '').split(',');
     const envVars = netlifyConfig.build.environment;
+    // When the flag is disabled, we may still run the scan if a secrets scan would otherwise take place anyway
+    // In this case, we hide any output to the user and simply gather the information in our logs
+    const enhancedScanShouldRunInActiveMode = featureFlags?.enhanced_secret_scan_impacts_builds ?? false;
+    const useMinimalChunks = featureFlags?.secret_scanning_minimal_chunks;
     systemLog?.({ passedSecretKeys, buildDir });
     if (!isSecretsScanningEnabled(envVars)) {
         logSecretsScanSkipMessage(logs, 'Secrets scanning disabled via SECRETS_SCAN_ENABLED flag set to false.');
@@ -22,16 +26,21 @@ const coreStep = async function ({ buildDir, logs, netlifyConfig, explicitSecret
         log(logs, `SECRETS_SCAN_OMIT_PATHS override option set to: ${envVars['SECRETS_SCAN_OMIT_PATHS']}\n`);
     }
     const enhancedScanningEnabledInEnv = isEnhancedSecretsScanningEnabled(envVars);
-    if (enhancedSecretScan && !enhancedScanningEnabledInEnv) {
-        logSecretsScanSkipMessage(logs, 'Enhanced secrets detection disabled via ENHANCED_SECRETS_SCAN_ENABLED flag set to false.');
+    const enhancedScanConfigured = enhancedSecretScan && enhancedScanningEnabledInEnv;
+    if (enhancedSecretScan && enhancedScanShouldRunInActiveMode && !enhancedScanningEnabledInEnv) {
+        logSecretsScanSkipMessage(logs, 'Enhanced secrets detection disabled via SECRETS_SCAN_SMART_DETECTION_ENABLED flag set to false.');
     }
-    if (enhancedSecretScan &&
-        enhancedScanningEnabledInEnv &&
-        envVars['ENHANCED_SECRETS_SCAN_OMIT_VALUES'] !== undefined) {
-        log(logs, `ENHANCED_SECRETS_SCAN_OMIT_VALUES override option set to: ${envVars['ENHANCED_SECRETS_SCAN_OMIT_VALUES']}\n`);
+    if (enhancedScanShouldRunInActiveMode &&
+        enhancedScanConfigured &&
+        envVars['SECRETS_SCAN_SMART_DETECTION_OMIT_VALUES'] !== undefined) {
+        log(logs, `SECRETS_SCAN_SMART_DETECTION_OMIT_VALUES override option set to: ${envVars['SECRETS_SCAN_SMART_DETECTION_OMIT_VALUES']}\n`);
     }
     const keysToSearchFor = getSecretKeysToScanFor(envVars, passedSecretKeys);
-    if (keysToSearchFor.length === 0 && !enhancedSecretScan) {
+    // In passive mode, only run the enhanced scan if we have explicit secret keys
+    const enhancedScanShouldRun = enhancedScanShouldRunInActiveMode
+        ? enhancedScanConfigured
+        : enhancedScanConfigured && keysToSearchFor.length > 0;
+    if (keysToSearchFor.length === 0 && !enhancedScanShouldRun) {
         logSecretsScanSkipMessage(logs, 'Secrets scanning skipped because no env vars marked as secret are set to non-empty/non-trivial values or they are all omitted with SECRETS_SCAN_OMIT_KEYS env var setting.');
         return stepResults;
     }
@@ -52,8 +61,9 @@ const coreStep = async function ({ buildDir, logs, netlifyConfig, explicitSecret
             keys: keysToSearchFor,
             base: buildDir,
             filePaths,
-            enhancedScanning: enhancedSecretScan && enhancedScanningEnabledInEnv,
+            enhancedScanning: enhancedScanShouldRun,
             omitValuesFromEnhancedScan: getOmitValuesFromEnhancedScanForEnhancedScanFromEnv(envVars),
+            useMinimalChunks,
         });
         secretMatches = scanResults.matches.filter((match) => !match.enhancedMatch);
         enhancedSecretMatches = scanResults.matches.filter((match) => match.enhancedMatch);
@@ -65,7 +75,8 @@ const coreStep = async function ({ buildDir, logs, netlifyConfig, explicitSecret
             secretsFilesCount: scanResults.scannedFilesCount,
             keysToSearchFor,
             enhancedPrefixMatches: enhancedSecretMatches.length ? enhancedSecretMatches.map((match) => match.key) : [],
-            enhancedScanning: enhancedSecretScan && enhancedScanningEnabledInEnv,
+            enhancedScanning: enhancedScanShouldRun,
+            enhancedScanActiveMode: enhancedScanShouldRunInActiveMode,
         };
         systemLog?.(attributesForLogsAndSpan);
