api-key-guard 1.0.3 → 1.1.0

package/README.md

@@ -1,84 +1,486 @@
-# 🔐 api-key-guard
+# 🔐 API Key Guard
 
 [![npm version](https://badge.fury.io/js/api-key-guard.svg)](https://www.npmjs.com/package/api-key-guard)
 [![npm downloads](https://img.shields.io/npm/dm/api-key-guard.svg)](https://www.npmjs.com/package/api-key-guard)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 
-## Project Title & Description
+A comprehensive CLI tool for detecting, preventing, and managing API key leaks in your codebase with AI-powered documentation generation.
 
-**api-key-guard** is a comprehensive Node.js CLI tool designed to help developers and teams detect, prevent, and manage API key leaks within their codebases. It provides powerful scanning capabilities, integrates seamlessly with Git hooks, and even offers AI-powered assistance for project documentation, ensuring your secrets stay secret.
+## ⚡ Quick Start
 
-## ⚠️ Problem Statement: The Silent Threat of API Key Leaks
+```bash
+# Install globally
+npm install -g api-key-guard
 
-Accidentally committing API keys, private tokens, or sensitive credentials to a public or even private repository is a widespread and critical security vulnerability. A single leaked key can lead to:
+# Scan for API key leaks
+api-key-guard scan
 
-*   **Data Breaches:** Unauthorized access to sensitive user data.
-*   **Financial Loss:** Misuse of cloud resources, payment gateways, or premium services.
-*   **Reputational Damage:** Erosion of trust from customers and partners.
-*   **Service Interruptions:** Malicious actors disabling or disrupting your services.
+# Setup git hooks for automatic scanning
+api-key-guard setup-hooks
 
-Traditional methods often rely on manual reviews or simplistic grep commands, which are prone to error and can't keep pace with rapid development cycles. **api-key-guard** provides an automated, intelligent solution to proactively safeguard your repositories against this silent, yet devastating, threat.
+# Generate AI-powered README (requires GEMINI_API_KEY)
+export GEMINI_API_KEY=your_api_key_here
+api-key-guard readme
+```
 
-## ✨ Features List
+## 🚨 The Problem
 
-**api-key-guard** comes packed with features to make API key management robust and effortless:
+API key leaks in code repositories are a critical security vulnerability that can lead to:
 
-*   🔍 **Advanced API Key Detection:**
-    *   Utilizes a combination of regex patterns and entropy analysis to identify a wide range of common API keys (AWS, Google Cloud, Stripe, GitHub, etc.) and high-entropy strings that might be custom secrets.
-    *   Scans various file types including JavaScript, TypeScript, Python, Ruby, JSON, YAML, Markdown, and more.
-*   🎣 **Seamless Git Hooks Integration:**
-    *   Set up pre-commit hooks to automatically scan staged files before every commit, preventing secrets from ever reaching your repository.
-    *   Provides clear feedback and blocks commits if a leak is detected.
-*   🚀 **Powerful CLI Commands:**
-    *   `scan`: On-demand scanning of entire directories or specific files.
-    *   `setup-hooks`: Automates the installation of Git pre-commit hooks.
-    *   `readme`: Leverages AI to generate comprehensive `README.md` files based on your project's structure and existing documentation.
-*   🤖 **AI-Powered README Generation:**
-    *   A unique feature that helps you quickly generate professional and informative `README.md` files, improving project documentation and onboarding.
-*   📁 **Multiple File Format Support:**
-    *   Intelligently parses and scans a broad spectrum of text-based file formats, ensuring no stone is left unturned.
-*   ⚙️ **Configurable Ignore Patterns:**
-    *   Define custom ignore rules in configuration files or via CLI flags to exclude specific files, directories (e.g., `node_modules`, `dist`), or even patterns of "false positive" keys, reducing noise.
-*   🌈 **Colorful and Clear Output:**
-    *   Leverages `chalk` to provide easy-to-read, color-coded output in the terminal, highlighting detected keys and scan results.
+- **Data breaches** and unauthorized access
+- **Financial losses** from misused cloud resources  
+- **Service disruptions** and security incidents
+- **Reputational damage** from exposed credentials
 
-## 🛠️ Installation
+## ✨ Features
+
+- 🔍 **Smart Detection**: Advanced regex patterns detect AWS keys, GitHub tokens, Google API keys, and more
+- � **Auto-Fix Keys**: Automatically replace hardcoded keys with environment variables
+- �🔒 **Git Hooks Integration**: Automatic pre-commit scanning to prevent leaks
+- 🤖 **AI-Powered README**: Generate professional documentation using Google's Gemini API
+- ⚡ **Fast Scanning**: Efficient file parsing with configurable ignore patterns
+- 🌈 **Clear Output**: Color-coded results with detailed reporting
+- 📋 **Multiple Formats**: Support for JS, TS, Python, JSON, YAML, ENV files, and more
 
