@preship/secrets 1.0.0

package/dist/index.d.ts

@@ -0,0 +1,79 @@
+import { SecretsConfig, SecretsResult, SecretRule } from '@preship/core';
+
+/**
+ * Scan a project for leaked secrets, API keys, tokens, and credentials.
+ *
+ * The scanner uses a 3-stage pipeline for each file:
+ *   Stage 1: Check if file is in allowPaths -- skip entirely
+ *   Stage 2: Keyword prefilter -- check if any rule keyword exists in file content
+ *   Stage 3: Run matching rules' regex patterns, check entropy, filter false positives
+ *
+ * @param projectPath - Absolute path to the project root
+ * @param config - Partial secrets configuration (merged with defaults)
+ * @returns SecretsResult with findings and statistics
+ */
+declare function scanSecrets(projectPath: string, config?: Partial<SecretsConfig>): Promise<SecretsResult>;
+
+/**
+ * Get all registered secret detection rules.
+ */
+declare function getAllRules(): SecretRule[];
+/**
+ * Get rules whose keywords appear in the given file content.
+ *
+ * This is the keyword prefilter stage: only rules with at least one
+ * matching keyword are returned. Rules with no keywords (like entropy-based
+ * rules) are always included since they cannot be prefiltered.
+ *
+ * @param content - The file content to check keywords against
+ * @returns Rules that have at least one keyword match (or no keywords at all)
+ */
+declare function getRulesForKeywords(content: string): SecretRule[];
+
+/**
+ * Shannon entropy calculator for secret detection.
+ *
+ * Shannon entropy measures the randomness/information density of a string.
+ * High-entropy strings are more likely to be secrets (API keys, tokens, etc.)
+ * because they contain more random characters compared to natural language.
+ *
+ * Formula: H = -sum(p(x) * log2(p(x))) for each unique character x
+ */
+/**
+ * Calculate Shannon entropy of a string.
+ *
+ * @param str - The string to calculate entropy for
+ * @returns Shannon entropy value (bits per character). Range: 0 to log2(uniqueChars).
+ *          Typical thresholds:
+ *          - English text: ~3.5-4.0
+ *          - Base64 encoded: ~5.0-6.0
+ *          - Hex encoded: ~3.5-4.0
+ *          - True random (base64 charset): ~5.9
+ */
+declare function shannonEntropy(str: string): number;
+
+/**
+ * Walk project directory recursively and collect scannable file paths.
+ *
+ * @param projectPath - Absolute path to the project root
+ * @param allowPaths - Relative paths to skip (glob-style, uses startsWith matching)
+ * @param scanPaths - If non-empty, only scan files under these relative paths
+ * @returns Array of file paths relative to projectPath
+ */
+declare function walkProjectFiles(projectPath: string, allowPaths: string[], scanPaths: string[]): string[];
+
+/**
+ * @preship/secrets -- Secrets and credential detection for PreShip
+ *
+ * Scans project files for leaked API keys, tokens, passwords, private keys,
+ * database connection strings, and other credentials. Uses a 3-stage pipeline:
+ *
+ *   1. File walking with .gitignore-style exclusions
+ *   2. Keyword prefiltering for fast file-level skipping
+ *   3. Regex pattern matching with entropy analysis and false-positive filtering
+ *
+ * Zero external dependencies -- uses only Node.js built-in fs, path, and crypto.