         span.setAttributes(attributesForLogsAndSpan);
@@ -75,11 +86,13 @@ const coreStep = async function ({ buildDir, logs, netlifyConfig, explicitSecret
         const secretScanResult = {
             scannedFilesCount: scanResults?.scannedFilesCount ?? 0,
             secretsScanMatches: secretMatches ?? [],
-            enhancedSecretsScanMatches: enhancedSecretMatches ?? [],
+            enhancedSecretsScanMatches: enhancedScanShouldRunInActiveMode && enhancedSecretMatches ? enhancedSecretMatches : [],
         };
         reportValidations({ api, secretScanResult, deployId, systemLog });
     }
-    if (!scanResults || scanResults.matches.length === 0) {
+    if (!scanResults ||
+        scanResults.matches.length === 0 ||
+        (!enhancedScanShouldRunInActiveMode && !secretMatches?.length)) {
         logSecretsScanSuccessMessage(logs, `Secrets scanning complete. ${scanResults?.scannedFilesCount} file(s) scanned. No secrets detected in build output or repo code!`);
         return stepResults;
     }
@@ -89,6 +102,7 @@ const coreStep = async function ({ buildDir, logs, netlifyConfig, explicitSecret
         logs,
         scanResults,
         groupedResults: groupScanResultsByKeyAndScanType(scanResults),
+        enhancedScanShouldRunInActiveMode,
     });
     const error = new Error(`Secrets scanning found secrets in build.`);
     addErrorInfo(error, { type: 'secretScanningFoundSecrets' });

package/lib/plugins_core/secrets_scanning/utils.d.ts

@@ -9,6 +9,7 @@ interface ScanArgs {
     filePaths: string[];
     enhancedScanning?: boolean;
     omitValuesFromEnhancedScan?: unknown[];
+    useMinimalChunks: boolean;
 }
 interface MatchResult {
     lineNumber: number;
@@ -49,32 +50,34 @@ export declare function getOmitValuesFromEnhancedScanForEnhancedScanFromEnv(env:
  */
 export declare function getSecretKeysToScanFor(env: Record<string, unknown>, secretKeys: string[]): string[];
 /**
- * Checks a line of text for likely secrets based on known prefixes and patterns.
+ * Checks a chunk of text for likely secrets based on known prefixes and patterns.
  * The function works by:
- * 1. Splitting the line into tokens using quotes, whitespace, equals signs, colons, and commas as delimiters
+ * 1. Splitting the chunk into tokens using quotes, whitespace, equals signs, colons, and commas as delimiters
  * 2. For each token, checking if it matches our secret pattern:
  *    - Must start (^) with one of our known prefixes (e.g. aws_, github_pat_, etc)
  *    - Must be followed by at least MIN_CHARS_AFTER_PREFIX non-whitespace characters
  *    - Must extend to the end ($) of the token
  *
- * For example, given the line: secretKey='aws_123456789012345678'
+ * For example, given the chunk: secretKey='aws_123456789012345678'
  * 1. It's split into tokens: ['secretKey', 'aws_123456789012345678']
  * 2. Each token is checked against the regex pattern:
  *    - 'secretKey' doesn't match (doesn't start with a known prefix)
  *    - 'aws_123456789012345678' matches (starts with 'aws_' and has sufficient length)
  *
- * @param line The line of text to check
- * @param file The file path where this line was found
- * @param lineNumber The line number in the file
- * @param omitValuesFromEnhancedScan Optional array of values to exclude from matching
- * @returns Array of matches found in the line
  */
-export declare function findLikelySecrets({ line, file, lineNumber, omitValuesFromEnhancedScan, }: {
-    line: string;
-    file: string;
-    lineNumber: number;
+export declare function findLikelySecrets({ text, omitValuesFromEnhancedScan, }: {
+    /**
+     * Text to check
+     */
+    text: string;
+    /**
+     * Optional array of values to exclude from matching
+     */
     omitValuesFromEnhancedScan?: unknown[];
-}): MatchResult[];
+}): {
+    index: number;
+    prefix: string;
+}[];
 /**
  * Given the env and base directory, find all file paths to scan. It will look at the
  * env vars to decide if it should omit certain paths.
