dotenv-diff 2.4.7 → 2.4.8

package/dist/src/core/scan/secretDetectors.d.ts

@@ -0,0 +1,28 @@
+export type SecretSeverity = 'high' | 'medium' | 'low';
+export type SecretFinding = {
+    file: string;
+    line: number;
+    kind: 'pattern' | 'entropy';
+    message: string;
+    snippet: string;
+    severity: SecretSeverity;
+};
+export declare const SUSPICIOUS_KEYS: RegExp;
+export declare const PROVIDER_PATTERNS: RegExp[];
+/**
+ * Checks if a line has an ignore comment
+ * fx: // dotenv-diff-ignore or /* dotenv-diff-ignore *\/ or <!-- dotenv-diff-ignore -->
+ * @param line - The line to check
+ * @returns True if the line should be ignored
+ */
+export declare function hasIgnoreComment(line: string): boolean;
+/**
+ * Detects secrets in the source code of a file.
+ * @param file - The file path to check.
+ * @param source - The source code to scan for secrets.
+ * @returns An array of secret findings.
+ */
+export declare function detectSecretsInSource(file: string, source: string, opts?: {
+    ignoreUrls?: string[];
+}): SecretFinding[];
+//# sourceMappingURL=secretDetectors.d.ts.map

package/dist/src/core/scan/secretDetectors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secretDetectors.d.ts","sourceRoot":"","sources":["../../../../src/core/scan/secretDetectors.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,cAAc,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAGvD,MAAM,MAAM,aAAa,GAAG;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,SAAS,GAAG,SAAS,CAAC;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,cAAc,CAAC;CAC1B,CAAC;AAGF,eAAO,MAAM,eAAe,QAC6E,CAAC;AAG1G,eAAO,MAAM,iBAAiB,EAAE,MAAM,EAYrC,CAAC;AAiEF;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAUtD;AAmGD;;;;;GAKG;AACH,wBAAgB,qBAAqB,CACnC,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,EACd,IAAI,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,GAC/B,aAAa,EAAE,CA4HjB"}