-**Prerequisites:**
+## 📋 CLI Commands
 
-*   Node.js (v14 or higher)
-*   npm (v6 or higher)
+### Scan for API Keys
+```bash
+# Scan current directory
+api-key-guard scan
+
+# Scan specific path
+api-key-guard scan --path ./src
 
-Install `api-key-guard` globally using npm:
+# Verbose output with pattern details
+api-key-guard scan --verbose
+```
 
+### Fix Hardcoded Keys
 ```bash
-npm install -g api-key-guard
+# Automatically fix hardcoded API keys
+api-key-guard fix
+
+# Preview fixes without applying
+api-key-guard fix --dry-run
+
+# Fix specific file only
+api-key-guard fix --file src/config.js
+
+# Fix without creating backups
+api-key-guard fix --no-backup
 ```
 
-Verify the installation by checking the version:
+### Git Hooks Setup
+```bash
+# Install pre-commit hook
+api-key-guard setup-hooks
+```
 
+### AI README Generation
+```bash
+# Generate README.md
+api-key-guard readme
+
+# Force overwrite existing file
+api-key-guard readme --force
+
+# Custom output file
+api-key-guard readme --output DOCUMENTATION.md
+```
+
+## 🛠️ Installation
+
+**Prerequisites:** Node.js 14+ and npm
+
+```bash
+# Global installation (recommended)
+npm install -g api-key-guard
+
+# Local project installation
+npm install --save-dev api-key-guard
+```
+
+**Verify installation:**
 ```bash
 api-key-guard --version
 ```
 
+## 🔑 API Key Types Detected
+
+- **AWS Access Keys**: `AKIA...`
+- **GitHub Tokens**: `ghp_...`, `github_pat_...`
+- **Google API Keys**: `AIza...`
+- **Generic Patterns**: `api_key`, `secret_key`, `access_token`
+- **Bearer Tokens**: `Bearer ...`
+- **Custom Patterns**: High-entropy strings
+
+## 🤖 AI README Generation
+
+The `readme` command uses Google's Gemini API to generate comprehensive documentation:
+
+### Setup
+1. Get API key from [Google AI Studio](https://makersuite.google.com/app/apikey)
+2. Set environment variable:
+   ```bash
+   export GEMINI_API_KEY=your_api_key_here
+   ```
+
+### Generated Content
+- Project overview and description
+- Installation instructions
+- Usage examples and CLI documentation
+- Security best practices
+- Contributing guidelines
+
+## ⚙️ Configuration
+
+Create `.api-key-guard.json` in your project root:
+
+```json
+{
+  "ignorePatterns": [
+    "node_modules/**",
+    "dist/**",
+    "*.min.js",
+    "test/**/*.fixture.js"
+  ],
+  "customPatterns": [
+    {
+      "name": "Custom API Key",
+      "pattern": "custom_key_[0-9a-f]{32}"
+    }
+  ]
+}
+```
+
+## 🔐 Git Hooks
+
+The `setup-hooks` command creates a pre-commit hook that:
+
+1. Scans staged files for API keys
+2. Blocks commits if leaks are detected  
+3. Provides clear feedback on detected patterns
+4. Allows bypass with `--no-verify` if needed
+
+## 🛡️ Security Features
+
+- **Zero Storage**: API keys are never stored or logged
+- **Environment Variables**: Secure handling of authentication tokens
+- **Pattern Matching**: Regular expressions detect common key formats
+- **Entropy Analysis**: Identifies high-entropy strings that may be secrets
+- **Configurable Scanning**: Customize patterns and ignore rules
+
+## 📊 Usage Examples
+
+**Basic Scanning:**
+```bash
+api-key-guard scan
+# ✅ No potential API key leaks detected!
+```
+
+**With API Key Detection:**
+```bash
+api-key-guard scan --verbose
+# 🚨 Found 2 potential API key leak(s):
+#   📄 src/config.js:15
+#      Pattern: AKIA1234567890ABCDEF
+#   📄 .env.example:3  
+#      Pattern: sk-1234567890abcdef...
+```
+
+**Automatic Key Fixing:**
+```bash
+api-key-guard fix --dry-run
+# 📋 Found 3 fixable API key(s):
+#   📄 src/config.js:15
+#     const apiKey = "sk-1234567890abcdef"
+#     → const apiKey = process.env.API_KEY
+#   
+#   📄 src/auth.js:8
+#     const token = "ghp_abcdefghijklmnop"
+#     → const token = process.env.GITHUB_TOKEN
+
+# Apply fixes
+api-key-guard fix
+# 🔧 Applying fixes...
+# ✅ Successfully fixed 3 API keys!
+# 📝 Updated 2 file(s)
+# 🔐 Added 3 environment variable(s)
+```
+
+## 🤝 Contributing
+
+1. Fork the repository
+2. Create a feature branch: `git checkout -b feature/amazing-feature`
+3. Commit changes: `git commit -m 'Add amazing feature'`
+4. Push to branch: `git push origin feature/amazing-feature`
+5. Open a Pull Request
+
+## 📄 License
+
+This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
+
+## 🙋‍♂️ Support
+
+- 📖 [Documentation](https://www.npmjs.com/package/api-key-guard)
+- 🐛 [Report Issues](https://github.com/yourusername/api-key-guard/issues)
+- 💬 [Discussions](https://github.com/yourusername/api-key-guard/discussions)
+
+---
+
+**Made with ❤️ for developer security**
+npm install --save-dev api-key-guard
+```
+
 ## 🚀 CLI Usage Examples
 