+ */
+declare const SECRETS_MODULE_VERSION = "1.0.0";
+
+export { SECRETS_MODULE_VERSION, getAllRules, getRulesForKeywords, scanSecrets, shannonEntropy, walkProjectFiles };

package/dist/index.js

@@ -0,0 +1,777 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  SECRETS_MODULE_VERSION: () => SECRETS_MODULE_VERSION,
+  getAllRules: () => getAllRules,
+  getRulesForKeywords: () => getRulesForKeywords,
+  scanSecrets: () => scanSecrets,
+  shannonEntropy: () => shannonEntropy,
+  walkProjectFiles: () => walkProjectFiles
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/scanner.ts
+var fs2 = __toESM(require("fs"));
+var path2 = __toESM(require("path"));
+
+// src/entropy.ts
+function shannonEntropy(str) {
+  if (str.length === 0) {
+    return 0;
+  }
+  const freq = /* @__PURE__ */ new Map();
+  for (const char of str) {
+    freq.set(char, (freq.get(char) ?? 0) + 1);
+  }
+  const len = str.length;
+  let entropy = 0;
+  for (const count of freq.values()) {
+    const p = count / len;
+    if (p > 0) {
+      entropy -= p * Math.log2(p);
+    }
+  }
+  return entropy;
+}
+
+// src/rules/aws.ts
+var awsRules = [
+  {
+    id: "aws-access-key",
+    description: "AWS Access Key ID",
+    severity: "critical",
+    keywords: ["AKIA"],
+    pattern: /AKIA[0-9A-Z]{16}/,
+    allowPatterns: [
+      /AKIAIOSFODNN7EXAMPLE/,
+      // AWS documentation example key
+      /AKIAI44QH8DHBEXAMPLE/
+      // Another AWS doc example
+    ]
+  },
+  {
+    id: "aws-secret-key",
+    description: "AWS Secret Access Key",
+    severity: "critical",
+    keywords: ["aws"],
+    // 40-character base64 string near aws_secret_access_key or similar keywords
+    pattern: /(?:aws_secret_access_key|AWS_SECRET_ACCESS_KEY|aws_secret_key)\s*[=:]\s*['"]?([A-Za-z0-9/+=]{40})['"]?/,
+    allowPatterns: [
+      /wJalrXUtnFEMI\/K7MDENG\/bPxRfiCYEXAMPLEKEY/
+      // AWS documentation example
+    ]
+  },
+  {
+    id: "aws-session-token",
+    description: "AWS Session Token",
+    severity: "high",
+    keywords: ["aws_session_token"],
+    // Long base64 string near aws_session_token keyword
+    pattern: /(?:aws_session_token|AWS_SESSION_TOKEN)\s*[=:]\s*['"]?([A-Za-z0-9/+=]{100,})['"]?/
+  },
+  {
+    id: "aws-mws-key",
+    description: "Amazon Marketplace Web Service (MWS) Auth Token",
+    severity: "critical",
+    keywords: ["amzn.mws"],
+    pattern: /amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/
+  }
+];
+
+// src/rules/gcp.ts
+var gcpRules = [
+  {
+    id: "gcp-api-key",
+    description: "Google Cloud API Key",
+    severity: "critical",
+    keywords: ["AIza"],
+    pattern: /AIza[0-9A-Za-z_-]{35}/,
+    allowPatterns: [
+      /AIzaSyA1234567890EXAMPLE_KEY_HERE/
+      // Placeholder
+    ]
+  },
+  {
+    id: "gcp-service-account",
+    description: "Google Cloud Service Account JSON",
+    severity: "critical",
+    keywords: ["service_account"],
+    // Detects the "type": "service_account" pattern in JSON files
+    pattern: /"type"\s*:\s*"service_account"/
+  },
+  {
+    id: "gcp-oauth-secret",
+    description: "Google OAuth Client Secret",
+    severity: "high",
+    keywords: ["client_secret"],
+    // client_secret near googleapis or google context