package/dist/src/core/scan/secretDetectors.js

@@ -0,0 +1,272 @@
+import { shannonEntropyNormalized } from '../entropy.js';
+// Regular expressions for detecting suspicious keys and provider patterns
+export const SUSPICIOUS_KEYS = /\b(pass(word)?|secret|token|apikey|api_key|key|auth|bearer|private|client_secret|access[_-]?token)\b/i;
+// Regular expressions for detecting provider patterns
+export const PROVIDER_PATTERNS = [
+    /\bAKIA[0-9A-Z]{16}\b/, // AWS access key id
+    /\bASIA[0-9A-Z]{16}\b/, // AWS temp key
+    /\bghp_[0-9A-Za-z]{30,}\b/, // GitHub token
+    /\bsk_live_[0-9a-zA-Z]{24,}\b/, // Stripe live secret
+    /\bsk_test_[0-9a-zA-Z]{24,}\b/, // Stripe test secret
+    /\bAIza[0-9A-Za-z\-_]{20,}\b/, // Google API key
+    /\bya29\.[0-9A-Za-z\-_]+\b/, // Google OAuth access token
+    /\b[A-Za-z0-9_-]{21}:[A-Za-z0-9_-]{140}\b/, // Firebase token
+    /\b0x[a-fA-F0-9]{40}\b/, // Ethereum address
+    /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/, // JWT token
+    /\bAC[0-9a-fA-F]{32}\b/, // Twilio Account SID
+];
+const LONG_LITERAL = /["'`]{1}([A-Za-z0-9+/_\-]{24,})["'`]{1}/g;
+const HTTPS_PATTERN = /["'`](https?:\/\/(?!localhost)[^"'`]*)["'`]/g;
+// List of harmless URL patterns to ignore
+const HARMLESS_URLS = [
+    /https?:\/\/(www\.)?placeholder\.com/i,
+    /https?:\/\/(www\.)?example\.com/i,
+    /https?:\/\/127\.0\.0\.1(:\d+)?/i,
+    /http:\/\/www\.w3\.org\/2000\/svg/i,
+    /xmlns=["']http:\/\/www\.w3\.org\/2000\/svg["']/i, // SVG namespace
+];
+// Known harmless attribute keys commonly used in UI / analytics
+const HARMLESS_ATTRIBUTE_KEYS = /\b(trackingId|trackingContext|data-testid|data-test|aria-label)\b/i;
+/**
+ * Determines the severity of a secret finding.
+ * @param kind 'pattern' | 'entropy'
+ * @param message The message describing the finding
+ * @param literalLength The length of the literal string (if applicable)
+ * @returns The severity level of the secret finding
+ */
+function determineSeverity(kind, message, literalLength) {
+    // HIGH: Known provider key patterns
+    if (message.includes('known provider key pattern')) {
+        return 'high';
+    }
+    // HIGH: Very high-entropy long strings
+    if (kind === 'entropy' && literalLength && literalLength >= 48) {
+        return 'high';
+    }
+    // MEDIUM: Password/secret/token patterns
+    if (message.includes('password/secret/token-like')) {
+        return 'medium';
+    }
+    // MEDIUM: Medium high-entropy strings
+    if (kind === 'entropy' && literalLength && literalLength >= 32) {
+        return 'medium';
+    }
+    // MEDIUM: HTTP URLs
+    if (message.includes('HTTP URL detected')) {
+        return 'medium';
+    }
+    // LOW: HTTPS URLs
+    if (message.includes('HTTPS URL detected')) {
+        return 'low';
+    }
+    // Default to medium if we can't determine
+    return 'medium';
+}
+/**
+ * Checks if a line has an ignore comment
+ * fx: // dotenv-diff-ignore or /* dotenv-diff-ignore *\/ or <!-- dotenv-diff-ignore -->
+ * @param line - The line to check
+ * @returns True if the line should be ignored
+ */
+export function hasIgnoreComment(line) {
+    const normalized = line.trim();
+    // Allow mixed casing, extra spaces, and optional dashes
+    return (/\/\/.*dotenv[\s-]*diff[\s-]*ignore/i.test(normalized) ||
+        /\/\*.*dotenv[\s-]*diff[\s-]*ignore.*\*\//i.test(normalized) ||
+        /<!--.*dotenv[\s-]*diff[\s-]*ignore.*-->/i.test(normalized) ||
+        /\bdotenv[\s-]*diff[\s-]*ignore\b/i.test(normalized));
+}
+/**
+ * Checks if a URL should be ignored based on ignoreUrls from config.
+ * @param url - The URL that might be a potential secret
+ * @param ignoreUrls - List of URLs to ignore (from config)
+ * @returns true if the URL matches any ignore pattern
+ */
+function ignoreUrlsMatch(url, ignoreUrls) {
+    if (!ignoreUrls?.length)
+        return false;
+    // case-insensitive substring match
+    return ignoreUrls.some((pattern) => url.toLowerCase().includes(pattern.toLowerCase()));
+}
+/**
+ * Checks if a string looks like a harmless literal.
+ * @param s - The string to check.
+ * @returns True if the string looks harmless, false otherwise.
+ */
+function looksHarmlessLiteral(s) {
+    return (/\S+@\S+/.test(s) || // emails
+        /^data:[a-z]+\/[a-z0-9.+-]+;base64,/i.test(s) || // data URIs
+        /^\.{0,2}\//.test(s) || // relative paths
+        /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(s) || // UUID
+        /^[0-9a-f]{32,128}$/i.test(s) || // MD5, SHA1, SHA256, etc.
+        /^[A-Za-z0-9+/_\-]{16,20}={0,2}$/.test(s) || // short base64
+        /^[A-Za-z0-9+/_\-]*(_PUBLIC|_PRIVATE|VITE_|NEXT_PUBLIC|VUE_)[A-Za-z0-9+/_\-]*={0,2}$/.test(s) || // env-like keys
+        /^[MmZzLlHhVvCcSsQqTtAa][0-9eE+.\- ,MmZzLlHhVvCcSsQqTtAa]*$/.test(s) || // SVG path data
+        /<svg[\s\S]*?>[\s\S]*?<\/svg>/i.test(s) || // SVG markup
+        HARMLESS_URLS.some((rx) => rx.test(s)) // Allowlisted URLs
+    );
+}
+/**
+ * Checks if a line looks like a URL construction pattern.
+ * @param line - The line to check.
+ * @returns True if the line looks like URL construction, false otherwise.
+ */
+function looksLikeUrlConstruction(line) {
+    // Check for template literals or string concatenation that looks like URLs
+    return (
+    // Template literals with URL-like patterns
+    /=\s*`[^`]*\$\{[^}]+\}[^`]*\/[^`]*`/.test(line) ||
+        // String concatenation with slashes
+        /=\s*["'][^"']*\/[^"']*["']\s*\+/.test(line) ||
+        // Contains common URL patterns
+        /=\s*["'`][^"'`]*\/[^"'`]*(auth|api|login|redirect|callback|protocol)[^"'`]*\/[^"'`]*["'`]/.test(line) ||
+        // Keycloak-specific patterns
+        /realms\/.*\/protocol\/openid-connect/.test(line));
+}
+/**
+ * Checks if a file path is probably a test path.