@@ -95,7 +98,7 @@ export declare function getFilePathsToScan({ env, base }: {
  * @param scanArgs {ScanArgs} scan options
  * @returns promise with all of the scan results, if any
  */
-export declare function scanFilesForKeyValues({ env, keys, filePaths, base, enhancedScanning, omitValuesFromEnhancedScan, }: ScanArgs): Promise<ScanResults>;
+export declare function scanFilesForKeyValues({ env, keys, filePaths, base, enhancedScanning, omitValuesFromEnhancedScan, useMinimalChunks, }: ScanArgs): Promise<ScanResults>;
 /**
  * ScanResults are all of the finds for all keys and their disparate locations. Scanning is
  * async in streams so order can change a lot. Some matches are the result of an env var explictly being marked as secret,

package/lib/plugins_core/secrets_scanning/utils.js

@@ -21,7 +21,7 @@ export function isSecretsScanningEnabled(env) {
  * @returns
  */
 export function isEnhancedSecretsScanningEnabled(env) {
-    if (env.ENHANCED_SECRETS_SCAN_ENABLED === false || env.ENHANCED_SECRETS_SCAN_ENABLED === 'false') {
+    if (env.SECRETS_SCAN_SMART_DETECTION_ENABLED === false || env.SECRETS_SCAN_SMART_DETECTION_ENABLED === 'false') {
         return false;
     }
     return true;
@@ -37,7 +37,7 @@ export function getStringArrayFromEnvValue(env, envVarName) {
     return omitKeys;
 }
 export function getOmitValuesFromEnhancedScanForEnhancedScanFromEnv(env) {
-    return getStringArrayFromEnvValue(env, 'ENHANCED_SECRETS_SCAN_OMIT_VALUES');
+    return getStringArrayFromEnvValue(env, 'SECRETS_SCAN_SMART_DETECTION_OMIT_VALUES');
 }
 function filterOmittedKeys(env, envKeys = []) {
     const omitKeys = getStringArrayFromEnvValue(env, 'SECRETS_SCAN_OMIT_KEYS');
@@ -84,61 +84,78 @@ export function getSecretKeysToScanFor(env, secretKeys) {
     const filteredSecretKeys = filterOmittedKeys(env, secretKeys);
     return filteredSecretKeys.filter((key) => !isValueTrivial(env[key]));
 }
+const getShannonEntropy = (str) => {
+    const len = str.length;
+    if (len === 0)
+        return 0;
+    const freqMap = {};
+    for (const char of str) {
+        freqMap[char] = (freqMap[char] || 0) + 1;
+    }
+    let entropy = 0;
+    for (const char in freqMap) {
+        const p = freqMap[char] / len;
+        entropy -= p * Math.log2(p);
+    }
+    return entropy;
+};
+const HIGH_ENTROPY_THRESHOLD = 4.5;
+const doesEntropyMeetThresholdForSecret = (str) => {
+    const entropy = getShannonEntropy(str);
+    return entropy >= HIGH_ENTROPY_THRESHOLD;
+};
 // Most prefixes are 4-5 chars, so requiring 12 chars after ensures a reasonable secret length
 const MIN_CHARS_AFTER_PREFIX = 12;
 // Escape special regex characters (like $, *, +, etc) in prefixes so they're treated as literal characters
 const prefixMatchingRegex = LIKELY_SECRET_PREFIXES.map((p) => p.replace(/[$*+?.()|[\]{}]/g, '\\$&')).join('|');
 // Build regex pattern for matching secrets with various delimiters and quotes:
-// (?:["'`]|^|[=:,]) - match either quotes, start of line, or delimiters (=:,) at the start
+// (?:["'\`]|[=]) - match either quotes, or = at the start
 // Named capturing groups:
 //   - <token>: captures the entire secret value including its prefix
 //   - <prefix>: captures just the prefix part (e.g. 'aws_', 'github_pat_')
 // (?:${prefixMatchingRegex}) - non-capturing group containing our escaped prefixes (e.g. aws_|github_pat_|etc)
-// [^ "'`=:,]{${MIN_CHARS_AFTER_PREFIX}} - match exactly MIN_CHARS_AFTER_PREFIX chars after the prefix
-// [^ "'`=:,]*? - lazily match any additional chars that aren't quotes/delimiters
-// (?:["'`]|[ =:,]|$) - end with either quotes, delimiters, whitespace, or end of line
+// [a-zA-Z0-9-]{${MIN_CHARS_AFTER_PREFIX}} - match exactly MIN_CHARS_AFTER_PREFIX chars (alphanumeric or dash) after the prefix
+// [a-zA-Z0-9-]*? - lazily match any additional chars (alphanumeric or dash)
+// (?:["'\`]|$) - end with either quotes or end of line
 // gi - global and case insensitive flags
 // Note: Using the global flag (g) means this regex object maintains state between executions.
