api-key-guard 1.0.5 → 1.1.1

package/README.md

@@ -35,7 +35,8 @@ API key leaks in code repositories are a critical security vulnerability that ca
 ## ✨ Features
 
 - 🔍 **Smart Detection**: Advanced regex patterns detect AWS keys, GitHub tokens, Google API keys, and more
-- 🔒 **Git Hooks Integration**: Automatic pre-commit scanning to prevent leaks
+- � **Auto-Fix Keys**: Automatically replace hardcoded keys with environment variables
+- �🔒 **Git Hooks Integration**: Automatic pre-commit scanning to prevent leaks
 - 🤖 **AI-Powered README**: Generate professional documentation using Google's Gemini API
 - ⚡ **Fast Scanning**: Efficient file parsing with configurable ignore patterns
 - 🌈 **Clear Output**: Color-coded results with detailed reporting
@@ -55,6 +56,21 @@ api-key-guard scan --path ./src
 api-key-guard scan --verbose
 ```
 
+### Fix Hardcoded Keys
+```bash
+# Automatically fix hardcoded API keys
+api-key-guard fix
+
+# Preview fixes without applying
+api-key-guard fix --dry-run
+
+# Fix specific file only
+api-key-guard fix --file src/config.js
+
+# Fix without creating backups
+api-key-guard fix --no-backup
+```
+
 ### Git Hooks Setup
 ```bash
 # Install pre-commit hook
@@ -173,6 +189,26 @@ api-key-guard scan --verbose
 #      Pattern: sk-1234567890abcdef...
 ```
 
+**Automatic Key Fixing:**
+```bash
+api-key-guard fix --dry-run
+# 📋 Found 3 fixable API key(s):
+#   📄 src/config.js:15
+#     const apiKey = "sk-1234567890abcdef"
+#     → const apiKey = process.env.API_KEY
+#   
+#   📄 src/auth.js:8
+#     const token = "ghp_abcdefghijklmnop"
+#     → const token = process.env.GITHUB_TOKEN
+
+# Apply fixes
+api-key-guard fix
+# 🔧 Applying fixes...
+# ✅ Successfully fixed 3 API keys!
+# 📝 Updated 2 file(s)
+# 🔐 Added 3 environment variable(s)
+```
+
 ## 🤝 Contributing
 
 1. Fork the repository

package/bin/cli.js

@@ -5,6 +5,7 @@ const chalk = require('chalk');
 const { generateReadme } = require('../src/readmeGenerator');
 const { scanForApiKeys } = require('../src/scanner');
 const { setupGitHooks } = require('../src/gitHooks');
+const { fixApiKeys } = require('../src/keyFixer');
 
 const program = new Command();
 
@@ -59,4 +60,22 @@ program
     }
   });
 
+// Fix API keys command
+program
+  .command('fix')
+  .description('Automatically replace hardcoded API keys with environment variables')
+  .option('-p, --path <path>', 'Path to scan and fix', '.')
+  .option('-d, --dry-run', 'Preview changes without applying them')
+  .option('-f, --file <file>', 'Fix specific file only')
+  .option('--backup', 'Create backup files before fixing', true)
+  .action(async (options) => {
+    try {
+      console.log(chalk.blue('🔧 Fixing hardcoded API keys...'));
+      await fixApiKeys(options);
+    } catch (error) {
+      console.error(chalk.red('Error fixing keys:', error.message));
+      process.exit(1);
+    }
+  });
+
 program.parse();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "api-key-guard",
-  "version": "1.0.5",
+  "version": "1.1.1",
   "description": "A comprehensive tool to detect, prevent, and manage API key leaks in your codebase with AI-powered README generation",
   "main": "src/index.js",
   "bin": {

package/src/index.js

@@ -1,9 +1,11 @@
 const { scanForApiKeys } = require('./scanner');
 const { setupGitHooks } = require('./gitHooks');
 const { generateReadme } = require('./readmeGenerator');
+const { fixApiKeys } = require('./keyFixer');
 
 module.exports = {
   scanForApiKeys,
   setupGitHooks,
-  generateReadme
+  generateReadme,
+  fixApiKeys
 };

package/src/keyFixer.js

@@ -0,0 +1,406 @@
+const fs = require('fs').promises;
+const path = require('path');
+const chalk = require('chalk');
+const readline = require('readline');
+
+/**
+ * Fix hardcoded API keys by replacing them with environment variables
+ */
+async function fixApiKeys(options = {}) {
+  const scanPath = options.path || '.';
+  const dryRun = options.dryRun || false;
+  const specificFile = options.file;
+  const createBackup = options.backup !== false;
+
+  console.log(chalk.blue(`🔍 Scanning for fixable API keys in ${scanPath}...`));
+
+  const findings = await scanForFixableKeys(scanPath, specificFile);