+ * This is determined by looking for common test folder names and file extensions.
+ * @param p - The file path to check.
+ * @returns True if the file path is probably a test path, false otherwise.
+ */
+function isProbablyTestPath(p) {
+    return (/\b(__tests__|__mocks__|fixtures|sandbox|samples)\b/i.test(p) ||
+        /\.(spec|test)\.[jt]sx?$/.test(p));
+}
+/**
+ * Checks if a string is a pure interpolation template.
+ * @param s - The string to check.
+ * @returns True if the string is a pure interpolation template, false otherwise.
+ */
+function isPureInterpolationTemplate(s) {
+    // Matches templates like `${a}`, `${a}:${b}`, `${a}|${b}|${c}`
+    // i.e. no meaningful static content
+    const withoutInterpolations = s.replace(/\$\{[^}]+\}/g, '');
+    return /^[\s:|,._-]*$/.test(withoutInterpolations);
+}
+// Threshold is the value between 0 and 1 that determines the sensitivity of the detection.
+const DEFAULT_SECRET_THRESHOLD = 0.85;
+/**
+ * Optimized for sveltekit and vite env accessors
+ * @param line - A line of code to check.
+ * @returns True if the line is an environment variable accessor, false otherwise.
+ */
+function isEnvAccessor(line) {
+    return /\b(process\.env|import\.meta\.env|\$env\/(static|dynamic)\/(public|private))\b/.test(line);
+}
+/**
+ * Detects secrets in the source code of a file.
+ * @param file - The file path to check.
+ * @param source - The source code to scan for secrets.
+ * @returns An array of secret findings.
+ */
+export function detectSecretsInSource(file, source, opts) {
+    const threshold = isProbablyTestPath(file) ? 0.95 : DEFAULT_SECRET_THRESHOLD;
+    const findings = [];
+    const lines = source.split(/\r?\n/);
+    let insideIgnoreBlock = false;
+    for (let i = 0; i < lines.length; i++) {
+        const lineNo = i + 1;
+        const line = lines[i] || '';
+        if (/<!--\s*dotenv[\s-]*diff[\s-]*ignore[\s-]*start\s*-->/i.test(line)) {
+            insideIgnoreBlock = true;
+            continue;
+        }
+        if (/<!--\s*dotenv[\s-]*diff[\s-]*ignore[\s-]*end\s*-->/i.test(line)) {
+            insideIgnoreBlock = false;
+            continue;
+        }
+        // Skip if inside ignore block
+        if (insideIgnoreBlock)
+            continue;
+        // Skip comments
+        if (/^\s*\/\//.test(line))
+            continue;
+        // Check if line has ignore comment
+        if (hasIgnoreComment(line))
+            continue;
+        // Check for HTTPS URLs
+        HTTPS_PATTERN.lastIndex = 0;
+        let httpsMatch;
+        while ((httpsMatch = HTTPS_PATTERN.exec(line))) {
+            const url = httpsMatch[1] || '';
+            if (url && !looksHarmlessLiteral(url)) {
+                if (ignoreUrlsMatch(url, opts?.ignoreUrls))
+                    continue;
+                const protocol = url.startsWith('https') ? 'HTTPS' : 'HTTP';
+                findings.push({
+                    file,
+                    line: lineNo,
+                    kind: 'pattern',
+                    message: `${protocol} URL detected – consider moving to an environment variable`,
+                    snippet: line.trim().slice(0, 180),
+                    severity: protocol === 'HTTP' ? 'medium' : 'low',
+                });
+            }
+        }
+        // 1) Suspicious key literal assignments
+        if (SUSPICIOUS_KEYS.test(line)) {
+            // Ignore known harmless UI / analytics attributes
+            if (HARMLESS_ATTRIBUTE_KEYS.test(line))
+                continue;
+            const m = line.match(/=\s*["'`](.+?)["'`]/);
+            if (m &&
+                m[1] &&
+                !looksHarmlessLiteral(m[1]) &&
+                !looksLikeUrlConstruction(line) &&
+                m[1].length >= 12 &&
+                !isEnvAccessor(line) &&
+                !isPureInterpolationTemplate(m[1])) {
+                findings.push({
+                    file,
+                    line: lineNo,
+                    kind: 'pattern',
+                    message: 'matches password/secret/token-like literal assignment',
+                    snippet: line.trim().slice(0, 180),
+                    severity: 'medium',
+                });
+            }
+        }
+        // 2) Provider patterns
+        for (const rx of PROVIDER_PATTERNS) {
+            if (rx.test(line)) {
+                findings.push({
+                    file,
+                    line: lineNo,
+                    kind: 'pattern',
+                    message: 'matches known provider key pattern',
+                    snippet: line.trim().slice(0, 180),
+                    severity: 'high',
+                });
+            }
+        }
+        // 3) High-entropy long literals
+        LONG_LITERAL.lastIndex = 0;
+        let lm;
+        while ((lm = LONG_LITERAL.exec(line))) {
+            const literal = lm[1] || '';
+            if (looksHarmlessLiteral(literal))
+                continue;
+            if (literal.length < 32)
+                continue;
+            const ent = shannonEntropyNormalized(literal);
+            if (ent >= threshold) {
+                const message = `found high-entropy string (len ${literal.length}, H≈${ent.toFixed(2)})`;
+                findings.push({
+                    file,
+                    line: lineNo,
+                    kind: 'entropy',
+                    message,
+                    snippet: line.trim().slice(0, 180),
+                    severity: determineSeverity('entropy', message, literal.length),
+                });
+            }
+        }
+    }
+    const uniqueFindings = findings.filter((f, idx, arr) => idx ===
+        arr.findIndex((other) => other.file === f.file &&
+            other.line === f.line &&
+            other.snippet === f.snippet));
+    return uniqueFindings;
+}
+//# sourceMappingURL=secretDetectors.js.map

