@secretlint/secretlint-rule-databricks 0.0.1 → 11.7.1

package/LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2026 azu
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,45 +1,69 @@
 # @secretlint/secretlint-rule-databricks
 
-## ⚠️ IMPORTANT NOTICE ⚠️
+A rule for detecting [Databricks personal access tokens](https://docs.databricks.com/aws/en/dev-tools/auth/pat) in your code.
 
-**This package is created solely for the purpose of setting up OIDC (OpenID Connect) trusted publishing with npm.**
+## Install
 
-This is **NOT** a functional package and contains **NO** code or functionality beyond the OIDC setup configuration.
+Install with [npm](https://www.npmjs.com/):
 
-## Purpose
+    npm install @secretlint/secretlint-rule-databricks
 
-This package exists to:
-1. Configure OIDC trusted publishing for the package name `@secretlint/secretlint-rule-databricks`
-2. Enable secure, token-less publishing from CI/CD workflows
-3. Establish provenance for packages published under this name
+## Usage
 
-## What is OIDC Trusted Publishing?
+Via `.secretlintrc.json`(Recommended)
 
-OIDC trusted publishing allows package maintainers to publish packages directly from their CI/CD workflows without needing to manage npm access tokens. Instead, it uses OpenID Connect to establish trust between the CI/CD provider (like GitHub Actions) and npm.
+```json
+{
+    "rules": [
+        {
+            "id": "@secretlint/secretlint-rule-databricks"
+        }
+    ]
+}
+```
 
-## Setup Instructions
+## MessageIDs
 
-To properly configure OIDC trusted publishing for this package:
+### DATABRICKS_PERSONAL_ACCESS_TOKEN
 
-1. Go to [npmjs.com](https://www.npmjs.com/) and navigate to your package settings
-2. Configure the trusted publisher (e.g., GitHub Actions)
-3. Specify the repository and workflow that should be allowed to publish
-4. Use the configured workflow to publish your actual package
+Databricks personal access token is detected.
 
-## DO NOT USE THIS PACKAGE
+Databricks personal access tokens start with the literal prefix `dapi`, followed by a 32-character hexadecimal string, with an optional `-<digit>` suffix. The rule matches hex characters case-insensitively.
 
-This package is a placeholder for OIDC configuration only. It:
-- Contains no executable code
-- Provides no functionality
-- Should not be installed as a dependency
-- Exists only for administrative purposes
+**NG** examples:
 
-## More Information
+```
+DATABRICKS_TOKEN=dapi1234567890ABCDEF1234567890ABCDEF
+token: "dapi0123456789ABCDEF0123456789ABCDEF-3"
+```
 
-For more details about npm's trusted publishing feature, see:
-- [npm Trusted Publishing Documentation](https://docs.npmjs.com/generating-provenance-statements)
-- [GitHub Actions OIDC Documentation](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)
+## Options
 
----
+- `allows: string[]`
+    - Allows a list of [RegExp-like String](https://github.com/textlint/regexp-string-matcher#regexp-like-string)
 
-**Maintained for OIDC setup purposes only**
+## Changelog
+
+See [Releases page](https://github.com/secretlint/secretlint/releases).
+
+## Running tests
+
+Install devDependencies and Run `npm test`:
+
+    npm test
+
+## Contributing
+
+Pull requests and stars are always welcome.
+
+For bugs and feature requests, [please create an issue](https://github.com/secretlint/secretlint/issues).
+
+1. Fork it!
+2. Create your feature branch: `git checkout -b my-new-feature`
+3. Commit your changes: `git commit -am 'Add some feature'`
+4. Push to the branch: `git push origin my-new-feature`
+5. Submit a pull request :D
+
+## License
+
+MIT © azu

package/module/index.d.ts

@@ -0,0 +1,16 @@
+import type { SecretLintRuleCreator } from "@secretlint/types";
+export declare const messages: {
+    DATABRICKS_PERSONAL_ACCESS_TOKEN: {
+        en: (props: {
+            ID: string;
+        }) => string;
+        ja: (props: {
+            ID: string;
+        }) => string;
+    };
+};
+export type Options = {
+    allows?: string[];
+};
+export declare const creator: SecretLintRuleCreator<Options>;
+//# sourceMappingURL=index.d.ts.map

package/module/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAwB,MAAM,mBAAmB,CAAC;AAGrF,eAAO,MAAM,QAAQ;;oBAED;YAAE,EAAE,EAAE,MAAM,CAAA;SAAE;oBACd;YAAE,EAAE,EAAE,MAAM,CAAA;SAAE;;CAEjC,CAAC;AAEF,MAAM,MAAM,OAAO,GAAG;IAClB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACrB,CAAC;AAEF,eAAO,MAAM,OAAO,EAAE,qBAAqB,CAAC,OAAO,CA8ClD,CAAC"}

