dotenv-exposure-check 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Renzo Madueno
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,101 @@
+# dotenv-exposure-check
+
+> Probe any **live URL** for the secret artifacts that get served by accident — `.env`, `.env.production`, the `.git/` directory, production source maps (`.js.map`), `.DS_Store`, and backup/database dumps — and **prove each hit by fetching the bytes** and showing the real credentials, remote URLs, and source paths inside. Other scanners read your repo; this checks what your *server* is actually handing to strangers.
+
+> ⚡ **Run it in one line, no install, no token:**
+> ```bash
+> npx dotenv-exposure-check --url https://your-app.example.com
+> ```
+
+> 🤝 **Want it done for you?** [Fixed-scope audit — $99 / 24h](https://buy.stripe.com/3cIeVdgikfj47yx9LkcAo0m): I verify each exposure live, help you rotate the leaked credentials, and send a written remediation report.
+
+[![npm](https://img.shields.io/npm/v/dotenv-exposure-check?color=red)](https://www.npmjs.com/package/dotenv-exposure-check) [![downloads](https://img.shields.io/npm/dw/dotenv-exposure-check)](https://www.npmjs.com/package/dotenv-exposure-check) ![license](https://img.shields.io/badge/license-MIT-green) ![node](https://img.shields.io/badge/node-%3E%3D18-blue) ![deps](https://img.shields.io/badge/dependencies-0-brightgreen)
+
+```
+$ npx dotenv-exposure-check --url https://app.example.com
+2 critical, 1 high, 1 medium — 4 CONFIRMED by fetching the bytes
+  CRITICAL  /.env            5 vars readable — secret keys: DATABASE_URL, STRIPE_SECRET_KEY, JWT_SECRET
+  CRITICAL  /.git/config     repo cloneable — remote https://<credentials-redacted>@github.com/acme/app.git
+  HIGH      /main.js.map     12 source files mapped (original source embedded)
+  MEDIUM    /.DS_Store       directory listing leaked
+```
+
+## Why this exists
+
+Serving a secret file is the single highest-yield mistake on the web, and it
+happens constantly: researchers catalogued **12M+ exposed `.env` files** in the
+wild, and Palo Alto Unit 42 documented an extortion campaign that **scanned 230M
+targets and harvested 90,000+ secret variables** from misconfigured `.env`
+endpoints. Source maps are just as bad — even Claude Code shipped a production
+`.js.map` leak in 2026 — and a web-readable `.git/` folder lets anyone clone your
+entire source, remote token included.
+
+The hard part is *confirmation*. Most single-page apps return `200 OK` with
+`index.html` for **every** path, so "got a 200 on `/.env`" means nothing.
+`dotenv-exposure-check` fetches each candidate and **inspects the actual bytes**:
+an `.env` hit must contain real `KEY=VALUE` assignments, a source map must be
+valid sourcemap JSON, a `.DS_Store` must carry the `Bud1` magic, a backup must
+have a real archive/dump signature. You triage facts, not 200s.
+
+## What it checks
+
+| Check | Severity | How it's confirmed |
+|---|---|---|
+| `.env` / `.env.production` / `.env.local` … served | critical | body parsed for `KEY=VALUE` lines; secret-looking keys (DB/API/JWT/Stripe/AWS) flagged |
+| Exposed `.git/` directory (repo cloneable) | critical | `/.git/config` + `/.git/HEAD` validated as git stanzas; embedded remote credentials detected and redacted |
+| Production source map (`.js.map`) exposed | high | parsed as sourcemap JSON (`version` + `mappings`); counts mapped sources, flags embedded original source |
+| Backup / database dump downloadable | high | archive (`zip`/`gzip`) or SQL-dump signature in the bytes |
+| `.DS_Store` directory listing | medium | `Bud1` binary magic at offset 4 |
+
+SPA catch-all (`200` + `index.html` for everything) is explicitly rejected, so
+the tool does not false-positive on modern frontends.
+
+## Usage
+
+```bash
+# Probe a live site (tries the common filenames for each artifact)
+npx dotenv-exposure-check --url https://app.example.com
+
+# Restrict to specific candidate paths
+npx dotenv-exposure-check --url https://app.example.com --paths .env,.env.production
+
+# Write a shareable HTML report
+npx dotenv-exposure-check --url https://app.example.com --html report.html
+
+# Dry run: list what would be checked, send no requests
+npx dotenv-exposure-check --url https://app.example.com --no-probe
+```
+
+Output is JSON on stdout (pipe it into CI) and a one-line summary on stderr.
+Exit is non-zero only on usage errors — gate your pipeline on the JSON `summary`.
+
+## Install (optional)
+
+```bash
+npm i -g dotenv-exposure-check
+dotenv-exposure-check --url https://app.example.com
+```
+
+Zero dependencies. Read-only and keyless — every request goes straight from the
+tool to the target you name; nothing is stored, modified, or sent anywhere else.
+**Only scan systems you own or are authorized to test.**
+
+## Sister tools
+
+Same active-probe philosophy across the stack, all MIT:
+
+[supabase-security](https://github.com/Perufitlife/supabase-security-skill) ·
+[pocketbase-security](https://github.com/Perufitlife/pocketbase-security-skill) ·
+[firebase-security](https://github.com/Perufitlife/firebase-security-skill) ·
+[appwrite-security](https://github.com/Perufitlife/appwrite-security-skill) ·
+[nhost-security](https://github.com/Perufitlife/nhost-security-skill) ·
+[strapi-security](https://github.com/Perufitlife/strapi-security) ·
+[directus-security](https://github.com/Perufitlife/directus-security) ·
+[aws-s3-security](https://github.com/Perufitlife/aws-s3-security) ·
+[stripe-webhook-security](https://github.com/Perufitlife/stripe-webhook-security) ·
+[github-actions-security](https://github.com/Perufitlife/github-actions-security) ·
+[web-exposure-mcp](https://github.com/Perufitlife/web-exposure-mcp)
+
+## License
+
+MIT © [Renzo Madueno](https://github.com/Perufitlife)