package/dist/src/core/scan/secretDetectors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secretDetectors.js","sourceRoot":"","sources":["../../../../src/core/scan/secretDetectors.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,wBAAwB,EAAE,MAAM,eAAe,CAAC;AAczD,0EAA0E;AAC1E,MAAM,CAAC,MAAM,eAAe,GAC1B,uGAAuG,CAAC;AAE1G,sDAAsD;AACtD,MAAM,CAAC,MAAM,iBAAiB,GAAa;IACzC,sBAAsB,EAAE,oBAAoB;IAC5C,sBAAsB,EAAE,eAAe;IACvC,0BAA0B,EAAE,eAAe;IAC3C,8BAA8B,EAAE,qBAAqB;IACrD,8BAA8B,EAAE,qBAAqB;IACrD,6BAA6B,EAAE,iBAAiB;IAChD,2BAA2B,EAAE,4BAA4B;IACzD,0CAA0C,EAAE,iBAAiB;IAC7D,uBAAuB,EAAE,mBAAmB;IAC5C,uDAAuD,EAAE,YAAY;IACrE,uBAAuB,EAAE,qBAAqB;CAC/C,CAAC;AAEF,MAAM,YAAY,GAAG,0CAA0C,CAAC;AAEhE,MAAM,aAAa,GAAG,8CAA8C,CAAC;AAErE,0CAA0C;AAC1C,MAAM,aAAa,GAAG;IACpB,sCAAsC;IACtC,kCAAkC;IAClC,iCAAiC;IACjC,mCAAmC;IACnC,iDAAiD,EAAE,gBAAgB;CACpE,CAAC;AAEF,gEAAgE;AAChE,MAAM,uBAAuB,GAC3B,oEAAoE,CAAC;AAEvE;;;;;;GAMG;AACH,SAAS,iBAAiB,CACxB,IAA2B,EAC3B,OAAe,EACf,aAAsB;IAEtB,oCAAoC;IACpC,IAAI,OAAO,CAAC,QAAQ,CAAC,4BAA4B,CAAC,EAAE,CAAC;QACnD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,uCAAuC;IACvC,IAAI,IAAI,KAAK,SAAS,IAAI,aAAa,IAAI,aAAa,IAAI,EAAE,EAAE,CAAC;QAC/D,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,yCAAyC;IACzC,IAAI,OAAO,CAAC,QAAQ,CAAC,4BAA4B,CAAC,EAAE,CAAC;QACnD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,sCAAsC;IACtC,IAAI,IAAI,KAAK,SAAS,IAAI,aAAa,IAAI,aAAa,IAAI,EAAE,EAAE,CAAC;QAC/D,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,oBAAoB;IACpB,IAAI,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QAC1C,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,kBAAkB;IAClB,IAAI,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;QAC3C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,0CAA0C;IAC1C,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAAY;IAC3C,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAE/B,wDAAwD;IACxD,OAAO,CACL,qCAAqC,CAAC,IAAI,CAAC,UAAU,CAAC;QACtD,2CAA2C,CAAC,IAAI,CAAC,UAAU,CAAC;QAC5D,0CAA0C,CAAC,IAAI,CAAC,UAAU,CAAC;QAC3D,mCAAmC,CAAC,IAAI,CAAC,UAAU,CAAC,CACrD,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAS,eAAe,CAAC,GAAW,EAAE,UAAqB;IACzD,IAAI,CAAC,UAAU,EAAE,MAAM;QAAE,OAAO,KAAK,CAAC;IAEtC,mCAAmC;IACnC,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CACjC,GAAG,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAClD,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAS,oBAAoB,CAAC,CAAS;IACrC,OAAO,CACL,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,SAAS;QAC9B,qCAAqC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,YAAY;QAC7D,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,iBAAiB;QACzC,iEAAiE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,OAAO;QACpF,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,0BAA0B;QAC3D,iCAAiC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,eAAe;QAC5D,qFAAqF,CAAC,IAAI,CACxF,CAAC,CACF,IAAI,gBAAgB;QACrB,4DAA4D,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,gBAAgB;QACxF,+BAA+B,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,aAAa;QACxD,aAAa,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,mBAAmB;KAC3D,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAS,wBAAwB,CAAC,IAAY;IAC5C,2EAA2E;IAC3E,OAAO;IACL,2CAA2C;IAC3C,oCAAoC,CAAC,IAAI,CAAC,IAAI,CAAC;QAC/C,oCAAoC;QACpC,iCAAiC,CAAC,IAAI,CAAC,IAAI,CAAC;QAC5C,+BAA+B;QAC/B,2FAA2F,CAAC,IAAI,CAC9F,IAAI,CACL;QACD,6BAA6B;QAC7B,sCAAsC,CAAC,IAAI,CAAC,IAAI,CAAC,CAClD,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAS,kBAAkB,CAAC,CAAS;IACnC,OAAO,CACL,qDAAqD,CAAC,IAAI,CAAC,CAAC,CAAC;QAC7D,yBAAyB,CAAC,IAAI,CAAC,CAAC,CAAC,CAClC,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAS,2BAA2B,CAAC,CAAS;IAC5C,+DAA+D;IAC/D,oCAAoC;IACpC,MAAM,qBAAqB,GAAG,CAAC,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;IAC5D,OAAO,eAAe,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;AACrD,CAAC;AAED,2FAA2F;AAC3F,MAAM,wBAAwB,GAAG,IAAa,CAAC;AAE/C;;;;GAIG;AACH,SAAS,aAAa,CAAC,IAAY;IACjC,OAAO,gFAAgF,CAAC,IAAI,CAC1F,IAAI,CACL,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