+    pattern: /(?:client_secret|CLIENT_SECRET)\s*[=:"]\s*['"]?([A-Za-z0-9_-]{24,})['"]?/
+  }
+];
+
+// src/rules/github.ts
+var githubRules = [
+  {
+    id: "github-pat",
+    description: "GitHub Personal Access Token",
+    severity: "high",
+    keywords: ["ghp_"],
+    pattern: /ghp_[0-9a-zA-Z]{36}/
+  },
+  {
+    id: "github-oauth",
+    description: "GitHub OAuth Access Token",
+    severity: "high",
+    keywords: ["gho_"],
+    pattern: /gho_[0-9a-zA-Z]{36}/
+  },
+  {
+    id: "github-app-token",
+    description: "GitHub App Token (User-to-Server or Server-to-Server)",
+    severity: "high",
+    keywords: ["ghu_", "ghs_"],
+    pattern: /(?:ghu|ghs)_[0-9a-zA-Z]{36}/
+  },
+  {
+    id: "github-fine-grained",
+    description: "GitHub Fine-Grained Personal Access Token",
+    severity: "high",
+    keywords: ["github_pat_"],
+    pattern: /github_pat_[0-9a-zA-Z]{22}_[0-9a-zA-Z]{59}/
+  }
+];
+
+// src/rules/tokens.ts
+var tokenRules = [
+  {
+    id: "stripe-secret-key",
+    description: "Stripe Secret API Key",
+    severity: "critical",
+    keywords: ["sk_live_"],
+    pattern: /sk_live_[0-9a-zA-Z]{24,}/
+  },
+  {
+    id: "stripe-restricted-key",
+    description: "Stripe Restricted API Key",
+    severity: "high",
+    keywords: ["rk_live_"],
+    pattern: /rk_live_[0-9a-zA-Z]{24,}/
+  },
+  {
+    id: "slack-bot-token",
+    description: "Slack Bot Token",
+    severity: "high",
+    keywords: ["xoxb-"],
+    pattern: /xoxb-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24}/
+  },
+  {
+    id: "slack-webhook",
+    description: "Slack Incoming Webhook URL",
+    severity: "high",
+    keywords: ["hooks.slack.com"],
+    pattern: /https:\/\/hooks\.slack\.com\/services\/T[A-Z0-9]+\/B[A-Z0-9]+\/[a-zA-Z0-9]+/
+  },
+  {
+    id: "twilio-api-key",
+    description: "Twilio API Key",
+    severity: "high",
+    keywords: ["twilio", "SK"],
+    pattern: /SK[0-9a-fA-F]{32}/
+  },
+  {
+    id: "sendgrid-api-key",
+    description: "SendGrid API Key",
+    severity: "high",
+    keywords: ["SG."],
+    pattern: /SG\.[0-9A-Za-z_-]{22}\.[0-9A-Za-z_-]{43}/
+  },
+  {
+    id: "npm-token",
+    description: "npm Access Token",
+    severity: "high",
+    keywords: ["npm_"],
+    pattern: /npm_[0-9a-zA-Z]{36}/
+  },
+  {
+    id: "mailchimp-api-key",
+    description: "Mailchimp API Key",
+    severity: "medium",
+    keywords: ["mailchimp", "-us"],
+    pattern: /[0-9a-f]{32}-us[0-9]{1,2}/
+  }
+];
+
+// src/rules/private-keys.ts
+var privateKeyRules = [
+  {
+    id: "rsa-private-key",
+    description: "RSA Private Key",
+    severity: "critical",
+    keywords: ["BEGIN RSA PRIVATE KEY"],
+    pattern: /-----BEGIN RSA PRIVATE KEY-----/
+  },
+  {
+    id: "dsa-private-key",
+    description: "DSA Private Key",
+    severity: "critical",
+    keywords: ["BEGIN DSA PRIVATE KEY"],
+    pattern: /-----BEGIN DSA PRIVATE KEY-----/
+  },
+  {
+    id: "ec-private-key",
+    description: "EC Private Key",
+    severity: "critical",
+    keywords: ["BEGIN EC PRIVATE KEY"],
+    pattern: /-----BEGIN EC PRIVATE KEY-----/
+  },
+  {
+    id: "pgp-private-key",
+    description: "PGP Private Key Block",
+    severity: "critical",
+    keywords: ["BEGIN PGP PRIVATE KEY BLOCK"],