package/package.json

@@ -0,0 +1,37 @@
+{
+  "name": "dotenv-exposure-check",
+  "version": "0.1.0",
+  "description": "Probe a live URL for accidentally-served secret artifacts — .env, .env.production, .git/config, source maps (.js.map), .DS_Store, backup files — and CONFIRM each hit by fetching the bytes and flagging the real credentials and endpoints found inside. Zero dependencies.",
+  "type": "module",
+  "bin": {
+    "dotenv-exposure-check": "./scripts/cli.js"
+  },
+  "scripts": {
+    "scan": "node scripts/scan.js",
+    "test": "node test/scan.test.js"
+  },
+  "keywords": [
+    "dotenv",
+    "env",
+    "security",
+    "security-audit",
+    "secret-scanning",
+    "secrets-detection",
+    "exposure",
+    "sourcemap",
+    "auditor",
+    "devsecops",
+    "git-config",
+    "ds-store"
+  ],
+  "author": "Renzo Madueno (@Perufitlife)",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Perufitlife/dotenv-exposure-check"
+  },
+  "homepage": "https://github.com/Perufitlife/dotenv-exposure-check",
+  "engines": {
+    "node": ">=18"
+  }
+}

package/scripts/cli.js

@@ -0,0 +1,6 @@
+#!/usr/bin/env node
+import { run } from "./scan.js";
+run().catch((e) => {
+  console.error(e.message);
+  process.exit(1);
+});