,qBAAqB,CACnC,IAAY,EACZ,MAAc,EACd,IAAgC;IAEhC,MAAM,SAAS,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,wBAAwB,CAAC;IAE7E,MAAM,QAAQ,GAAoB,EAAE,CAAC;IACrC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAEpC,IAAI,iBAAiB,GAAG,KAAK,CAAC;IAE9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,MAAM,GAAG,CAAC,GAAG,CAAC,CAAC;QACrB,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAE5B,IAAI,uDAAuD,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACvE,iBAAiB,GAAG,IAAI,CAAC;YACzB,SAAS;QACX,CAAC;QAED,IAAI,qDAAqD,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACrE,iBAAiB,GAAG,KAAK,CAAC;YAC1B,SAAS;QACX,CAAC;QAED,8BAA8B;QAC9B,IAAI,iBAAiB;YAAE,SAAS;QAEhC,gBAAgB;QAChB,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,SAAS;QAEpC,mCAAmC;QACnC,IAAI,gBAAgB,CAAC,IAAI,CAAC;YAAE,SAAS;QAErC,uBAAuB;QACvB,aAAa,CAAC,SAAS,GAAG,CAAC,CAAC;QAC5B,IAAI,UAAkC,CAAC;QACvC,OAAO,CAAC,UAAU,GAAG,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YAC/C,MAAM,GAAG,GAAG,UAAU,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAChC,IAAI,GAAG,IAAI,CAAC,oBAAoB,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,IAAI,eAAe,CAAC,GAAG,EAAE,IAAI,EAAE,UAAU,CAAC;oBAAE,SAAS;gBACrD,MAAM,QAAQ,GAAG,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC;gBAE5D,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI;oBACJ,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE,SAAS;oBACf,OAAO,EAAE,GAAG,QAAQ,4DAA4D;oBAChF,OAAO,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;oBAClC,QAAQ,EAAE,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK;iBACjD,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,wCAAwC;QACxC,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,kDAAkD;YAClD,IAAI,uBAAuB,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,SAAS;YAEjD,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;YAC5C,IACE,CAAC;gBACD,CAAC,CAAC,CAAC,CAAC;gBACJ,CAAC,oBAAoB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC3B,CAAC,wBAAwB,CAAC,IAAI,CAAC;gBAC/B,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE;gBACjB,CAAC,aAAa,CAAC,IAAI,CAAC;gBACpB,CAAC,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAClC,CAAC;gBACD,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI;oBACJ,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE,SAAS;oBACf,OAAO,EAAE,uDAAuD;oBAChE,OAAO,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;oBAClC,QAAQ,EAAE,QAAQ;iBACnB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,uBAAuB;QACvB,KAAK,MAAM,EAAE,IAAI,iBAAiB,EAAE,CAAC;YACnC,IAAI,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAClB,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI;oBACJ,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE,SAAS;oBACf,OAAO,EAAE,oCAAoC;oBAC7C,OAAO,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;oBAClC,QAAQ,EAAE,MAAM;iBACjB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,gCAAgC;QAChC,YAAY,CAAC,SAAS,GAAG,CAAC,CAAC;QAC3B,IAAI,EAA0B,CAAC;QAC/B,OAAO,CAAC,EAAE,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,oBAAoB,CAAC,OAAO,CAAC;gBAAE,SAAS;YAC5C,IAAI,OAAO,CAAC,MAAM,GAAG,EAAE;gBAAE,SAAS;YAClC,MAAM,GAAG,GAAG,wBAAwB,CAAC,OAAO,CAAC,CAAC;YAC9C,IAAI,GAAG,IAAI,SAAS,EAAE,CAAC;gBACrB,MAAM,OAAO,GAAG,kCAAkC,OAAO,CAAC,MAAM,OAAO,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC;gBACzF,QAAQ,CAAC,IAAI,CAAC;oBACZ,IAAI;oBACJ,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE,SAAS;oBACf,OAAO;oBACP,OAAO,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;oBAClC,QAAQ,EAAE,iBAAiB,CAAC,SAAS,EAAE,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC;iBAChE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IACD,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CACpC,CAAC,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,CACd,GAAG;QACH,GAAG,CAAC,SAAS,CACX,CAAC,KAAK,EAAE,EAAE,CACR,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI;YACrB,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI;YACrB,KAAK,CAAC,OAAO,KAAK,CAAC,CAAC,OAAO,CAC9B,CACJ,CAAC;IAEF,OAAO,cAAc,CAAC;AACxB,CAAC"}