+    pattern: /-----BEGIN PGP PRIVATE KEY BLOCK-----/
+  },
+  {
+    id: "ssh-private-key",
+    description: "OpenSSH Private Key",
+    severity: "critical",
+    keywords: ["BEGIN OPENSSH PRIVATE KEY"],
+    pattern: /-----BEGIN OPENSSH PRIVATE KEY-----/
+  },
+  {
+    id: "pkcs8-private-key",
+    description: "PKCS#8 Private Key",
+    severity: "critical",
+    keywords: ["BEGIN PRIVATE KEY"],
+    pattern: /-----BEGIN PRIVATE KEY-----/
+  }
+];
+
+// src/rules/database.ts
+var databaseRules = [
+  {
+    id: "postgres-uri",
+    description: "PostgreSQL Connection URI with Password",
+    severity: "critical",
+    keywords: ["postgres"],
+    // postgres:// or postgresql:// with user:password@host
+    pattern: /postgres(?:ql)?:\/\/[^\s:]+:[^\s@]+@[^\s]+/,
+    allowPatterns: [
+      /postgres(?:ql)?:\/\/user(?:name)?:password@/,
+      // Common placeholder
+      /postgres(?:ql)?:\/\/postgres:postgres@localhost/
+      // Local dev default
+    ]
+  },
+  {
+    id: "mysql-uri",
+    description: "MySQL Connection URI with Password",
+    severity: "critical",
+    keywords: ["mysql"],
+    // mysql:// with user:password@host
+    pattern: /mysql:\/\/[^\s:]+:[^\s@]+@[^\s]+/,
+    allowPatterns: [
+      /mysql:\/\/user(?:name)?:password@/,
+      // Common placeholder
+      /mysql:\/\/root:root@localhost/,
+      // Local dev default
+      /mysql:\/\/root:password@localhost/
+      // Local dev default
+    ]
+  },
+  {
+    id: "mongodb-uri",
+    description: "MongoDB Connection URI with Password",
+    severity: "critical",
+    keywords: ["mongodb"],
+    // mongodb:// or mongodb+srv:// with user:password@host
+    pattern: /mongodb(?:\+srv)?:\/\/[^\s:]+:[^\s@]+@[^\s]+/,
+    allowPatterns: [
+      /mongodb(?:\+srv)?:\/\/user(?:name)?:password@/,
+      // Common placeholder
+      /mongodb(?:\+srv)?:\/\/root:example@/
+      // Docker docs example
+    ]
+  },
+  {
+    id: "redis-uri",
+    description: "Redis Connection URI with Password",
+    severity: "high",
+    keywords: ["redis"],
+    // redis:// or rediss:// with user:password@host
+    pattern: /rediss?:\/\/[^\s:]*:[^\s@]+@[^\s]+/,
+    allowPatterns: [
+      /rediss?:\/\/:password@localhost/
+      // Common placeholder
+    ]
+  },
+  {
+    id: "database-password",
+    description: "Database Password Assignment",
+    severity: "high",
+    keywords: ["db_password", "database_password", "DB_PASS"],
+    // Various database password environment variable patterns
+    pattern: /(?:db_password|database_password|DB_PASS(?:WORD)?|DB_PWD)\s*[=:]\s*['"][^'"]{8,}['"]/i,
+    allowPatterns: [
+      /['"](?:password|changeme|your[_-]?password|replace[_-]?me|TODO|xxx+)['"]/i
+    ]
+  }
+];
+
+// src/rules/generic.ts
+var GENERIC_ALLOW_PATTERNS = [
+  /['"](?:your[_-]?api[_-]?key(?:[_-]?here)?|INSERT[_-]?(?:TOKEN|KEY|SECRET)[_-]?HERE|xxx+|TODO|CHANGEME|REPLACE[_-]?ME|example|test|dummy|fake|placeholder|sample)['"]/i,
+  /['"](?:sk[_-]?test|pk[_-]?test|sk[_-]?example|pk[_-]?example)['"]/i,
+  /['"](?:\$\{|<[^>]+>|\{\{)/
+  // Template variable references: ${VAR}, <TOKEN>, {{VAR}}
+];
+var genericRules = [
+  {
+    id: "generic-api-key",
+    description: "Generic API Key Assignment",