 // We would need to reset lastIndex to 0 if we wanted to reuse it on the same string multiple times.
-const likelySecretRegex = new RegExp(`(?:["'\`]|^|[=:,]) *(?<token>(?<prefix>${prefixMatchingRegex})[^ "'\`=:,]{${MIN_CHARS_AFTER_PREFIX}}[^ "'\`=:,]*?)(?:["'\`]|[ =:,]|$)`, 'gi');
+const likelySecretRegex = new RegExp(`(?:["'\`]|[=]) *(?<token>(?<prefix>${prefixMatchingRegex})[a-zA-Z0-9-]{${MIN_CHARS_AFTER_PREFIX}}[a-zA-Z0-9-]*?)(?:["'\`]|$)`, 'gi');
 /**
- * Checks a line of text for likely secrets based on known prefixes and patterns.
+ * Checks a chunk of text for likely secrets based on known prefixes and patterns.
  * The function works by:
- * 1. Splitting the line into tokens using quotes, whitespace, equals signs, colons, and commas as delimiters
+ * 1. Splitting the chunk into tokens using quotes, whitespace, equals signs, colons, and commas as delimiters
  * 2. For each token, checking if it matches our secret pattern:
  *    - Must start (^) with one of our known prefixes (e.g. aws_, github_pat_, etc)
  *    - Must be followed by at least MIN_CHARS_AFTER_PREFIX non-whitespace characters
  *    - Must extend to the end ($) of the token
  *
- * For example, given the line: secretKey='aws_123456789012345678'
+ * For example, given the chunk: secretKey='aws_123456789012345678'
  * 1. It's split into tokens: ['secretKey', 'aws_123456789012345678']
  * 2. Each token is checked against the regex pattern:
  *    - 'secretKey' doesn't match (doesn't start with a known prefix)
  *    - 'aws_123456789012345678' matches (starts with 'aws_' and has sufficient length)
  *
- * @param line The line of text to check
- * @param file The file path where this line was found
- * @param lineNumber The line number in the file
- * @param omitValuesFromEnhancedScan Optional array of values to exclude from matching
- * @returns Array of matches found in the line
  */
-export function findLikelySecrets({ line, file, lineNumber, omitValuesFromEnhancedScan = [], }) {
-    if (!line)
+export function findLikelySecrets({ text, omitValuesFromEnhancedScan = [], }) {
+    if (!text)
         return [];
     const matches = [];
     let match;
     const allOmittedValues = [...omitValuesFromEnhancedScan, ...SAFE_LISTED_VALUES];
-    while ((match = likelySecretRegex.exec(line)) !== null) {
+    while ((match = likelySecretRegex.exec(text)) !== null) {
         const token = match.groups?.token;
         const prefix = match.groups?.prefix;
         if (!token || !prefix || allOmittedValues.includes(token)) {
             continue;
         }
+        // Despite the prefix, the string does not look random enough to be convinced it's a secret
+        if (!doesEntropyMeetThresholdForSecret(token)) {
+            continue;
+        }
         matches.push({
-            file,
-            lineNumber,
-            key: prefix,
-            enhancedMatch: true,
+            prefix,
+            index: match.index,
         });
     }
     return matches;
@@ -204,7 +221,7 @@ const omitPathMatches = (relativePath, omitPaths) => {
  * @param scanArgs {ScanArgs} scan options
  * @returns promise with all of the scan results, if any
  */
-export async function scanFilesForKeyValues({ env, keys, filePaths, base, enhancedScanning, omitValuesFromEnhancedScan = [], }) {
+export async function scanFilesForKeyValues({ env, keys, filePaths, base, enhancedScanning, omitValuesFromEnhancedScan = [], useMinimalChunks = false, }) {
     const scanResults = {
         matches: [],
         scannedFilesCount: 0,
@@ -225,6 +242,7 @@ export async function scanFilesForKeyValues({ env, keys, filePaths, base, enhanc
     }, {});
     scanResults.scannedFilesCount = filePaths.length;
     let settledPromises = [];
+    const searchStream = useMinimalChunks ? searchStreamMinimalChunks : searchStreamReadline;
     // process the scanning in batches to not run into memory issues by
     // processing all files at the same time.