package/dist/src/core/scanFile.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"scanFile.d.ts","sourceRoot":"","sources":["../../../src/core/scanFile.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAIhE;;;;;;GAMG;AACH,wBAAgB,QAAQ,CACtB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,WAAW,GAChB,QAAQ,EAAE,CAqDZ"}
+{"version":3,"file":"scanFile.d.ts","sourceRoot":"","sources":["../../../src/core/scanFile.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAIhE;;;;;;GAMG;AACH,wBAAgB,QAAQ,CACtB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,WAAW,GAChB,QAAQ,EAAE,CAoEZ"}

package/dist/src/core/scanFile.js

@@ -1,6 +1,6 @@
 import path from 'path';
 import { ENV_PATTERNS } from './patterns.js';
-import { hasIgnoreComment } from '../core/secretDetectors.js';
+import { hasIgnoreComment } from './security/secretDetectors.js';
 /**
  * Scans a file for environment variable usage.
  * @param filePath - The path to the file being scanned.
@@ -12,6 +12,15 @@ export function scanFile(filePath, content, opts) {
     const usages = [];
     const lines = content.split('\n');
     const relativePath = path.relative(opts.cwd, filePath);
+    // Collect all $env imports used in this file
+    const envImports = [];
+    const importRegex = /import\s+(?:\{[^}]*\}|\w+)\s+from\s+['"](\$env\/(?:static|dynamic)\/(?:private|public))['"]/g;
+    let importMatch;
+    while ((importMatch = importRegex.exec(content)) !== null) {
+        if (importMatch[1]) {
+            envImports.push(importMatch[1]);
+        }
+    }
     for (const pattern of ENV_PATTERNS) {
         let match;
         const regex = new RegExp(pattern.regex.source, pattern.regex.flags);
@@ -43,6 +52,7 @@ export function scanFile(filePath, content, opts) {
                 line: lineNumber,
                 column,
                 pattern: pattern.name,
+                imports: envImports,
                 context: contextLine,
                 isLogged,
             });

package/dist/src/core/scanFile.js.map

@@ -1 +1 @@
-{"version":3,"file":"scanFile.js","sourceRoot":"","sources":["../../../src/core/scanFile.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAE9D;;;;;;GAMG;AACH,MAAM,UAAU,QAAQ,CACtB,QAAgB,EAChB,OAAe,EACf,IAAiB;IAEjB,MAAM,MAAM,GAAe,EAAE,CAAC;IAC9B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAEvD,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;QACnC,IAAI,KAA6B,CAAC;QAClC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAEpE,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC9C,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC1B,IAAI,CAAC,QAAQ;gBAAE,SAAS;YACxB,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC;YAE/B,uBAAuB;YACvB,MAAM,WAAW,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;YACrD,MAAM,UAAU,GAAG,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;YAClD,MAAM,gBAAgB,GAAG,WAAW,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;YACvD,MAAM,MAAM,GACV,gBAAgB,KAAK,CAAC,CAAC;gBACrB,CAAC,CAAC,UAAU,GAAG,CAAC;gBAChB,CAAC,CAAC,UAAU,GAAG,gBAAgB,CAAC;YAEpC,oCAAoC;YACpC,MAAM,WAAW,GAAG,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YAEhD,+CAA+C;YAC/C,MAAM,QAAQ,GAAG,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YAE7C,MAAM,SAAS,GACb,gBAAgB,CAAC,WAAW,CAAC,IAAI,gBAAgB,CAAC,QAAQ,CAAC,CAAC;YAE9D,wCAAwC;YACxC,IAAI,SAAS;gBAAE,SAAS;YAExB,uBAAuB;YACvB,MAAM,QAAQ,GAAG,6CAA6C,CAAC,IAAI,CACjE,WAAW,CACZ,CAAC;YAEF,MAAM,CAAC,IAAI,CAAC;gBACV,QAAQ;gBACR,IAAI,EAAE,YAAY;gBAClB,IAAI,EAAE,UAAU;gBAChB,MAAM;gBACN,OAAO,EAAE,OAAO,CAAC,IAAI;gBACrB,OAAO,EAAE,WAAW;gBACpB,QAAQ;aACT,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}
+{"version":3,"file":"scanFile.js","sourceRoot":"","sources":["../../../src/core/scanFile.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAC;AAEjE;;;;;;GAMG;AACH,MAAM,UAAU,QAAQ,CACtB,QAAgB,EAChB,OAAe,EACf,IAAiB;IAEjB,MAAM,MAAM,GAAe,EAAE,CAAC;IAC9B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAEvD,6CAA6C;IAC7C,MAAM,UAAU,GAAa,EAAE,CAAC;IAEhC,MAAM,WAAW,GACf,8FAA8F,CAAC;IAEjG,IAAI,WAAmC,CAAC;IAExC,OAAO,CAAC,WAAW,GAAG,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC1D,IAAI,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;YACnB,UAAU,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAED,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;QACnC,IAAI,KAA6B,CAAC;QAClC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAEpE,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC9C,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC1B,IAAI,CAAC,QAAQ;gBAAE,SAAS;YACxB,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC;YAE/B,uBAAuB;YACvB,MAAM,WAAW,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;YACrD,MAAM,UAAU,GAAG,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;YAClD,MAAM,gBAAgB,GAAG,WAAW,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;YACvD,MAAM,MAAM,GACV,gBAAgB,KAAK,CAAC,CAAC;gBACrB,CAAC,CAAC,UAAU,GAAG,CAAC;gBAChB,CAAC,CAAC,UAAU,GAAG,gBAAgB,CAAC;YAEpC,oCAAoC;YACpC,MAAM,WAAW,GAAG,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YAEhD,+CAA+C;YAC/C,MAAM,QAAQ,GAAG,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YAE7C,MAAM,SAAS,GACb,gBAAgB,CAAC,WAAW,CAAC,IAAI,gBAAgB,CAAC,QAAQ,CAAC,CAAC;YAE9D,wCAAwC;YACxC,IAAI,SAAS;gBAAE,SAAS;YAExB,uBAAuB;YACvB,MAAM,QAAQ,GAAG,6CAA6C,CAAC,IAAI,CACjE,WAAW,CACZ,CAAC;YAEF,MAAM,CAAC,IAAI,CAAC;gBACV,QAAQ;gBACR,IAAI,EAAE,YAAY;gBAClB,IAAI,EAAE,UAAU;gBAChB,MAAM;gBACN,OAAO,EAAE,OAAO,CAAC,IAAI;gBACrB,OAAO,EAAE,UAAU;gBACnB,OAAO,EAAE,WAAW;gBACpB,QAAQ;aACT,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/src/core/security/entropy.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Calculates the normalized Shannon entropy of a string.
+ * Shannon entropy is a measure of the unpredictability or randomness of a string.
+ * @param s - The input string.
+ * @returns The normalized Shannon entropy (between 0 and 1).
+ */
+export declare function shannonEntropyNormalized(s: string): number;
+//# sourceMappingURL=entropy.d.ts.map