package/module/index.js

@@ -0,0 +1,55 @@
+import { matchPatterns } from "@textlint/regexp-string-matcher";
+export const messages = {
+    DATABRICKS_PERSONAL_ACCESS_TOKEN: {
+        en: (props) => `found Databricks personal access token: ${props.ID}`,
+        ja: (props) => `Databricks personal access token: ${props.ID} がみつかりました`,
+    },
+};
+export const creator = {
+    messages,
+    meta: {
+        id: "@secretlint/secretlint-rule-databricks",
+        recommended: true,
+        type: "scanner",
+        supportedContentTypes: ["text"],
+        docs: {
+            url: "https://github.com/secretlint/secretlint/blob/master/packages/%40secretlint/secretlint-rule-databricks/README.md",
+        },
+    },
+    create(context, options) {
+        const t = context.createTranslator(messages);
+        const normalizedOptions = {
+            allows: options?.allows ?? [],
+        };
+        return {
+            file(source) {
+                // Databricks personal access tokens:
+                // - Prefix: `dapi`
+                // - Body: 32 hexadecimal characters (Databricks issues lowercase,
+                //   but match case-insensitively to be lenient)
+                // - Optional suffix: `-<single digit>`
+                // Reference:
+                // - https://docs.databricks.com/aws/en/dev-tools/auth/pat
+                // - https://docs.github.com/en/code-security/secret-scanning/secret-scanning-patterns
+                const pattern = /(?<!\p{L})dapi[A-Fa-f0-9]{32}(?:-[0-9])?(?![A-Fa-f0-9])/gu;
+                const matches = source.content.matchAll(pattern);
+                for (const match of matches) {
+                    const index = match.index ?? 0;
+                    const matchString = match[0] ?? "";
+                    const allowedResults = matchPatterns(matchString, normalizedOptions.allows);
+                    if (allowedResults.length > 0) {
+                        continue;
+                    }
+                    const range = [index, index + matchString.length];
+                    context.report({
+                        message: t("DATABRICKS_PERSONAL_ACCESS_TOKEN", {
+                            ID: matchString,
+                        }),
+                        range,
+                    });
+                }
+            },
+        };
+    },
+};
+//# sourceMappingURL=index.js.map

package/module/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,MAAM,iCAAiC,CAAC;AAEhE,MAAM,CAAC,MAAM,QAAQ,GAAG;IACpB,gCAAgC,EAAE;QAC9B,EAAE,EAAE,CAAC,KAAqB,EAAE,EAAE,CAAC,2CAA2C,KAAK,CAAC,EAAE,EAAE;QACpF,EAAE,EAAE,CAAC,KAAqB,EAAE,EAAE,CAAC,qCAAqC,KAAK,CAAC,EAAE,WAAW;KAC1F;CACJ,CAAC;AAMF,MAAM,CAAC,MAAM,OAAO,GAAmC;IACnD,QAAQ;IACR,IAAI,EAAE;QACF,EAAE,EAAE,wCAAwC;QAC5C,WAAW,EAAE,IAAI;QACjB,IAAI,EAAE,SAAS;QACf,qBAAqB,EAAE,CAAC,MAAM,CAAC;QAC/B,IAAI,EAAE;YACF,GAAG,EAAE,kHAAkH;SAC1H;KACJ;IACD,MAAM,CAAC,OAAO,EAAE,OAAO;QACnB,MAAM,CAAC,GAAG,OAAO,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAC7C,MAAM,iBAAiB,GAAG;YACtB,MAAM,EAAE,OAAO,EAAE,MAAM,IAAI,EAAE;SAChC,CAAC;QACF,OAAO;YACH,IAAI,CAAC,MAA4B;gBAC7B,qCAAqC;gBACrC,mBAAmB;gBACnB,kEAAkE;gBAClE,gDAAgD;gBAChD,uCAAuC;gBACvC,aAAa;gBACb,0DAA0D;gBAC1D,sFAAsF;gBACtF,MAAM,OAAO,GAAG,2DAA2D,CAAC;gBAC5E,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;gBACjD,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;oBAC1B,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC;oBAC/B,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;oBACnC,MAAM,cAAc,GAAG,aAAa,CAAC,WAAW,EAAE,iBAAiB,CAAC,MAAM,CAAC,CAAC;oBAC5E,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;wBAC5B,SAAS;oBACb,CAAC;oBACD,MAAM,KAAK,GAAG,CAAC,KAAK,EAAE,KAAK,GAAG,WAAW,CAAC,MAAM,CAAU,CAAC;oBAC3D,OAAO,CAAC,MAAM,CAAC;wBACX,OAAO,EAAE,CAAC,CAAC,kCAAkC,EAAE;4BAC3C,EAAE,EAAE,WAAW;yBAClB,CAAC;wBACF,KAAK;qBACR,CAAC,CAAC;gBACP,CAAC;YACL,CAAC;SACJ,CAAC;IACN,CAAC;CACJ,CAAC"}