+    severity: "medium",
+    keywords: ["api_key", "api-key", "apikey", "API_KEY", "APIKEY"],
+    pattern: /(?:api[_-]?key|apikey|API[_-]?KEY|APIKEY)\s*[=:]\s*['"][0-9a-zA-Z]{20,}['"]/i,
+    allowPatterns: GENERIC_ALLOW_PATTERNS
+  },
+  {
+    id: "generic-secret",
+    description: "Generic Secret Assignment",
+    severity: "medium",
+    keywords: ["secret", "SECRET"],
+    pattern: /(?:secret|SECRET|client_secret|CLIENT_SECRET|app_secret|APP_SECRET)\s*[=:]\s*['"][0-9a-zA-Z]{20,}['"]/i,
+    allowPatterns: GENERIC_ALLOW_PATTERNS
+  },
+  {
+    id: "generic-password",
+    description: "Generic Password Assignment",
+    severity: "medium",
+    keywords: ["password", "passwd", "pwd", "PASSWORD", "PASSWD", "PWD"],
+    pattern: /(?:password|passwd|pwd|PASSWORD|PASSWD|PWD)\s*[=:]\s*['"][^'"]{8,}['"]/,
+    allowPatterns: [
+      ...GENERIC_ALLOW_PATTERNS,
+      /['"](?:password|changeme|admin|root|test(?:ing)?|development|12345678)['"]/i
+    ]
+  },
+  {
+    id: "generic-token",
+    description: "Generic Token Assignment",
+    severity: "medium",
+    keywords: ["token", "TOKEN", "access_token", "ACCESS_TOKEN"],
+    pattern: /(?:token|TOKEN|access_token|ACCESS_TOKEN|auth_token|AUTH_TOKEN)\s*[=:]\s*['"][0-9a-zA-Z]{20,}['"]/i,
+    allowPatterns: GENERIC_ALLOW_PATTERNS
+  },
+  {
+    id: "jwt-token",
+    description: "JSON Web Token (JWT)",
+    severity: "medium",
+    keywords: ["eyJ"],
+    // JWT structure: base64url.base64url.signature
+    pattern: /eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]+/
+  },
+  {
+    id: "env-file",
+    description: "Environment Configuration File with Secrets",
+    severity: "high",
+    keywords: ["_KEY=", "_SECRET=", "_TOKEN=", "_PASSWORD="],
+    // Detects KEY=value, SECRET=value patterns in .env-style files
+    // This rule is special: the scanner should also check if the filename is .env*
+    pattern: /(?:_KEY|_SECRET|_TOKEN|_PASSWORD|_API_KEY)\s*=\s*[^\s#]{8,}/,
+    allowPatterns: [
+      /=\s*(?:your[_-]?|INSERT|TODO|CHANGEME|REPLACE|<|"\$\{|\$\(|%)/i
+    ]
+  },
+  {
+    id: "high-entropy-base64",
+    description: "High-Entropy Base64 String (possible secret)",
+    severity: "low",
+    keywords: [],
+    // No keyword prefilter; this rule is opt-in via entropy threshold
+    pattern: /[A-Za-z0-9+/]{40,}={0,2}/,
+    entropyThreshold: 4.5,
+    allowPatterns: [
+      /^[A-Z]+$/,
+      // All uppercase (likely a constant name)
+      /^[a-z]+$/,
+      // All lowercase (likely a word)
+      /[A-Za-z]{40,}/
+      // Long alphabetic-only strings are typically not secrets
+    ]
+  },
+  {
+    id: "high-entropy-hex",
+    description: "High-Entropy Hex String (possible secret)",
+    severity: "low",
+    keywords: [],
+    // No keyword prefilter; this rule is opt-in via entropy threshold
+    pattern: /[0-9a-fA-F]{40,}/,
+    entropyThreshold: 3,
+    allowPatterns: [
+      /^0{10,}$/,
+      // All zeros (placeholder/null hash)
+      /^[fF]{10,}$/
+      // All f's (mask value)
+    ]
+  }
+];
+
+// src/rules/index.ts
+var ALL_RULES = [
+  ...awsRules,
+  ...gcpRules,
+  ...githubRules,
+  ...tokenRules,
+  ...privateKeyRules,
+  ...databaseRules,
+  ...genericRules
+];