-`api-key-guard` provides a simple yet powerful command-line interface.
+`api-key-guard` provides several commands for different use cases.
 
-### 1. `api-key-guard scan` - Scan your codebase for API keys
+### 🔍 `api-key-guard scan` - Detect API Keys
 
-Scan a directory or specific files for potential API key leaks.
+Scans your project for potential API key leaks.
 
-#### Basic Scan of Current Directory:
+**Basic Scan (current directory):**
 
 ```bash
 api-key-guard scan .
 ```
 
-#### Scan a Specific File:
+**Scan a specific directory:**
+
+```bash
+api-key-guard scan src/
+```
+
+**Scan a specific file:**
+
+```bash
+api-key-guard scan config/secrets.js
+```
+
+**Verbose output (shows more details about detection):**
+
+```bash
+api-key-guard scan . --verbose
+```
+
+**Fail on leak (exit with a non-zero code if leaks are found, useful for CI/CD):**
+
+```bash
+api-key-guard scan . --fail-on-leak
+```
+
+**Include specific file types (comma-separated):**
+
+```bash
+api-key-guard scan . --include "*.js,*.ts,*.env"
+```
+
+**Exclude specific file types (comma-separated):**
+
+```bash
+api-key-guard scan . --exclude "*.min.js,*.lock"
+```
+
+**Ignore files or directories using patterns (shell-like glob patterns):**
+
+```bash
+api-key-guard scan . --ignore-pattern "node_modules/**" --ignore-pattern "dist/*"
+```
+
+**Use a `.gitignore` file for ignore patterns:**
+
+```bash
+api-key-guard scan . --ignore-file .gitignore
+```
+
+**Combine options:**
+
+```bash
+api-key-guard scan src/ --fail-on-leak --verbose --ignore-file .gitignore --include "*.js,*.ts"
+```
+
+### 🎣 `api-key-guard setup-hooks` - Integrate Git Hooks
+
+Sets up Git pre-commit and/or pre-push hooks to automatically scan for keys before commits or pushes.
+
+**Set up pre-commit hook (default):**
+
+```bash
+api-key-guard setup-hooks
+```
+
+This will configure your local `.git/hooks/pre-commit` script to run `api-key-guard scan --fail-on-leak` on staged files.
+
+**Set up pre-push hook:**
+
+```bash
+api-key-guard setup-hooks --hook pre-push
+```
+
+This will configure your local `.git/hooks/pre-push` script to run `api-key-guard scan --fail-on-leak` on all changes being pushed.
+
+**Remove existing hooks (if you need to clean up):**
 
 ```bash
-api-key-guard scan src/utils/api.js
+api-key-guard setup-hooks --remove
 ```
 