+  
+  if (findings.length === 0) {
+    console.log(chalk.green('✅ No fixable API keys found!'));
+    return;
+  }
+
+  console.log(chalk.yellow(`📋 Found ${findings.length} fixable API key(s):`));
+  findings.forEach(finding => {
+    console.log(chalk.cyan(`  📄 ${finding.file}:${finding.line}`));
+    console.log(chalk.gray(`     ${finding.originalLine.trim()}`));
+    console.log(chalk.green(`     → ${finding.fixedLine.trim()}`));
+  });
+
+  if (dryRun) {
+    console.log(chalk.blue('\n🔍 Dry run complete. No changes were made.'));
+    console.log(chalk.gray('Run without --dry-run to apply fixes.'));
+    return;
+  }
+
+  const shouldProceed = await promptConfirmation(
+    `\n❓ Apply these ${findings.length} fixes? (y/N): `
+  );
+
+  if (!shouldProceed) {
+    console.log(chalk.yellow('Operation cancelled.'));
+    return;
+  }
+
+  console.log(chalk.blue('🔧 Applying fixes...'));
+  
+  const results = await applyFixes(findings, createBackup);
+  await updateEnvironmentFiles(results.envVars);
+  await updateGitignore();
+
+  console.log(chalk.green(`✅ Successfully fixed ${results.fixedCount} API keys!`));
+  console.log(chalk.blue(`📝 Updated ${results.filesModified} file(s)`));
+  console.log(chalk.blue(`🔐 Added ${results.envVars.length} environment variable(s)`));
+  
+  if (createBackup) {
+    console.log(chalk.gray(`💾 Backup files created with .backup extension`));
+  }
+  
+  console.log(chalk.yellow('\n⚠️  Next steps:'));
+  console.log(chalk.yellow('   1. Review the generated .env file'));
+  console.log(chalk.yellow('   2. Add .env to your .gitignore (done automatically)'));
+  console.log(chalk.yellow('   3. Update your deployment with the new environment variables'));
+}
+
+/**
+ * Scan for API keys that can be automatically fixed
+ */
+async function scanForFixableKeys(scanPath, specificFile) {
+  const findings = [];
+  
+  // Key patterns that can be fixed automatically
+  const fixablePatterns = [
+    {
+      name: 'JavaScript/TypeScript API Key Assignment',
+      pattern: /^(\s*)(const|let|var)\s+(\w+)\s*=\s*['"`]([A-Za-z0-9_\-]{20,})['"`]/gm,
+      language: 'javascript',
+      envVarNamer: (varName) => varName.replace(/([a-z])([A-Z])/g, '$1_$2').toUpperCase()
+    },
+    {
+      name: 'Python API Key Assignment',
+      pattern: /^(\s*)(\w+)\s*=\s*['"`]([A-Za-z0-9_\-]{20,})['"`]/gm,
+      language: 'python',
+      envVarNamer: (varName) => varName.replace(/([a-z])([A-Z])/g, '$1_$2').upper()
+    },
+    {
+      name: 'JSON Configuration',
+      pattern: /"(\w*[Kk]ey\w*|token|secret)"\s*:\s*"([A-Za-z0-9_\-]{20,})"/gm,
+      language: 'json',
+      envVarNamer: (keyName) => keyName.replace(/([a-z])([A-Z])/g, '$1_$2').toUpperCase()
+    }
+  ];
+
+  const files = specificFile ? [specificFile] : await getFilesRecursively(scanPath);
+  
+  for (const file of files) {
+    try {
+      const content = await fs.readFile(file, 'utf8');
+      const lines = content.split('\n');
+      
+      for (const patternConfig of fixablePatterns) {
+        let match;
+        patternConfig.pattern.lastIndex = 0; // Reset regex
+        
+        while ((match = patternConfig.pattern.exec(content)) !== null) {
+          const lineNumber = content.substring(0, match.index).split('\n').length;
+          const originalLine = lines[lineNumber - 1];
+          
+          let envVarName, fixedLine;
+          
+          if (patternConfig.language === 'javascript') {
+            const [, indent, declaration, varName, keyValue] = match;
+            envVarName = patternConfig.envVarNamer(varName);
+            fixedLine = `${indent}${declaration} ${varName} = process.env.${envVarName}`;
+          } else if (patternConfig.language === 'python') {
+            const [, indent, varName, keyValue] = match;
+            envVarName = patternConfig.envVarNamer(varName);
+            fixedLine = `${indent}${varName} = os.getenv('${envVarName}')`;
+          } else if (patternConfig.language === 'json') {
+            const [fullMatch, keyName, keyValue] = match;
+            envVarName = patternConfig.envVarNamer(keyName);