package/scripts/report.js

@@ -0,0 +1,77 @@
+// HTML report renderer for dotenv-exposure-check. Self-contained, no deps.
+const esc = (s) =>
+  String(s ?? "").replace(/[&<>"]/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" }[c]));
+
+const SEV_COLOR = { critical: "#dc2626", high: "#f97316", medium: "#eab308", low: "#3b82f6", info: "#6b7280" };
+
+function evidenceLine(f) {
+  const e = f.evidence;
+  if (!e) return "";
+  if (f.check === "dotenv")
+    return `${e.var_count} variables readable${e.has_secrets ? ` — secret keys: ${esc((e.secret_keys || []).join(", "))}` : ""}`;
+  if (f.check === "git_config")
+    return e.kind === "config" ? `git config readable${e.remote_url ? ` — remote ${esc(e.remote_url)}` : ""}` : `git ${esc(e.kind)} readable`;
+  if (f.check === "sourcemap")
+    return `${e.source_files} source files mapped${e.embeds_source ? " (original source embedded)" : ""}`;
+  if (f.check === "ds_store") return `valid .DS_Store (${e.bytes} bytes) — directory listing leaked`;
+  if (f.check === "backup_dump") return `${esc(e.format)} artifact downloadable (${e.bytes} bytes)`;
+  return "";
+}
+
+export function renderHtml(result) {
+  const { target_url, summary, findings, active_probe } = result;
+  const total = findings.filter((f) => f.confirmed).length;
+  const score = Math.max(
+    0,
+    100 - (summary.critical * 25 + summary.high * 12 + summary.medium * 5 + summary.low * 1)
+  );
+
+  const rows = findings
+    .filter((f) => f.confirmed)
+    .map(
+      (f) => `
+    <div style="border-left:4px solid ${SEV_COLOR[f.severity]};background:#fff;padding:14px 18px;border-radius:6px;margin-bottom:12px;box-shadow:0 1px 2px rgba(0,0,0,.06)">
+      <div style="display:flex;justify-content:space-between;align-items:center">
+        <strong>${esc(f.title)}</strong>
+        <span style="background:${SEV_COLOR[f.severity]};color:#fff;font-size:11px;padding:2px 8px;border-radius:10px;text-transform:uppercase">${f.severity}</span>
+      </div>
+      <div style="color:#374151;font-size:14px;margin:6px 0">${esc(f.explain)}</div>
+      <div style="font-size:13px;color:#6b7280"><code>${esc(f.target)}</code></div>
+      <div style="font-size:12px;color:#b91c1c;margin-top:4px">✓ CONFIRMED by fetching the bytes — ${esc(evidenceLine(f))}</div>
+      <details style="margin-top:6px"><summary style="cursor:pointer;font-size:13px;font-weight:600;color:#047857">Fix</summary>
+        <div style="font-size:13px;background:#f0fdf4;padding:8px;border-radius:4px;margin-top:4px">${esc(f.fix || "")}</div></details>
+    </div>`
+    )
+    .join("");
+
+  return `<!doctype html><html><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1">
+<title>dotenv-exposure-check report — ${esc(target_url)}</title>
+<style>body{font-family:system-ui,-apple-system,sans-serif;background:#f3f4f6;margin:0;color:#111827}
+.wrap{max-width:860px;margin:0 auto;padding:24px}.card{background:#fff;padding:18px;border-radius:8px;box-shadow:0 1px 2px rgba(0,0,0,.06);margin-bottom:18px}
+.stat{display:inline-block;text-align:center;margin-right:24px}.stat .n{font-size:30px;font-weight:700}.stat .l{font-size:12px;color:#6b7280}</style></head>
+<body><div class="wrap">
+  <h1 style="margin:8px 0">🔓 Secret Exposure Report</h1>
+  <div style="color:#6b7280;font-size:14px">${esc(target_url)} · scored ${score}/100 · ${active_probe.confirmed} artifact(s) confirmed live</div>
+  <div class="card" style="margin-top:14px">
+    <span class="stat"><div class="n" style="color:${SEV_COLOR.critical}">${summary.critical}</div><div class="l">CRITICAL</div></span>
+    <span class="stat"><div class="n" style="color:${SEV_COLOR.high}">${summary.high}</div><div class="l">HIGH</div></span>
+    <span class="stat"><div class="n" style="color:${SEV_COLOR.medium}">${summary.medium}</div><div class="l">MEDIUM</div></span>
+    <span class="stat"><div class="n">${active_probe.probed}</div><div class="l">PATHS PROBED</div></span>
+  </div>
+  ${total ? rows : `<div class="card">✅ No exposed secret artifacts confirmed in the paths probed. Re-run after each deploy.</div>`}
+  ${
+    summary.critical + summary.high > 0
+      ? `
+  <div class="card" style="background:#ecfdf5;border:1px solid #a7f3d0">
+    <h2 style="margin:0 0 6px">Want this fixed for you?</h2>
+    <p style="font-size:14px;color:#374151;margin:0 0 10px">You have <strong>${summary.critical} critical</strong> and <strong>${summary.high} high</strong> exposures. I verify each one live, help you rotate the leaked credentials, and send a written remediation report.</p>
+    <a href="https://buy.stripe.com/3cIeVdgikfj47yx9LkcAo0m" style="background:#047857;color:#fff;text-decoration:none;font-size:14px;padding:8px 14px;border-radius:6px">Fixed-scope audit — $99 / 24h</a>
+    <a href="https://github.com/Perufitlife/dotenv-exposure-check" style="color:#047857;font-size:14px;margin-left:10px">See the tool</a>
+  </div>`
+      : ""
+  }
+  <div style="text-align:center;font-size:12px;color:#9ca3af;padding:8px">
+    Generated by <a href="https://github.com/Perufitlife/dotenv-exposure-check" style="color:#047857">dotenv-exposure-check</a> · MIT · Runs locally, nothing leaves your machine.
+  </div>
+</div></body></html>`;
+}