-#### Scan a Specific Directory with
+### 📝 `api-key-guard readme` - Generate READMEs with AI
+
+Leverages AI to help you generate a professional README.md for your project. (Requires an active internet connection and potentially an API key for the AI service, configured via environment variables).
+
+**Generate a README with a prompt:**
+
+```bash
+api-key-guard readme "Generate a README for a Node.js CLI tool that detects API keys, focusing on its security benefits and ease of use."
+```
+
+**Generate and save to a specific file:**
+
+```bash
+api-key-guard readme --output docs/PROJECT_README.md "Generate a simple README for a web application using React and Node.js."
+```
+
+## 🎣 Git Hooks Usage
+
+Once you've set up Git hooks using `api-key-guard setup-hooks`, the tool will automatically run during your `git commit` or `git push` operations.
+
+**Example of a pre-commit hook in action:**
+
+1.  You have `api-key-guard` pre-commit hook enabled.
+2.  You accidentally add a file containing a hardcoded API key:
+    ```javascript
+    // src/config.js
+    const API_KEY = "sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; // BAD PRACTICE!
+    ```
+3.  You stage the file:
+    ```bash
+    git add src/config.js
+    ```
+4.  You try to commit:
+    ```bash
+    git commit -m "Add new config"
+    ```
+5.  `api-key-guard` will detect the leak, prevent the commit, and display a warning:
+    ```
+    🚨 api-key-guard: Potential API key leak detected in staged files! 🚨
+    Path: src/config.js
+    Line 2: const API_KEY = "sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
+    
+    Commit aborted. Please remove or secure the sensitive information.
+    If you need to bypass, use 'git commit --no-verify'.
+    ```
+
+To bypass the hook for a single commit (use with extreme caution!):
+
+```bash
+git commit -m "Temporary commit, will fix secrets later" --no-verify
+```
+
+## ⚙️ Configuration
+
+`api-key-guard` can be configured using a `api-key-guard.config.json` file at the root of your project. This allows you to define custom rules, ignore patterns, and scanner settings.
+
+**Example `api-key-guard.config.json`:**
+
+```json
+{
+  "scanPaths": [
+    "src/",
+    "config/",
+    "server/"
+  ],
+  "ignorePatterns": [
+    "node_modules/**",
+    "dist/**",
+    "*.min.js",
+    "*.log",
+    "testdata/**"
+  ],
+  "ignoreFiles": [
+    ".gitignore",
+    ".dockerignore"
+  ],
+  "includeFileTypes": [
+    "*.js",
+    "*.ts",
+    "*.env",
+    "*.json",
+    "*.yaml",
+    "*.yml"
+  ],
+  "excludeFileTypes": [
+    "*.lock",
+    "package-lock.json"
+  ],
+  "customRules": [
+    {
+      "name": "Custom-API-Key",
+      "regex": "MY_CUSTOM_API_KEY_[a-zA-Z0-9]{32,64}",
+      "description": "Detects specific internal API keys."
+    }
+  ],
+  "failOnLeak": true,
+  "verbose": false
+}
+```
+
+*   **`scanPaths`**: An array of glob patterns for directories or files to explicitly scan. If empty, the current directory (`.`) is scanned.
+*   **`ignorePatterns`**: An array of glob patterns for files or directories to ignore during scanning.
+*   **`ignoreFiles`**: An array of filenames (e.g., `.gitignore`) whose contents will be used as additional ignore patterns.
+*   **`includeFileTypes`**: An array of glob patterns for file types to explicitly include. If specified, only these types will be scanned.
+*   **`excludeFileTypes`**: An array of glob patterns for file types to explicitly exclude.
+*   **`customRules`**: An array of custom regex rules for detecting specific patterns. Each rule should have a `name`, `regex`, and `description`.
+*   **`failOnLeak`**: Boolean. If `true`, the CLI will exit with a non-zero code if any leaks are found.
+*   **`verbose`**: Boolean. If `true`, more detailed output will be provided.
+
+## 🔒 Security Best Practices
+
+While `api-key-guard` is a powerful tool, it's part of a broader security strategy. Always adhere to these best practices:
+
+*   **🚫 Never Hardcode Secrets:** The golden rule. Avoid placing API keys, passwords, or sensitive tokens directly in your code.
+*   **🌳 Use Environment Variables:** For development and deployment, load secrets from environment variables (e.g., using `.env` files locally and proper environment variable injection in production).
+*   **🔐 Employ Secret Management Services:** For production environments, utilize dedicated secret management services like AWS Secrets Manager, Azure Key Vault, Google Secret Manager, HashiCorp Vault, or similar.
+*   **🔑 Implement Least Privilege:** Grant API keys only the minimum necessary permissions required for their function.
+*   **🔄 Rotate Keys Regularly:** Periodically change your API keys, especially if they are long-lived.
+*   **📚 Educate Your Team:** Ensure all developers understand the risks of secret exposure and the proper procedures for handling sensitive information.
+*   **⚙️ Integrate into CI/CD:** Incorporate `api-key-guard` scans into your Continuous Integration/Continuous Deployment pipelines to catch leaks before deployment.
+
+`api-key-guard` helps you catch mistakes, but proactive secure coding practices are paramount.
+
+## 🛣️ Future Roadmap
+
+We are continuously working to enhance `api-key-guard`. Here are some planned features:
+
+*   **Advanced Entropy Analysis:** Improve detection of generic high-entropy strings that might indicate secrets without specific patterns.
+*   **Machine Learning-Based Detection:** Explore ML models for more intelligent and adaptive secret detection.
+*   **Cloud Provider Integrations:** Direct integrations with AWS, Azure, GCP for scanning cloud-specific credential formats.
+*   **Reporting & Alerting:** Generate detailed reports and integrate with alerting systems (e.g., Slack, email) when leaks are detected in CI/CD.
+*   **Support for More Secret Types:** Expand detection to include private keys, database connection strings, access tokens, etc.
+*   **IDE Extensions:** Develop extensions for popular IDEs (VS Code, IntelliJ) for real-time feedback.
+*   **Web UI for Centralized Management:** A future goal for larger teams to manage configurations and view scan results centrally.
+
+## 🤝 Contributing
+
+We welcome contributions to `api-key-guard`! Whether it's bug reports, feature requests, or code contributions, your help is valuable.
+
+1.  **Report Bugs:** If you find a bug, please open an issue on GitHub, providing detailed steps to reproduce, expected behavior, and actual behavior.
+2.  **Suggest Features:** Have an idea for a new feature or improvement? Open an issue to discuss it.
+3.  **Code Contributions:**
+    *   Fork the repository.
+    *   Create a new branch (`git checkout -b feature/your-feature-name` or `fix/bug-fix-description`).
+    *   Make your changes.
+    *   Write tests for your changes.
+    *   Ensure your code adheres to the project's coding style.
+    *   Commit your changes (`git commit -m "feat: Add new feature"`) using conventional commits.
+    *   Push to your fork (`git push origin feature/your-feature-name`).
+    *   Open a Pull Request to the `main` branch of the original repository.
+
+Please adhere to our Code of Conduct.
+
+## 📄 License
+
+This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
+```