+            // For JSON, we might suggest moving to a config loader
+            fixedLine = `"${keyName}": "\\$\\{process.env.${envVarName} || 'YOUR_${envVarName}_HERE'\\}"`;
+          }
+          
+          // Only include keys that look like real API keys
+          const keyValue = patternConfig.language === 'json' ? match[2] : 
+                          patternConfig.language === 'python' ? match[3] : match[4];
+          
+          if (looksLikeApiKey(keyValue)) {
+            findings.push({
+              file: path.relative(process.cwd(), file),
+              line: lineNumber,
+              originalLine,
+              fixedLine,
+              envVarName,
+              keyValue,
+              language: patternConfig.language,
+              pattern: patternConfig.name
+            });
+          }
+        }
+      }
+    } catch (error) {
+      // Skip files we can't read
+      continue;
+    }
+  }
+  
+  return findings;
+}
+
+/**
+ * Apply the fixes to files
+ */
+async function applyFixes(findings, createBackup) {
+  const results = {
+    fixedCount: 0,
+    filesModified: 0,
+    envVars: []
+  };
+  
+  const fileGroups = groupFindingsByFile(findings);
+  
+  for (const [filePath, fileFindings] of Object.entries(fileGroups)) {
+    try {
+      const fullPath = path.resolve(filePath);
+      const content = await fs.readFile(fullPath, 'utf8');
+      const lines = content.split('\n');
+      
+      // Create backup if requested
+      if (createBackup) {
+        await fs.writeFile(`${fullPath}.backup`, content, 'utf8');
+      }
+      
+      // Apply fixes (in reverse order to maintain line numbers)
+      const sortedFindings = fileFindings.sort((a, b) => b.line - a.line);
+      
+      for (const finding of sortedFindings) {
+        lines[finding.line - 1] = finding.fixedLine;
+        results.fixedCount++;
+        
+        // Collect environment variables
+        results.envVars.push({
+          name: finding.envVarName,
+          value: finding.keyValue,
+          comment: `# ${finding.pattern} from ${finding.file}:${finding.line}`
+        });
+      }
+      
+      // Write the fixed content
+      await fs.writeFile(fullPath, lines.join('\n'), 'utf8');
+      results.filesModified++;
+      
+    } catch (error) {
+      console.error(chalk.red(`Error fixing ${filePath}: ${error.message}`));
+    }
+  }
+  
+  return results;
+}
+
+/**
+ * Update or create environment files
+ */
+async function updateEnvironmentFiles(envVars) {
+  const envPath = path.join(process.cwd(), '.env');
+  const envExamplePath = path.join(process.cwd(), '.env.example');
+  
+  // Read existing .env file if it exists
+  let existingEnvContent = '';
+  try {
+    existingEnvContent = await fs.readFile(envPath, 'utf8');
+  } catch (error) {
+    // File doesn't exist, will create new
+  }
+  
+  // Prepare new environment variables
+  const newEnvLines = [];
+  const exampleLines = [];
+  
+  for (const envVar of envVars) {
+    // Only add if not already in .env file
+    if (!existingEnvContent.includes(`${envVar.name}=`)) {
+      newEnvLines.push('');
+      newEnvLines.push(envVar.comment);
+      newEnvLines.push(`${envVar.name}=${envVar.value}`);
+      
+      // Add to example file (without real values)
+      exampleLines.push('');
+      exampleLines.push(envVar.comment);
+      exampleLines.push(`${envVar.name}=your_${envVar.name.toLowerCase()}_here`);
+    }
+  }
+  
+  if (newEnvLines.length > 0) {
+    // Append to .env file
+    const updatedContent = existingEnvContent + '\n# Added by api-key-guard fix command' + newEnvLines.join('\n') + '\n';
+    await fs.writeFile(envPath, updatedContent, 'utf8');
+    
+    // Create/update .env.example
+    let exampleContent = '';
+    try {
+      exampleContent = await fs.readFile(envExamplePath, 'utf8');
+    } catch (error) {
+      exampleContent = '# Environment variables template\n# Copy to .env and fill with real values\n';
+    }
+    
+    const updatedExampleContent = exampleContent + '\n# Added by api-key-guard fix command' + exampleLines.join('\n') + '\n';
+    await fs.writeFile(envExamplePath, updatedExampleContent, 'utf8');