     while (filePaths.length > 0) {
@@ -241,7 +259,10 @@ export async function scanFilesForKeyValues({ env, keys, filePaths, base, enhanc
     });
     return scanResults;
 }
-const searchStream = ({ basePath, file, keyValues, enhancedScanning, omitValuesFromEnhancedScan = [], }) => {
+/**
+ * Search stream implementation using node:readline
+ */
+const searchStreamReadline = ({ basePath, file, keyValues, enhancedScanning, omitValuesFromEnhancedScan = [], }) => {
     return new Promise((resolve, reject) => {
         const filePath = path.resolve(basePath, file);
         const inStream = createReadStream(filePath);
@@ -270,7 +291,12 @@ const searchStream = ({ basePath, file, keyValues, enhancedScanning, omitValuesF
             lineNumber++;
             if (typeof line === 'string') {
                 if (enhancedScanning) {
-                    matches.push(...findLikelySecrets({ line, file, lineNumber, omitValuesFromEnhancedScan }));
+                    matches.push(...findLikelySecrets({ text: line, omitValuesFromEnhancedScan }).map(({ prefix }) => ({
+                        key: prefix,
+                        file,
+                        lineNumber,
+                        enhancedMatch: true,
+                    })));
                 }
                 if (maxMultiLineCount > 1) {
                     lines.push(line);
@@ -352,6 +378,184 @@ const searchStream = ({ basePath, file, keyValues, enhancedScanning, omitValuesF
         });
     });
 };
+/**
+ * Search stream implementation using just read stream that allows to buffer less content
+ */
+const searchStreamMinimalChunks = ({ basePath, file, keyValues, enhancedScanning, omitValuesFromEnhancedScan = [], }) => {
+    return new Promise((resolve, reject) => {
+        const matches = [];
+        const keyVals = [].concat(...Object.values(keyValues));
+        // determine longest value that we will search for - needed to determine minimal size of rolling buffer
+        const maxValLength = Math.max(0, 
+        // explicit secrets
+        ...keyVals.map((v) => v.length), ...(enhancedScanning
+            ? [
+                // omitted likely secrets (after finding likely secret we check if it should be omitted, so we need to capture at least size of omitted values)
+                ...omitValuesFromEnhancedScan.map((v) => (typeof v === 'string' ? v.length : 0)),
+                // minimum length needed to find likely secret
+                ...LIKELY_SECRET_PREFIXES.map((v) => v.length + MIN_CHARS_AFTER_PREFIX),
+            ]
+            : []));
+        if (maxValLength === 0) {
+            // no non-empty values to scan for
+            resolve(matches);
+            return;
+        }
+        const filePath = path.resolve(basePath, file);
+        const inStream = createReadStream(filePath);
+        function getKeyForValue(val) {
+            let key = '';
+            for (const [secretKeyName, valuePermutations] of Object.entries(keyValues)) {
+                if (valuePermutations.includes(val)) {
+                    key = secretKeyName;
+                }
+            }
+            return key;
+        }
+        let buffer = '';
+        let newLinesIndexesInCurrentBuffer = null;
+        function getCurrentBufferNewLineIndexes() {
+            if (newLinesIndexesInCurrentBuffer === null) {
+                newLinesIndexesInCurrentBuffer = [];
+                let newLineIndex = -1;
+                while ((newLineIndex = buffer.indexOf('\n', newLineIndex + 1)) !== -1) {
+                    newLinesIndexesInCurrentBuffer.push(newLineIndex);
+                }
+            }
+            return newLinesIndexesInCurrentBuffer;
+        }
+        /**
+         * Amount of characters that were fully processed. Used to determine absolute position of current rolling buffer
+         * in the file.