package/bin/cli.js

@@ -5,6 +5,7 @@ const chalk = require('chalk');
 const { generateReadme } = require('../src/readmeGenerator');
 const { scanForApiKeys } = require('../src/scanner');
 const { setupGitHooks } = require('../src/gitHooks');
+const { fixApiKeys } = require('../src/keyFixer');
 
 const program = new Command();
 
@@ -59,4 +60,22 @@ program
     }
   });
 
+// Fix API keys command
+program
+  .command('fix')
+  .description('Automatically replace hardcoded API keys with environment variables')
+  .option('-p, --path <path>', 'Path to scan and fix', '.')
+  .option('-d, --dry-run', 'Preview changes without applying them')
+  .option('-f, --file <file>', 'Fix specific file only')
+  .option('--backup', 'Create backup files before fixing', true)
+  .action(async (options) => {
+    try {
+      console.log(chalk.blue('🔧 Fixing hardcoded API keys...'));
+      await fixApiKeys(options);
+    } catch (error) {
+      console.error(chalk.red('Error fixing keys:', error.message));
+      process.exit(1);
+    }
+  });
+
 program.parse();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "api-key-guard",
-  "version": "1.0.3",
+  "version": "1.1.0",
   "description": "A comprehensive tool to detect, prevent, and manage API key leaks in your codebase with AI-powered README generation",
   "main": "src/index.js",
   "bin": {

package/src/index.js

@@ -1,9 +1,11 @@
 const { scanForApiKeys } = require('./scanner');
 const { setupGitHooks } = require('./gitHooks');
 const { generateReadme } = require('./readmeGenerator');
+const { fixApiKeys } = require('./keyFixer');
 
 module.exports = {
   scanForApiKeys,
   setupGitHooks,
-  generateReadme
+  generateReadme,
+  fixApiKeys
 };