package/dist/src/core/security/entropy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"entropy.d.ts","sourceRoot":"","sources":["../../../../src/core/security/entropy.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,wBAAgB,wBAAwB,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAa1D"}

package/dist/src/core/security/entropy.js

@@ -0,0 +1,23 @@
+/**
+ * Calculates the normalized Shannon entropy of a string.
+ * Shannon entropy is a measure of the unpredictability or randomness of a string.
+ * @param s - The input string.
+ * @returns The normalized Shannon entropy (between 0 and 1).
+ */
+export function shannonEntropyNormalized(s) {
+    if (!s)
+        return 0;
+    const freq = new Map();
+    for (const ch of s)
+        freq.set(ch, (freq.get(ch) ?? 0) + 1);
+    const len = s.length;
+    let H = 0;
+    for (const [, c] of freq) {
+        const p = c / len;
+        H += -p * Math.log2(p);
+    }
+    // Normalize by the maximum possible entropy for the character set (assuming 72 possible characters)
+    const maxH = Math.log2(72);
+    return Math.min(1, H / maxH);
+}
+//# sourceMappingURL=entropy.js.map

package/dist/src/core/security/entropy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"entropy.js","sourceRoot":"","sources":["../../../../src/core/security/entropy.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,MAAM,UAAU,wBAAwB,CAAC,CAAS;IAChD,IAAI,CAAC,CAAC;QAAE,OAAO,CAAC,CAAC;IACjB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,KAAK,MAAM,EAAE,IAAI,CAAC;QAAE,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1D,MAAM,GAAG,GAAG,CAAC,CAAC,MAAM,CAAC;IACrB,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,KAAK,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC;QACzB,MAAM,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;QAClB,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACzB,CAAC;IACD,oGAAoG;IACpG,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC3B,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;AAC/B,CAAC"}

package/dist/src/core/security/exampleSecretDetector.d.ts

@@ -0,0 +1,13 @@
+export interface ExampleSecretWarning {
+    key: string;
+    value: string;
+    reason: string;
+    severity: 'high' | 'medium' | 'low';
+}
+/**
+ * Detects potential secrets in a .env.example file.
+ * @param env - An object representing the `.env.example` file (key-value pairs).
+ * @returns An array of warnings about potential secrets.
+ */
+export declare function detectSecretsInExample(env: Record<string, string>): ExampleSecretWarning[];
+//# sourceMappingURL=exampleSecretDetector.d.ts.map

package/dist/src/core/security/exampleSecretDetector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"exampleSecretDetector.d.ts","sourceRoot":"","sources":["../../../../src/core/security/exampleSecretDetector.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,oBAAoB;IACnC,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;CACrC;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CACpC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC1B,oBAAoB,EAAE,CA4DxB"}

package/dist/src/core/security/exampleSecretDetector.js

@@ -0,0 +1,61 @@
+import { PROVIDER_PATTERNS, SUSPICIOUS_KEYS } from './secretDetectors.js';
+import { shannonEntropyNormalized } from './entropy.js';
+/**
+ * Detects potential secrets in a .env.example file.
+ * @param env - An object representing the `.env.example` file (key-value pairs).
+ * @returns An array of warnings about potential secrets.
+ */
+export function detectSecretsInExample(env) {
+    const warnings = [];
+    for (const [key, rawValue] of Object.entries(env)) {
+        if (!rawValue)
+            continue;
+        const value = rawValue.trim();
+        // 1 — Skip placeholders
+        if (value === '' ||
+            value.toLowerCase() === 'example' ||
+            value.toLowerCase() === 'placeholder' ||
+            value.includes('your_') ||
+            value.includes('<') ||
+            value.includes('CHANGE_ME')) {
+            continue;
+        }
+        // 2 — Check provider patterns (AWS, Stripe, GitHub, JWT etc.)
+        for (const rx of PROVIDER_PATTERNS) {
+            if (rx.test(value)) {
+                warnings.push({
+                    key,
+                    value,
+                    reason: 'Value in .env.example matches a known provider key pattern',
+                    severity: 'high',
+                });
+                continue;
+            }
+        }
+        // 3 — Check suspicious keywords on values
+        if (SUSPICIOUS_KEYS.test(key)) {
+            if (value.length >= 12) {
+                warnings.push({
+                    key,
+                    value,
+                    reason: 'Suspicious key name combined with a non-placeholder value',
+                    severity: 'medium',
+                });
+            }
+        }
+        // 4 — Check entropy (high randomness → real secret)
+        if (value.length >= 24) {
+            const entropy = shannonEntropyNormalized(value);
+            if (entropy > 0.8) {
+                warnings.push({
+                    key,
+                    value,
+                    reason: `High entropy value in .env.example (≈${entropy.toFixed(2)})`,
+                    severity: entropy > 0.92 ? 'high' : 'medium',
+                });
+            }
+        }
+    }
+    return warnings;
+}
+//# sourceMappingURL=exampleSecretDetector.js.map