+         */
+        let processedCharacters = 0;
+        /**
+         * Amount of lines that were fully processed. Used to determine absolute line number of matches in current rolling buffer.
+         */
+        let processedLines = 0;
+        /**
+         * Map keeping track of found secrets in current file. Used to prevent reporting same secret+position multiple times.
+         * Needed because rolling buffer might retain same secret in multiple passes.
+         */
+        const foundIndexes = new Map();
+        /**
+         * We report given secret at most once per line, so we keep track lines we already reported for given secret.
+         */
+        const foundLines = new Map();
+        /**
+         * Calculate absolute line number in a file for given match in the current rolling buffer.
+         */
+        function getLineNumberForMatchInTheBuffer({ indexInBuffer, key }) {
+            const absolutePositionInFile = processedCharacters + indexInBuffer;
+            // check if we already handled match for given key in this position
+            let foundIndexesForKey = foundIndexes.get(key);
+            if (!foundIndexesForKey?.has(absolutePositionInFile)) {
+                // ensure we track match for this key and position to not report it again in future passes
+                if (!foundIndexesForKey) {
+                    foundIndexesForKey = new Set();
+                    foundIndexes.set(key, foundIndexesForKey);
+                }
+                foundIndexesForKey.add(absolutePositionInFile);
+                // calculate line number based on amount of fully processed lines and position of line breaks in current buffer
+                let lineNumber = processedLines + 1;
+                for (const newLineIndex of getCurrentBufferNewLineIndexes()) {
+                    if (indexInBuffer > newLineIndex) {
+                        lineNumber++;
+                    }
+                    else {
+                        break;
+                    }
+                }
+                // check if we already handled match for given key in this line
+                let foundLinesForKey = foundLines.get(key);
+                if (!foundLinesForKey?.has(lineNumber)) {
+                    if (!foundLinesForKey) {
+                        foundLinesForKey = new Set();
+                        foundLines.set(key, foundLinesForKey);
+                    }
+                    foundLinesForKey.add(lineNumber);
+                    // only report line number if we didn't report it yet for this key
+                    return lineNumber;
+                }
+            }
+        }
+        function processBuffer() {
+            for (const valVariant of keyVals) {
+                let indexInBuffer = -1;
+                while ((indexInBuffer = buffer.indexOf(valVariant, indexInBuffer + 1)) !== -1) {
+                    const key = getKeyForValue(valVariant);
+                    const lineNumber = getLineNumberForMatchInTheBuffer({
+                        indexInBuffer,
+                        key,
+                    });
+                    if (typeof lineNumber === 'number') {
+                        matches.push({
+                            file,
+                            lineNumber,
+                            key,
+                            enhancedMatch: false,
+                        });
+                    }
+                }
+            }
+            if (enhancedScanning) {
+                const likelySecrets = findLikelySecrets({ text: buffer, omitValuesFromEnhancedScan });
+                for (const { index, prefix } of likelySecrets) {
+                    const lineNumber = getLineNumberForMatchInTheBuffer({
+                        indexInBuffer: index,
+                        key: prefix,
+                    });
+                    if (typeof lineNumber === 'number') {
+                        matches.push({
+                            file,
+                            lineNumber,
+                            key: prefix,
+                            enhancedMatch: true,
+                        });
+                    }
+                }
+            }
+        }
+        inStream.on('data', function (chunk) {
+            buffer += chunk.toString();