+function getAllRules() {
+  return ALL_RULES;
+}
+function getRulesForKeywords(content) {
+  return ALL_RULES.filter((rule) => {
+    if (rule.keywords.length === 0) {
+      return true;
+    }
+    return rule.keywords.some((keyword) => content.includes(keyword));
+  });
+}
+
+// src/walker.ts
+var fs = __toESM(require("fs"));
+var path = __toESM(require("path"));
+var SKIP_DIRS = /* @__PURE__ */ new Set([
+  "node_modules",
+  ".git",
+  "dist",
+  "build",
+  "coverage",
+  "__pycache__",
+  ".next",
+  ".nuxt",
+  ".cache",
+  ".turbo",
+  ".output"
+]);
+var SKIP_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".png",
+  ".jpg",
+  ".jpeg",
+  ".gif",
+  ".ico",
+  ".svg",
+  ".webp",
+  ".bmp",
+  ".tiff",
+  ".woff",
+  ".woff2",
+  ".ttf",
+  ".eot",
+  ".otf",
+  ".pdf",
+  ".zip",
+  ".tar",
+  ".gz",
+  ".bz2",
+  ".xz",
+  ".7z",
+  ".rar",
+  ".jar",
+  ".war",
+  ".exe",
+  ".dll",
+  ".so",
+  ".dylib",
+  ".bin",
+  ".o",
+  ".obj",
+  ".class",
+  ".pyc",
+  ".pyo",
+  ".wasm",
+  ".mp3",
+  ".mp4",
+  ".avi",
+  ".mov",
+  ".mkv",
+  ".flac",
+  ".wav"
+]);
+var ALLOWED_LOCKFILES = /* @__PURE__ */ new Set([
+  "package-lock.json",
+  "yarn.lock",
+  "pnpm-lock.yaml"
+]);
+var MAX_FILE_SIZE = 1048576;
+function walkProjectFiles(projectPath, allowPaths, scanPaths) {
+  const files = [];
+  const normalizedScanPaths = scanPaths.map((p) => p.replace(/\/+$/, ""));
+  const normalizedAllowPaths = allowPaths.map((p) => p.replace(/\/+$/, ""));
+  walkDirectory(projectPath, "", files, normalizedAllowPaths, normalizedScanPaths);
+  return files;
+}
+function walkDirectory(rootPath, relativePath, files, allowPaths, scanPaths) {
+  const absolutePath = relativePath ? path.join(rootPath, relativePath) : rootPath;
+  let entries;
+  try {
+    entries = fs.readdirSync(absolutePath, { withFileTypes: true });
+  } catch {
+    return;
+  }
+  for (const entry of entries) {
+    const entryRelative = relativePath ? path.join(relativePath, entry.name) : entry.name;
+    if (entry.isDirectory()) {
+      if (SKIP_DIRS.has(entry.name)) {
+        continue;
+      }
+      if (isAllowedPath(entryRelative, allowPaths)) {
+        continue;
+      }
+      if (scanPaths.length > 0 && !isUnderOrContainsScanPath(entryRelative, scanPaths)) {
+        continue;
+      }
+      walkDirectory(rootPath, entryRelative, files, allowPaths, scanPaths);
+    } else if (entry.isFile()) {
+      if (isAllowedPath(entryRelative, allowPaths)) {
+        continue;
+      }
+      if (scanPaths.length > 0 && !isUnderScanPath(entryRelative, scanPaths)) {
+        continue;
+      }
+      const ext = path.extname(entry.name).toLowerCase();
+      if (SKIP_EXTENSIONS.has(ext)) {
+        continue;
+      }
+      if (ext === ".lock" && !ALLOWED_LOCKFILES.has(entry.name)) {
+        continue;
+      }
+      try {
+        const stats = fs.statSync(path.join(rootPath, entryRelative));
+        if (stats.size > MAX_FILE_SIZE) {
+          continue;
+        }
+      } catch {
+        continue;
+      }
+      files.push(entryRelative);
+    }
+  }
+}
+function isAllowedPath(relativePath, allowPaths) {
+  return allowPaths.some(
+    (allowed) => relativePath === allowed || relativePath.startsWith(allowed + path.sep) || relativePath.startsWith(allowed + "/")
