@open_harness/secretlens 0.1.0

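--- a/package/README.md
+++ b/package/README.md
@@ -0,0 +1,77 @@
+# @open_harness/secretlens
+
+Secret and credential detector for any codebase. Scans source files for hardcoded AWS keys, GitHub tokens, PEM private keys, JWTs, and generic credential assignments. Single native binary, zero runtime dependencies, works in any language ecosystem.
+
+Part of the [open-harness](https://github.com/artiko00/open-harness) monorepo.
+
+## Install
+
+```bash
+npm install --save-dev @open_harness/secretlens
+```
+
+The right native binary for your platform (Linux x64, macOS arm64, macOS x64, Windows x64) is downloaded automatically via `optionalDependencies`.
+
+## Usage
+
+```bash
+npx secretlens check # scan current directory
+npx secretlens check --fail # exit 1 if secrets found (git hooks / CI)
+npx secretlens check --dir ./src # scan a specific directory
+npx secretlens check --no-color # plain output for logs
+npx secretlens init # generate a default secretlens.json
+npx secretlens version # print version
+```
+
+## Built-in patterns
+
+| Pattern | Severity |
+|---|---|
+| AWS Access Key ID (`AKIA…`) | critical |
+| AWS Secret Access Key | critical |
+| GitHub Personal Access Token (`ghp_…`) | critical |
+| GitHub Fine-Grained Token (`github_pat_…`) | critical |
+| PEM Private Key (`-----BEGIN … PRIVATE KEY`) | critical |
+| JWT Token | high |
+| Generic `secret/password/api_key` assignment | high |
+| Generic `token/bearer` assignment | medium |
+
+## Configuration
+
+Place a `secretlens.json` at the repo root:
+
+```json
+{
+"patterns": [],
+"allowlist": ["example", "placeholder", "your_key_here", "changeme"],
+"exclude": ["node_modules", "vendor", ".git", "dist"]
+}
+```
+
+- `patterns: []` uses the 8 built-in patterns. Override the array to add custom regexes.
+- `allowlist` skips any line containing the listed strings (case-insensitive) — useful to suppress false positives in docs or examples.
+- `exclude` skips matching directories entirely.
+
+## Husky / lefthook / CI integration
+
+```bash
+# .husky/pre-commit
+npx secretlens check --fail
+```
+
+```yaml
+# .github/workflows/security.yml
+- name: Scan for hardcoded secrets
+run: npx @open_harness/secretlens check --fail
+```
+
+## Exit codes
+
+| Code | Meaning |
+|---|---|
+| `0` | No secrets detected (or `--fail` not passed) |
+| `1` | Secrets found and `--fail` was passed, or config error |
+
+## License
+
+MIT — see the [main repository](https://github.com/artiko00/open-harness).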
@@ -0,0 +1,45 @@
1
+ #!/usr/bin/env node
2
+ 'use strict';
3
+
4
+ const { execFileSync } = require('child_process');
5
+ const path = require('path');
6
+ const os = require('os');
7
+
8
+ const PLATFORMS = {
9
+ 'linux-x64': '@open_harness/secretlens-linux-x64',
10
+ 'darwin-arm64': '@open_harness/secretlens-darwin-arm64',
11
+ 'darwin-x64': '@open_harness/secretlens-darwin-x64',
12
+ 'win32-x64': '@open_harness/secretlens-win32-x64',
13
+ };
14
+
15
+ function getBinaryPath() {
16
+ const platform = `${os.platform()}-${os.arch()}`;
17
+ const pkg = PLATFORMS[platform];
18
+
19
+ if (!pkg) {
20
+ throw new Error(`secretlens: plataforma no soportada: ${platform}`);
21
+ }
22
+
23
+ try {
24
+ const pkgDir = path.dirname(require.resolve(`${pkg}/package.json`));
25
+ const ext = os.platform() === 'win32' ? '.exe' : '';
26
+ return path.join(pkgDir, 'bin', `secretlens${ext}`);
27
+ } catch {
28
+ throw new Error(
29
+ `secretlens: paquete de plataforma "${pkg}" no instalado.\n` +
30
+ `Intenta: npm install --save-dev @open_harness/secretlens`
31
+ );
32
+ }
33
+ }
34
+
35
+ try {
36
+ const bin = getBinaryPath();
37
+ const args = process.argv.slice(2);
38
+ execFileSync(bin, args, { stdio: 'inherit' });
39
+ } catch (err) {
40
+ if (err.status !== undefined) {
41
+ process.exit(err.status);
42
+ }
43
+ console.error(err.message);
44
+ process.exit(1);
45
+ }
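Review bot: The catch block at the end of the file treats any `err.status` other than `undefined` as an exit code, but `execFileSync` reports `status: null` when the child is killed by a signal or cannot be spawned at all, so `process.exit(null)` runs and the wrapper exits 0 without printing anything. For a `check --fail` gate in a pre-commit hook or CI job that is a fail-open: a missing, non-executable or crashed binary is indistinguishable from "no secrets detected". Changing the guard to `if (typeof err.status === 'number') {` lets those cases fall through to the existing `console.error(err.message)` and `process.exit(1)` lines.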
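--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,30 @@
+{
+"name": "@open_harness/secretlens",
+"version": "0.1.0",
+"description": "Secret and credential detector for any language — works with Husky, CI, and any git hook system",
+"keywords": [
+"security",
+"secrets",
+"linter",
+"husky",
+"git-hooks",
+"credentials"
+],
+"homepage": "https://github.com/artiko00/open-harness",
+"license": "MIT",
+"bin": {
+"secretlens": "bin/secretlens.js"
+},
+"scripts": {
+"test": "node bin/secretlens.js version"
+},
+"optionalDependencies": {
+"@open_harness/secretlens-linux-x64": "0.1.0",
+"@open_harness/secretlens-darwin-arm64": "0.1.0",
+"@open_harness/secretlens-darwin-x64": "0.1.0",
+"@open_harness/secretlens-win32-x64": "0.1.0"
+},
+"engines": {
+"node": ">=16"
+}
+}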
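Review bot: The manifest declares a `homepage` but no `repository` field, so the registry entry carries no machine-readable link to the source tree it was built from, even though this package exists to run a native binary pulled in through the four `optionalDependencies`. Adding `"repository": "github:artiko00/open-harness"` (the same location as `homepage`) would give consumers and provenance tooling something to check the published artifact against. The exact `0.1.0` pins on the platform packages are worth keeping exact rather than loosening to ranges, since a range would let a later platform release change the executed binary without a change to this wrapper.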