package/module/tsconfig.tsbuildinfo

@@ -0,0 +1 @@
+{"root":["../src/index.ts"],"version":"5.9.2"}

package/package.json

@@ -1,10 +1,71 @@
 {
   "name": "@secretlint/secretlint-rule-databricks",
-  "version": "0.0.1",
-  "description": "OIDC trusted publishing setup package for @secretlint/secretlint-rule-databricks",
+  "version": "11.7.1",
+  "description": "A secretlint rule for detecting Databricks personal access tokens",
   "keywords": [
-    "oidc",
-    "trusted-publishing",
-    "setup"
-  ]
-}
+    "secretlint",
+    "rule",
+    "databricks",
+    "token",
+    "security"
+  ],
+  "homepage": "https://github.com/secretlint/secretlint/tree/master/packages/@secretlint/secretlint-rule-databricks/",
+  "bugs": {
+    "url": "https://github.com/secretlint/secretlint/issues"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/secretlint/secretlint.git"
+  },
+  "license": "MIT",
+  "author": "azu",
+  "type": "module",
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./module/index.d.ts",
+        "default": "./module/index.js"
+      },
+      "default": "./module/index.js"
+    },
+    "./package.json": "./package.json"
+  },
+  "main": "./module/index.js",
+  "types": "./module/index.d.ts",
+  "files": [
+    "bin/",
+    "module/",
+    "src/"
+  ],
+  "prettier": {
+    "printWidth": 120,
+    "singleQuote": false,
+    "tabWidth": 4
+  },
+  "dependencies": {
+    "@textlint/regexp-string-matcher": "^2.0.2",
+    "@secretlint/types": "11.7.1"
+  },
+  "devDependencies": {
+    "@types/node": "^24.12.2",
+    "prettier": "^2.8.8",
+    "tsx": "^4.21.0",
+    "typescript": "^5.8.3",
+    "@secretlint/tester": "11.7.1"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsc --build",
+    "clean": "tsc --build --clean",
+    "prettier": "prettier --write \"**/*.{js,jsx,ts,tsx,css}\"",
+    "prepublish": "npm run --if-present build",
+    "test": "node --import tsx --test test/index.test.ts",
+    "updateSnapshot": "UPDATE_SNAPSHOT=1 npm test",
+    "watch": "tsc --build --watch"
+  }
+}

package/src/index.ts

@@ -0,0 +1,61 @@
+import type { SecretLintRuleCreator, SecretLintSourceCode } from "@secretlint/types";
+import { matchPatterns } from "@textlint/regexp-string-matcher";
+
+export const messages = {
+    DATABRICKS_PERSONAL_ACCESS_TOKEN: {
+        en: (props: { ID: string }) => `found Databricks personal access token: ${props.ID}`,
+        ja: (props: { ID: string }) => `Databricks personal access token: ${props.ID} がみつかりました`,
+    },
+};
+
+export type Options = {
+    allows?: string[];
+};
+
+export const creator: SecretLintRuleCreator<Options> = {
+    messages,
+    meta: {
+        id: "@secretlint/secretlint-rule-databricks",
+        recommended: true,
+        type: "scanner",
+        supportedContentTypes: ["text"],
+        docs: {
+            url: "https://github.com/secretlint/secretlint/blob/master/packages/%40secretlint/secretlint-rule-databricks/README.md",
+        },
+    },
+    create(context, options) {
+        const t = context.createTranslator(messages);
+        const normalizedOptions = {
+            allows: options?.allows ?? [],
+        };
+        return {
+            file(source: SecretLintSourceCode) {
+                // Databricks personal access tokens:
+                // - Prefix: `dapi`
+                // - Body: 32 hexadecimal characters (Databricks issues lowercase,
+                //   but match case-insensitively to be lenient)
+                // - Optional suffix: `-<single digit>`
+                // Reference:
+                // - https://docs.databricks.com/aws/en/dev-tools/auth/pat
+                // - https://docs.github.com/en/code-security/secret-scanning/secret-scanning-patterns
+                const pattern = /(?<!\p{L})dapi[A-Fa-f0-9]{32}(?:-[0-9])?(?![A-Fa-f0-9])/gu;
+                const matches = source.content.matchAll(pattern);
+                for (const match of matches) {
+                    const index = match.index ?? 0;
+                    const matchString = match[0] ?? "";
+                    const allowedResults = matchPatterns(matchString, normalizedOptions.allows);
+                    if (allowedResults.length > 0) {
+                        continue;
+                    }
+                    const range = [index, index + matchString.length] as const;
+                    context.report({
+                        message: t("DATABRICKS_PERSONAL_ACCESS_TOKEN", {
+                            ID: matchString,
+                        }),
+                        range,
+                    });
+                }
+            },
+        };
+    },
+};