+  );
+}
+function isUnderScanPath(relativePath, scanPaths) {
+  return scanPaths.some((scanPath) => {
+    if (scanPath === "" || scanPath === ".") return true;
+    return relativePath === scanPath || relativePath.startsWith(scanPath + path.sep) || relativePath.startsWith(scanPath + "/");
+  });
+}
+function isUnderOrContainsScanPath(dirPath, scanPaths) {
+  return scanPaths.some((scanPath) => {
+    if (scanPath === "" || scanPath === ".") return true;
+    if (scanPath.startsWith(dirPath + path.sep) || scanPath.startsWith(dirPath + "/")) {
+      return true;
+    }
+    if (dirPath === scanPath || dirPath.startsWith(scanPath + path.sep) || dirPath.startsWith(scanPath + "/")) {
+      return true;
+    }
+    return false;
+  });
+}
+
+// src/scanner.ts
+var DEFAULT_SECRETS_CONFIG = {
+  scanPaths: [],
+  allowPaths: [],
+  allowRules: []
+};
+async function scanSecrets(projectPath, config = {}) {
+  const startTime = Date.now();
+  const mergedConfig = {
+    ...DEFAULT_SECRETS_CONFIG,
+    ...config
+  };
+  const allRules = getAllRules().filter(
+    (rule) => !mergedConfig.allowRules.includes(rule.id)
+  );
+  const files = walkProjectFiles(
+    projectPath,
+    mergedConfig.allowPaths,
+    mergedConfig.scanPaths
+  );
+  const findings = [];
+  let filesScanned = 0;
+  for (const relativePath of files) {
+    const absolutePath = path2.join(projectPath, relativePath);
+    let content;
+    try {
+      content = fs2.readFileSync(absolutePath, "utf-8");
+    } catch {
+      continue;
+    }
+    filesScanned++;
+    const isEnvFile = isEnvironmentFile(relativePath);
+    const candidateRules = getRulesForKeywords(content).filter(
+      (rule) => !mergedConfig.allowRules.includes(rule.id)
+    );
+    if (candidateRules.length === 0 && !isEnvFile) {
+      continue;
+    }
+    const lines = content.split("\n");
+    for (let lineIndex = 0; lineIndex < lines.length; lineIndex++) {
+      const line = lines[lineIndex];
+      for (const rule of candidateRules) {
+        scanLineForRule(rule, line, lineIndex, relativePath, findings);
+      }
+    }
+    if (isEnvFile && hasEnvSecretContent(content)) {
+      const envRule = allRules.find((r) => r.id === "env-file");
+      if (envRule && !mergedConfig.allowRules.includes("env-file")) {
+        const hasEnvFindings = findings.some(
+          (f) => f.ruleId === "env-file" && f.file === relativePath
+        );
+        if (!hasEnvFindings) {
+          findings.push({
+            ruleId: "env-file",
+            description: "Environment file with potential secrets detected",
+            severity: "high",
+            file: relativePath,
+            line: 1,
+            column: 1,
+            match: path2.basename(relativePath)
+          });
+        }
+      }
+    }
+  }
+  const stats = {
+    critical: findings.filter((f) => f.severity === "critical").length,
+    high: findings.filter((f) => f.severity === "high").length,
+    medium: findings.filter((f) => f.severity === "medium").length,
+    low: findings.filter((f) => f.severity === "low").length
+  };
+  const passed = stats.critical === 0 && stats.high === 0;
+  return {
