@preship/secrets 1.0.0 → 1.0.2

package/dist/index.js

@@ -417,14 +417,17 @@ var genericRules = [
     keywords: [],
     // No keyword prefilter; this rule is opt-in via entropy threshold
     pattern: /[A-Za-z0-9+/]{40,}={0,2}/,
-    entropyThreshold: 4.5,
+    entropyThreshold: 5.5,
+    // Raised from 4.5 — base64 is naturally ~5.0-5.5 entropy, so only truly random strings pass
     allowPatterns: [
       /^[A-Z]+$/,
       // All uppercase (likely a constant name)
       /^[a-z]+$/,
       // All lowercase (likely a word)
-      /[A-Za-z]{40,}/
+      /[A-Za-z]{40,}/,
       // Long alphabetic-only strings are typically not secrets
+      /={2}$/
+      // Strings ending with == are typically short padded data (hashes, encoded values), not secrets
     ]
   },
   {
@@ -434,12 +437,17 @@ var genericRules = [
     keywords: [],
     // No keyword prefilter; this rule is opt-in via entropy threshold
     pattern: /[0-9a-fA-F]{40,}/,
-    entropyThreshold: 3,
+    entropyThreshold: 3.5,
+    // Raised from 3.0 — git commit hashes and content hashes typically hit 3.0-3.5
     allowPatterns: [
       /^0{10,}$/,
       // All zeros (placeholder/null hash)
-      /^[fF]{10,}$/
+      /^[fF]{10,}$/,
       // All f's (mask value)
+      /^[0-9a-f]{40}$/,
+      // Exactly 40 hex chars = git SHA1 commit hash (not a secret)
+      /^[0-9a-f]{64}$/
+      // Exactly 64 hex chars = SHA256 hash (integrity check, not a secret)
     ]
   }
 ];
@@ -483,6 +491,7 @@ var SKIP_DIRS = /* @__PURE__ */ new Set([
   ".output"
 ]);
 var SKIP_EXTENSIONS = /* @__PURE__ */ new Set([
+  // Images
   ".png",
   ".jpg",
   ".jpeg",
@@ -492,11 +501,13 @@ var SKIP_EXTENSIONS = /* @__PURE__ */ new Set([
   ".webp",
   ".bmp",
   ".tiff",
+  // Fonts
   ".woff",
   ".woff2",
   ".ttf",
   ".eot",
   ".otf",
+  // Documents & archives
   ".pdf",
   ".zip",
   ".tar",
@@ -507,6 +518,7 @@ var SKIP_EXTENSIONS = /* @__PURE__ */ new Set([
   ".rar",
   ".jar",
   ".war",
+  // Binaries
   ".exe",
   ".dll",
   ".so",
@@ -518,18 +530,33 @@ var SKIP_EXTENSIONS = /* @__PURE__ */ new Set([
   ".pyc",
   ".pyo",
   ".wasm",
+  // Media
   ".mp3",
   ".mp4",
   ".avi",
   ".mov",
   ".mkv",
   ".flac",
-  ".wav"
+  ".wav",
+  // Source maps (contain base64 noise, not real secrets)
+  ".map",
+  // Data files
+  ".sqlite",
+  ".db"
 ]);
-var ALLOWED_LOCKFILES = /* @__PURE__ */ new Set([
+var SKIP_FILENAMES = /* @__PURE__ */ new Set([
   "package-lock.json",
   "yarn.lock",
-  "pnpm-lock.yaml"
+  "pnpm-lock.yaml",
+  "npm-shrinkwrap.json",
+  "composer.lock",
+  "Gemfile.lock",
+  "Cargo.lock",
+  "poetry.lock",
+  "Pipfile.lock",
+  // PreShip internal files (encrypted cache + key)
+  ".preship-cache.json",
+  ".preship-key"
 ]);
 var MAX_FILE_SIZE = 1048576;
 function walkProjectFiles(projectPath, allowPaths, scanPaths) {
@@ -571,7 +598,13 @@ function walkDirectory(rootPath, relativePath, files, allowPaths, scanPaths) {
       if (SKIP_EXTENSIONS.has(ext)) {
         continue;
       }
-      if (ext === ".lock" && !ALLOWED_LOCKFILES.has(entry.name)) {
+      if (SKIP_FILENAMES.has(entry.name)) {
+        continue;
+      }
+      if (ext === ".lock") {
+        continue;
+      }
+      if (entry.name.endsWith(".min.js") || entry.name.endsWith(".min.css")) {
         continue;
       }
       try {
@@ -642,9 +675,15 @@ async function scanSecrets(projectPath, config = {}) {
     }
     filesScanned++;
     const isEnvFile = isEnvironmentFile(relativePath);
-    const candidateRules = getRulesForKeywords(content).filter(
+    const skipEntropyRules = isEntropyNoisyFile(relativePath);
+    let candidateRules = getRulesForKeywords(content).filter(
       (rule) => !mergedConfig.allowRules.includes(rule.id)
     );
+    if (skipEntropyRules) {
+      candidateRules = candidateRules.filter(
+        (rule) => rule.id !== "high-entropy-base64" && rule.id !== "high-entropy-hex"
+      );
+    }
     if (candidateRules.length === 0 && !isEnvFile) {
       continue;
     }
@@ -741,7 +780,28 @@ function redactSecret(value, rule) {
 }
 function isEnvironmentFile(relativePath) {
   const basename2 = path2.basename(relativePath);
-  return basename2 === ".env" || basename2.startsWith(".env.") || basename2 === ".env.local" || basename2 === ".env.development" || basename2 === ".env.production" || basename2 === ".env.staging" || basename2 === ".env.test";
+  if (isEnvTemplateFile(basename2)) {
+    return false;
+  }
+  return basename2 === ".env" || basename2.startsWith(".env.");
+}
+function isEnvTemplateFile(basename2) {
+  const lower = basename2.toLowerCase();
+  return lower === ".env.example" || lower === ".env.sample" || lower === ".env.template" || lower === ".env.defaults" || lower === ".env.dist" || lower.endsWith(".example") || lower.endsWith(".sample") || lower.endsWith(".template");
+}
+function isEntropyNoisyFile(relativePath) {
+  const ext = path2.extname(relativePath).toLowerCase();
+  const basename2 = path2.basename(relativePath).toLowerCase();
+  if (ext === ".css") return true;
+  if (basename2.endsWith(".bundle.js") || basename2.endsWith(".chunk.js")) return true;
+  if (basename2.includes("manifest") && (ext === ".json" || ext === ".js")) return true;
+  if (basename2.includes("webpack") && ext === ".js") return true;
+  if (basename2 === "build-manifest.json") return true;
+  if (ext === ".svg") return true;
+  if (ext === ".json" && basename2 !== ".env.json") {
+    return false;
+  }
+  return false;
 }
 function hasEnvSecretContent(content) {
   const lines = content.split("\n");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@preship/secrets",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "Secrets detection for PreShip — find leaked API keys, tokens, and credentials before shipping",
   "author": "Cyfox Inc.",
   "license": "Apache-2.0",
@@ -21,6 +21,6 @@
     "lint": "tsc --noEmit"
   },
   "dependencies": {
-    "@preship/core": "2.0.0"
+    "@preship/core": "2.0.1"
   }
 }