package/src/keyFixer.js

@@ -0,0 +1,406 @@
+const fs = require('fs').promises;
+const path = require('path');
+const chalk = require('chalk');
+const readline = require('readline');
+
+/**
+ * Fix hardcoded API keys by replacing them with environment variables
+ */
+async function fixApiKeys(options = {}) {
+  const scanPath = options.path || '.';
+  const dryRun = options.dryRun || false;
+  const specificFile = options.file;
+  const createBackup = options.backup !== false;
+
+  console.log(chalk.blue(`🔍 Scanning for fixable API keys in ${scanPath}...`));
+
+  const findings = await scanForFixableKeys(scanPath, specificFile);
+  
+  if (findings.length === 0) {
+    console.log(chalk.green('✅ No fixable API keys found!'));
+    return;
+  }
+
+  console.log(chalk.yellow(`📋 Found ${findings.length} fixable API key(s):`));
+  findings.forEach(finding => {
+    console.log(chalk.cyan(`  📄 ${finding.file}:${finding.line}`));
+    console.log(chalk.gray(`     ${finding.originalLine.trim()}`));
+    console.log(chalk.green(`     → ${finding.fixedLine.trim()}`));
+  });
+
+  if (dryRun) {
+    console.log(chalk.blue('\n🔍 Dry run complete. No changes were made.'));
+    console.log(chalk.gray('Run without --dry-run to apply fixes.'));
+    return;
+  }
+
+  const shouldProceed = await promptConfirmation(
+    `\n❓ Apply these ${findings.length} fixes? (y/N): `
+  );
+
+  if (!shouldProceed) {
+    console.log(chalk.yellow('Operation cancelled.'));
+    return;
+  }
+
+  console.log(chalk.blue('🔧 Applying fixes...'));
+  
+  const results = await applyFixes(findings, createBackup);
+  await updateEnvironmentFiles(results.envVars);
+  await updateGitignore();
+
+  console.log(chalk.green(`✅ Successfully fixed ${results.fixedCount} API keys!`));
+  console.log(chalk.blue(`📝 Updated ${results.filesModified} file(s)`));
+  console.log(chalk.blue(`🔐 Added ${results.envVars.length} environment variable(s)`));
+  
+  if (createBackup) {
+    console.log(chalk.gray(`💾 Backup files created with .backup extension`));
+  }
+  
+  console.log(chalk.yellow('\n⚠️  Next steps:'));
+  console.log(chalk.yellow('   1. Review the generated .env file'));
+  console.log(chalk.yellow('   2. Add .env to your .gitignore (done automatically)'));
+  console.log(chalk.yellow('   3. Update your deployment with the new environment variables'));
+}
+
+/**
+ * Scan for API keys that can be automatically fixed
+ */
+async function scanForFixableKeys(scanPath, specificFile) {
+  const findings = [];
+  
+  // Key patterns that can be fixed automatically
+  const fixablePatterns = [
+    {
+      name: 'JavaScript/TypeScript API Key Assignment',
+      pattern: /^(\s*)(const|let|var)\s+(\w+)\s*=\s*['"`]([A-Za-z0-9_\-]{20,})['"`]/gm,
+      language: 'javascript',
+      envVarNamer: (varName) => varName.replace(/([a-z])([A-Z])/g, '$1_$2').toUpperCase()
+    },
+    {
+      name: 'Python API Key Assignment',
+      pattern: /^(\s*)(\w+)\s*=\s*['"`]([A-Za-z0-9_\-]{20,})['"`]/gm,
+      language: 'python',
+      envVarNamer: (varName) => varName.replace(/([a-z])([A-Z])/g, '$1_$2').upper()
+    },
+    {
+      name: 'JSON Configuration',
+      pattern: /"(\w*[Kk]ey\w*|token|secret)"\s*:\s*"([A-Za-z0-9_\-]{20,})"/gm,
+      language: 'json',
+      envVarNamer: (keyName) => keyName.replace(/([a-z])([A-Z])/g, '$1_$2').toUpperCase()
+    }
+  ];
+
+  const files = specificFile ? [specificFile] : await getFilesRecursively(scanPath);
+  
+  for (const file of files) {
+    try {
+      const content = await fs.readFile(file, 'utf8');
+      const lines = content.split('\n');
+      
+      for (const patternConfig of fixablePatterns) {
+        let match;
+        patternConfig.pattern.lastIndex = 0; // Reset regex
+        
+        while ((match = patternConfig.pattern.exec(content)) !== null) {
+          const lineNumber = content.substring(0, match.index).split('\n').length;
+          const originalLine = lines[lineNumber - 1];
+          
+          let envVarName, fixedLine;
+          
+          if (patternConfig.language === 'javascript') {
+            const [, indent, declaration, varName, keyValue] = match;
+            envVarName = patternConfig.envVarNamer(varName);
+            fixedLine = `${indent}${declaration} ${varName} = process.env.${envVarName}`;
+          } else if (patternConfig.language === 'python') {
+            const [, indent, varName, keyValue] = match;