+    enabled: true,
+    passed,
+    filesScanned,
+    findings,
+    stats,
+    scanDurationMs: Date.now() - startTime
+  };
+}
+function scanLineForRule(rule, line, lineIndex, relativePath, findings) {
+  const regex = new RegExp(rule.pattern.source, rule.pattern.flags.replace("g", ""));
+  const match = regex.exec(line);
+  if (!match) {
+    return;
+  }
+  const matchedString = match[0];
+  const secretValue = match[1] ?? matchedString;
+  if (rule.allowPatterns && rule.allowPatterns.length > 0) {
+    const isAllowed = rule.allowPatterns.some(
+      (allowPattern) => allowPattern.test(matchedString)
+    );
+    if (isAllowed) {
+      return;
+    }
+  }
+  let entropy;
+  if (rule.entropyThreshold !== void 0) {
+    entropy = shannonEntropy(secretValue);
+    if (entropy < rule.entropyThreshold) {
+      return;
+    }
+  }
+  findings.push({
+    ruleId: rule.id,
+    description: rule.description,
+    severity: rule.severity,
+    file: relativePath,
+    line: lineIndex + 1,
+    // 1-indexed
+    column: match.index + 1,
+    // 1-indexed
+    match: redactSecret(matchedString, rule),
+    entropy
+  });
+}
+function redactSecret(value, rule) {
+  if (rule.id.endsWith("-private-key")) {
+    return value;
+  }
+  if (rule.id === "gcp-service-account") {
+    return '"type": "service_account"';
+  }
+  if (value.length < 12) {
+    return value.substring(0, 2) + "****";
+  }
+  return value.substring(0, 4) + "****" + value.substring(value.length - 4);
+}
+function isEnvironmentFile(relativePath) {
+  const basename2 = path2.basename(relativePath);
+  return basename2 === ".env" || basename2.startsWith(".env.") || basename2 === ".env.local" || basename2 === ".env.development" || basename2 === ".env.production" || basename2 === ".env.staging" || basename2 === ".env.test";
+}
+function hasEnvSecretContent(content) {
+  const lines = content.split("\n");
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (trimmed === "" || trimmed.startsWith("#")) {
+      continue;
+    }
+    const eqIndex = trimmed.indexOf("=");
+    if (eqIndex > 0) {
+      const value = trimmed.substring(eqIndex + 1).trim().replace(/^['"]|['"]$/g, "");
+      if (value === "" || value.startsWith("${") || value.startsWith("<") || value.startsWith("{{") || /^(your[_-]|INSERT|TODO|CHANGEME|REPLACE|xxx)/i.test(value)) {
+        continue;
+      }
+      if (value.length >= 8) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+
+// src/index.ts
+var SECRETS_MODULE_VERSION = "1.0.0";
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  SECRETS_MODULE_VERSION,
+  getAllRules,
+  getRulesForKeywords,
+  scanSecrets,
+  shannonEntropy,
+  walkProjectFiles
+});

package/package.json

@@ -0,0 +1,26 @@
+{
+  "name": "@preship/secrets",
+  "version": "1.0.0",
+  "description": "Secrets detection for PreShip — find leaked API keys, tokens, and credentials before shipping",
+  "author": "Cyfox Inc.",
+  "license": "Apache-2.0",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "require": "./dist/index.js",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsup src/index.ts --format cjs --dts --clean",
+    "lint": "tsc --noEmit"
+  },
+  "dependencies": {
+    "@preship/core": "2.0.0"
+  }
+}