package/dist/src/core/security/exampleSecretDetector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"exampleSecretDetector.js","sourceRoot":"","sources":["../../../../src/core/security/exampleSecretDetector.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAC1E,OAAO,EAAE,wBAAwB,EAAE,MAAM,cAAc,CAAC;AASxD;;;;GAIG;AACH,MAAM,UAAU,sBAAsB,CACpC,GAA2B;IAE3B,MAAM,QAAQ,GAA2B,EAAE,CAAC;IAE5C,KAAK,MAAM,CAAC,GAAG,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAClD,IAAI,CAAC,QAAQ;YAAE,SAAS;QAExB,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC;QAE9B,wBAAwB;QACxB,IACE,KAAK,KAAK,EAAE;YACZ,KAAK,CAAC,WAAW,EAAE,KAAK,SAAS;YACjC,KAAK,CAAC,WAAW,EAAE,KAAK,aAAa;YACrC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC;YACvB,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC;YACnB,KAAK,CAAC,QAAQ,CAAC,WAAW,CAAC,EAC3B,CAAC;YACD,SAAS;QACX,CAAC;QAED,8DAA8D;QAC9D,KAAK,MAAM,EAAE,IAAI,iBAAiB,EAAE,CAAC;YACnC,IAAI,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;gBACnB,QAAQ,CAAC,IAAI,CAAC;oBACZ,GAAG;oBACH,KAAK;oBACL,MAAM,EAAE,4DAA4D;oBACpE,QAAQ,EAAE,MAAM;iBACjB,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;QACH,CAAC;QAED,0CAA0C;QAC1C,IAAI,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9B,IAAI,KAAK,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,GAAG;oBACH,KAAK;oBACL,MAAM,EAAE,2DAA2D;oBACnE,QAAQ,EAAE,QAAQ;iBACnB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,oDAAoD;QACpD,IAAI,KAAK,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YACvB,MAAM,OAAO,GAAG,wBAAwB,CAAC,KAAK,CAAC,CAAC;YAChD,IAAI,OAAO,GAAG,GAAG,EAAE,CAAC;gBAClB,QAAQ,CAAC,IAAI,CAAC;oBACZ,GAAG;oBACH,KAAK;oBACL,MAAM,EAAE,wCAAwC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG;oBACrE,QAAQ,EAAE,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;iBAC7C,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/src/core/security/secretDetectors.d.ts

@@ -0,0 +1,28 @@
+export type SecretSeverity = 'high' | 'medium' | 'low';
+export type SecretFinding = {
+    file: string;
+    line: number;
+    kind: 'pattern' | 'entropy';
+    message: string;
+    snippet: string;
+    severity: SecretSeverity;
+};
+export declare const SUSPICIOUS_KEYS: RegExp;
+export declare const PROVIDER_PATTERNS: RegExp[];
+/**
+ * Checks if a line has an ignore comment
+ * fx: // dotenv-diff-ignore or /* dotenv-diff-ignore *\/ or <!-- dotenv-diff-ignore -->
+ * @param line - The line to check
+ * @returns True if the line should be ignored
+ */
+export declare function hasIgnoreComment(line: string): boolean;
+/**
+ * Detects secrets in the source code of a file.
+ * @param file - The file path to check.
+ * @param source - The source code to scan for secrets.
+ * @returns An array of secret findings.
+ */
+export declare function detectSecretsInSource(file: string, source: string, opts?: {
+    ignoreUrls?: string[];
+}): SecretFinding[];
+//# sourceMappingURL=secretDetectors.d.ts.map

package/dist/src/core/security/secretDetectors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secretDetectors.d.ts","sourceRoot":"","sources":["../../../../src/core/security/secretDetectors.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,cAAc,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAGvD,MAAM,MAAM,aAAa,GAAG;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,SAAS,GAAG,SAAS,CAAC;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,cAAc,CAAC;CAC1B,CAAC;AAGF,eAAO,MAAM,eAAe,QAC6E,CAAC;AAG1G,eAAO,MAAM,iBAAiB,EAAE,MAAM,EAYrC,CAAC;AAoFF;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAUtD;AAmGD;;;;;GAKG;AACH,wBAAgB,qBAAqB,CACnC,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,EACd,IAAI,CAAC,EAAE;IAAE,UAAU,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,GAC/B,aAAa,EAAE,CAgIjB"}