+            envVarName = patternConfig.envVarNamer(varName);
+            fixedLine = `${indent}${varName} = os.getenv('${envVarName}')`;
+          } else if (patternConfig.language === 'json') {
+            const [fullMatch, keyName, keyValue] = match;
+            envVarName = patternConfig.envVarNamer(keyName);
+            // For JSON, we might suggest moving to a config loader
+            fixedLine = `"${keyName}": "${process.env.${envVarName} || 'YOUR_${envVarName}_HERE'}"`;
+          }
+          
+          // Only include keys that look like real API keys
+          const keyValue = patternConfig.language === 'json' ? match[2] : 
+                          patternConfig.language === 'python' ? match[3] : match[4];
+          
+          if (looksLikeApiKey(keyValue)) {
+            findings.push({
+              file: path.relative(process.cwd(), file),
+              line: lineNumber,
+              originalLine,
+              fixedLine,
+              envVarName,
+              keyValue,
+              language: patternConfig.language,
+              pattern: patternConfig.name
+            });
+          }
+        }
+      }
+    } catch (error) {
+      // Skip files we can't read
+      continue;
+    }
+  }
+  
+  return findings;
+}
+
+/**
+ * Apply the fixes to files
+ */
+async function applyFixes(findings, createBackup) {
+  const results = {
+    fixedCount: 0,
+    filesModified: 0,
+    envVars: []
+  };
+  
+  const fileGroups = groupFindingsByFile(findings);
+  
+  for (const [filePath, fileFindings] of Object.entries(fileGroups)) {
+    try {
+      const fullPath = path.resolve(filePath);
+      const content = await fs.readFile(fullPath, 'utf8');
+      const lines = content.split('\n');
+      
+      // Create backup if requested
+      if (createBackup) {
+        await fs.writeFile(`${fullPath}.backup`, content, 'utf8');
+      }
+      
+      // Apply fixes (in reverse order to maintain line numbers)
+      const sortedFindings = fileFindings.sort((a, b) => b.line - a.line);
+      
+      for (const finding of sortedFindings) {
+        lines[finding.line - 1] = finding.fixedLine;
+        results.fixedCount++;
+        
+        // Collect environment variables
+        results.envVars.push({
+          name: finding.envVarName,
+          value: finding.keyValue,
+          comment: `# ${finding.pattern} from ${finding.file}:${finding.line}`
+        });
+      }
+      
+      // Write the fixed content
+      await fs.writeFile(fullPath, lines.join('\n'), 'utf8');
+      results.filesModified++;
+      
+    } catch (error) {
+      console.error(chalk.red(`Error fixing ${filePath}: ${error.message}`));
+    }
+  }
+  
+  return results;
+}
+
+/**
+ * Update or create environment files
+ */
+async function updateEnvironmentFiles(envVars) {
+  const envPath = path.join(process.cwd(), '.env');
+  const envExamplePath = path.join(process.cwd(), '.env.example');
+  
+  // Read existing .env file if it exists
+  let existingEnvContent = '';
+  try {
+    existingEnvContent = await fs.readFile(envPath, 'utf8');
+  } catch (error) {
+    // File doesn't exist, will create new
+  }
+  
+  // Prepare new environment variables
+  const newEnvLines = [];
+  const exampleLines = [];
+  
+  for (const envVar of envVars) {
+    // Only add if not already in .env file
+    if (!existingEnvContent.includes(`${envVar.name}=`)) {
+      newEnvLines.push('');
+      newEnvLines.push(envVar.comment);
+      newEnvLines.push(`${envVar.name}=${envVar.value}`);
+      
+      // Add to example file (without real values)
+      exampleLines.push('');
+      exampleLines.push(envVar.comment);
+      exampleLines.push(`${envVar.name}=your_${envVar.name.toLowerCase()}_here`);
+    }
+  }
+  
+  if (newEnvLines.length > 0) {
+    // Append to .env file
+    const updatedContent = existingEnvContent + '\n# Added by api-key-guard fix command' + newEnvLines.join('\n') + '\n';
+    await fs.writeFile(envPath, updatedContent, 'utf8');
+    
+    // Create/update .env.example
+    let exampleContent = '';
+    try {
+      exampleContent = await fs.readFile(envExamplePath, 'utf8');
+    } catch (error) {
+      exampleContent = '# Environment variables template\n# Copy to .env and fill with real values\n';
+    }
+    
+    const updatedExampleContent = exampleContent + '\n# Added by api-key-guard fix command' + exampleLines.join('\n') + '\n';
+    await fs.writeFile(envExamplePath, updatedExampleContent, 'utf8');