+  }
+}
+
+/**
+ * Update .gitignore to include .env
+ */
+async function updateGitignore() {
+  const gitignorePath = path.join(process.cwd(), '.gitignore');
+  
+  try {
+    let gitignoreContent = '';
+    try {
+      gitignoreContent = await fs.readFile(gitignorePath, 'utf8');
+    } catch (error) {
+      // File doesn't exist, create new
+      gitignoreContent = '';
+    }
+    
+    // Check if .env is already ignored
+    if (!gitignoreContent.includes('.env') || !gitignoreContent.includes('*.env')) {
+      const envIgnoreRules = [
+        '\n# Environment variables (added by api-key-guard)',
+        '.env',
+        '.env.local',
+        '.env.*.local',
+        '*.env\n'
+      ];
+      
+      const updatedContent = gitignoreContent + envIgnoreRules.join('\n');
+      await fs.writeFile(gitignorePath, updatedContent, 'utf8');
+    }
+  } catch (error) {
+    console.warn(chalk.yellow('Warning: Could not update .gitignore'));
+  }
+}
+
+/**
+ * Check if a string looks like a real API key
+ */
+function looksLikeApiKey(str) {
+  // Basic heuristics for API keys
+  const minLength = 20;
+  const hasLettersAndNumbers = /[a-zA-Z]/.test(str) && /[0-9]/.test(str);
+  const notCommonWords = !['example', 'test', 'demo', 'sample', 'placeholder', 'your'].some(word => 
+    str.toLowerCase().includes(word));
+  
+  return str.length >= minLength && hasLettersAndNumbers && notCommonWords;
+}
+
+/**
+ * Group findings by file path
+ */
+function groupFindingsByFile(findings) {
+  const groups = {};
+  for (const finding of findings) {
+    if (!groups[finding.file]) {
+      groups[finding.file] = [];
+    }
+    groups[finding.file].push(finding);
+  }
+  return groups;
+}
+
+/**
+ * Get all files recursively, respecting ignore patterns
+ */
+async function getFilesRecursively(dir, ignorePatterns = []) {
+  let files = [];
+  
+  const defaultIgnores = [
+    'node_modules', '.git', 'dist', 'build', '.next', 'coverage',
+    '*.min.js', '*.bundle.js', 'package-lock.json', 'yarn.lock'
+  ];
+  
+  const allIgnores = [...defaultIgnores, ...ignorePatterns];
+  
+  try {
+    const entries = await fs.readdir(dir, { withFileTypes: true });
+    
+    for (const entry of entries) {
+      const fullPath = path.join(dir, entry.name);
+      
+      // Check if should be ignored
+      if (shouldIgnore(entry.name, fullPath, allIgnores)) {
+        continue;
+      }
+      
+      if (entry.isDirectory()) {
+        files = files.concat(await getFilesRecursively(fullPath, ignorePatterns));
+      } else {
+        // Only scan text files that might contain code
+        if (isCodeFile(entry.name)) {
+          files.push(fullPath);
+        }
+      }
+    }
+  } catch (error) {
+    // Skip directories we can't read
+  }
+  
+  return files;
+}
+
+/**
+ * Check if file should be ignored
+ */
+function shouldIgnore(name, fullPath, ignorePatterns) {
+  for (const pattern of ignorePatterns) {
+    if (pattern.includes('*')) {
+      const regex = new RegExp(pattern.replace(/\*/g, '.*'));
+      if (regex.test(name)) {
+        return true;
+      }
+    } else {
+      if (name === pattern || fullPath.includes(pattern)) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+
+/**
+ * Check if file is a code file that might contain API keys
+ */
+function isCodeFile(filename) {
+  const codeExtensions = [
+    '.js', '.ts', '.jsx', '.tsx', '.py', '.java', '.go', '.php', '.rb', 
+    '.cs', '.cpp', '.c', '.h', '.rs', '.swift', '.kt', '.scala',
+    '.json', '.yml', '.yaml', '.xml', '.env', '.config', '.conf'
+  ];
+  
+  const ext = path.extname(filename).toLowerCase();
+  return codeExtensions.includes(ext) || !ext; // Include files without extensions
+}
+
+/**
+ * Prompt user for confirmation
+ */
+function promptConfirmation(question) {
+  return new Promise((resolve) => {
+    const rl = readline.createInterface({
+      input: process.stdin,
+      output: process.stdout
+    });
+
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer.toLowerCase() === 'y' || answer.toLowerCase() === 'yes');
+    });
+  });
+}
+
+module.exports = {
+  fixApiKeys
+};