+            // reset new line positions in current buffer
+            newLinesIndexesInCurrentBuffer = null;
+            if (buffer.length > maxValLength) {
+                // only process if buffer is large enough to contain longest secret, if final chunk isn't large enough
+                // it will be processed in `close` event handler
+                processBuffer();
+                // we will keep maxValLength characters in the buffer, surplus of characters at this point is fully processed
+                const charactersInBufferThatWereFullyProcessed = buffer.length - maxValLength;
+                processedCharacters += charactersInBufferThatWereFullyProcessed;
+                // advance processed lines
+                for (const newLineIndex of getCurrentBufferNewLineIndexes()) {
+                    if (newLineIndex < charactersInBufferThatWereFullyProcessed) {
+                        processedLines++;
+                    }
+                    else {
+                        break;
+                    }
+                }
+                // Keep the last part of the buffer to handle split values across chunks
+                buffer = buffer.slice(charactersInBufferThatWereFullyProcessed);
+            }
+        });
+        inStream.on('error', function (error) {
+            if (error?.code === 'EISDIR') {
+                // file path is a directory - do nothing
+                resolve(matches);
+            }
+            else {
+                reject(error);
+            }
+        });
+        inStream.on('close', function () {
+            // process any remaining buffer content
+            processBuffer();
+            resolve(matches);
+        });
+    });
+};
 /**
  * ScanResults are all of the finds for all keys and their disparate locations. Scanning is
  * async in streams so order can change a lot. Some matches are the result of an env var explictly being marked as secret,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@netlify/build",
-  "version": "33.2.1",
+  "version": "33.4.0",
   "description": "Netlify build module",
   "type": "module",
   "exports": "./lib/index.js",
@@ -67,17 +67,17 @@
   "license": "MIT",
   "dependencies": {
     "@bugsnag/js": "^8.0.0",
-    "@netlify/blobs": "^8.2.0",
-    "@netlify/cache-utils": "^6.0.2",
-    "@netlify/config": "^23.0.7",
-    "@netlify/edge-bundler": "14.0.4",
+    "@netlify/blobs": "^9.1.3",
+    "@netlify/cache-utils": "^6.0.3",
+    "@netlify/config": "^23.0.8",
+    "@netlify/edge-bundler": "14.0.5",
     "@netlify/framework-info": "^10.0.4",
-    "@netlify/functions-utils": "^6.0.6",
-    "@netlify/git-utils": "^6.0.1",
-    "@netlify/opentelemetry-utils": "^2.0.0",
+    "@netlify/functions-utils": "^6.0.7",
+    "@netlify/git-utils": "^6.0.2",
+    "@netlify/opentelemetry-utils": "^2.0.1",
     "@netlify/plugins-list": "^6.80.0",
-    "@netlify/run-utils": "^6.0.1",
-    "@netlify/zip-it-and-ship-it": "12.1.0",
+    "@netlify/run-utils": "^6.0.2",
+    "@netlify/zip-it-and-ship-it": "12.1.1",
     "@sindresorhus/slugify": "^2.0.0",
     "ansi-escapes": "^7.0.0",
     "chalk": "^5.0.0",
@@ -86,7 +86,7 @@
     "fdir": "^6.0.1",
     "figures": "^6.0.0",
     "filter-obj": "^6.0.0",
-    "got": "^12.0.0",
+    "got": "^13.0.0",
     "hot-shots": "10.2.1",
     "indent-string": "^5.0.0",
     "is-plain-obj": "^4.0.0",
@@ -125,20 +125,20 @@
     "yargs": "^17.6.0"
   },
   "devDependencies": {
-    "@netlify/nock-udp": "^5.0.0",
+    "@netlify/nock-udp": "^5.0.1",
     "@opentelemetry/api": "~1.8.0",
     "@opentelemetry/sdk-trace-base": "~1.24.0",
-    "@types/node": "^14.18.53",
+    "@types/node": "^18.0.0",
     "atob": "^2.1.2",
     "ava": "^5.0.0",
     "c8": "^10.0.0",
     "copyfiles": "^2.4.1",
     "cpy": "^11.0.0",
-    "get-node": "^12.0.0",
+    "get-node": "^14.2.1",
     "get-port": "^7.0.0",
     "has-ansi": "^6.0.0",
     "moize": "^6.0.0",
-    "npm-run-all2": "^5.0.0",
+    "npm-run-all2": "^6.0.0",
     "process-exists": "^5.0.0",
     "sinon": "^20.0.0",
     "tmp-promise": "^3.0.2",
@@ -158,5 +158,5 @@
   "engines": {
     "node": ">=18.14.0"
   },
-  "gitHead": "f85f7e9a41f2c1698a320402d09072ee04f4dc6d"
+  "gitHead": "5289c05c1991824b24e3a8c38c8457bdc5534046"
 }