+  }
+}
+
+/**
+ * Update .gitignore to include .env
+ */
+async function updateGitignore() {
+  const gitignorePath = path.join(process.cwd(), '.gitignore');
+  
+  try {
+    let gitignoreContent = '';
+    try {
+      gitignoreContent = await fs.readFile(gitignorePath, 'utf8');
+    } catch (error) {
+      // File doesn't exist, create new
+      gitignoreContent = '';
+    }
+    
+    // Check if .env is already ignored
+    if (!gitignoreContent.includes('.env') || !gitignoreContent.includes('*.env')) {
+      const envIgnoreRules = [
+        '\n# Environment variables (added by api-key-guard)',
+        '.env',
+        '.env.local',
+        '.env.*.local',
+        '*.env\n'
+      ];
+      
+      const updatedContent = gitignoreContent + envIgnoreRules.join('\n');
+      await fs.writeFile(gitignorePath, updatedContent, 'utf8');
+    }
+  } catch (error) {
+    console.warn(chalk.yellow('Warning: Could not update .gitignore'));
+  }
+}
+
+/**
+ * Check if a string looks like a real API key
+ */
+function looksLikeApiKey(str) {
+  // Basic heuristics for API keys
+  const minLength = 20;
+  const hasLettersAndNumbers = /[a-zA-Z]/.test(str) && /[0-9]/.test(str);
+  const notCommonWords = !['example', 'test', 'demo', 'sample', 'placeholder', 'your'].some(word => 
+    str.toLowerCase().includes(word));
+  
+  return str.length >= minLength && hasLettersAndNumbers && notCommonWords;
+}
+
+/**
+ * Group findings by file path
+ */
+function groupFindingsByFile(findings) {
+  const groups = {};
+  for (const finding of findings) {
+    if (!groups[finding.file]) {
+      groups[finding.file] = [];
+    }
+    groups[finding.file].push(finding);
+  }
+  return groups;
+}
+
+/**
+ * Get all files recursively, respecting ignore patterns
+ */
+async function getFilesRecursively(dir, ignorePatterns = []) {
+  let files = [];
+  
+  const defaultIgnores = [
+    'node_modules', '.git', 'dist', 'build', '.next', 'coverage',
+    '*.min.js', '*.bundle.js', 'package-lock.json', 'yarn.lock'
+  ];
+  
+  const allIgnores = [...defaultIgnores, ...ignorePatterns];
+  
+  try {
+    const entries = await fs.readdir(dir, { withFileTypes: true });
+    
+    for (const entry of entries) {
+      const fullPath = path.join(dir, entry.name);
+      
+      // Check if should be ignored
+      if (shouldIgnore(entry.name, fullPath, allIgnores)) {
+        continue;
+      }
+      
+      if (entry.isDirectory()) {
+        files = files.concat(await getFilesRecursively(fullPath, ignorePatterns));
+      } else {
+        // Only scan text files that might contain code
+        if (isCodeFile(entry.name)) {
+          files.push(fullPath);
+        }
+      }
+    }
+  } catch (error) {
+    // Skip directories we can't read
+  }
+  
+  return files;
+}
+
+/**
+ * Check if file should be ignored
+ */
+function shouldIgnore(name, fullPath, ignorePatterns) {
+  for (const pattern of ignorePatterns) {
+    if (pattern.includes('*')) {
+      const regex = new RegExp(pattern.replace(/\*/g, '.*'));
+      if (regex.test(name)) {
+        return true;
+      }
+    } else {
+      if (name === pattern || fullPath.includes(pattern)) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+
+/**
+ * Check if file is a code file that might contain API keys
+ */
+function isCodeFile(filename) {
+  const codeExtensions = [
+    '.js', '.ts', '.jsx', '.tsx', '.py', '.java', '.go', '.php', '.rb', 
+    '.cs', '.cpp', '.c', '.h', '.rs', '.swift', '.kt', '.scala',
+    '.json', '.yml', '.yaml', '.xml', '.env', '.config', '.conf'
+  ];
+  
+  const ext = path.extname(filename).toLowerCase();
+  return codeExtensions.includes(ext) || !ext; // Include files without extensions
+}
+
+/**
+ * Prompt user for confirmation
+ */
+function promptConfirmation(question) {
+  return new Promise((resolve) => {
+    const rl = readline.createInterface({
+      input: process.stdin,
+      output: process.stdout
+    });
+
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer.toLowerCase() === 'y' || answer.toLowerCase() === 'yes');
+    });
+  });
+}
+
+module.exports = {
+  fixApiKeys
+};

package/src/readmeGenerator.js

@@ -108,7 +108,7 @@ async function generateWithGemini(apiKey, projectContext) {
           temperature: 0.7,
           topK: 40,
           topP: 0.95,
-          maxOutputTokens: 2048,
+          maxOutputTokens: 8192,
         },
         safetySettings: [
           {