package/scripts/scan.js

@@ -0,0 +1,398 @@
+#!/usr/bin/env node
+// dotenv-exposure-check — pure Node.js, no deps.
+//
+// Probes a live URL for the secret artifacts that get served by accident, then
+// CONFIRMS each hit by fetching the bytes and inspecting what's actually inside:
+//
+//   - .env / .env.production / .env.local / ...  → real KEY=VALUE secrets
+//   - .git/config + .git/HEAD                    → cloneable repo + remote URL
+//   - JavaScript source maps (.js.map)           → original source / paths leaked
+//   - .DS_Store                                  → directory listing leaked
+//   - backup & dump files (.bak, .sql, .zip ...) → server-side files downloadable
+//
+// A 200 alone is not enough — many SPAs return index.html for everything. So
+// every candidate is content-verified: a hit only counts when the body really
+// looks like the artifact (env assignments, git config stanza, sourcemap JSON,
+// DS_Store magic, archive/dump signatures).
+//
+// Usage:
+//   dotenv-exposure-check --url https://app.example.com
+//   dotenv-exposure-check --url https://app.example.com --paths .env,.env.prod
+//   dotenv-exposure-check --url https://app.example.com --html report.html
+//   dotenv-exposure-check --url https://app.example.com --no-probe
+//
+// Keyless and read-only. Every request goes straight from this process to the
+// target; nothing is stored, modified, or sent anywhere else.
+
+import { writeFileSync } from "node:fs";
+
+const VERSION = "0.1.0";
+const UA = `dotenv-exposure-check/${VERSION}`;
+const SEVERITY_ORDER = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+
+// Cap how many bytes we pull per candidate so a giant dump doesn't blow memory.
+const MAX_BYTES = 64 * 1024;
+
+// ---- the artifact catalog ---------------------------------------------------
+// Each artifact knows the paths to try, a severity, copy, a fix, and a
+// `confirm(text, ct)` that returns evidence ONLY when the body is the real
+// thing (so SPA catch-all index.html never produces a false positive).
+
+const ARTIFACTS = [
+  {
+    id: "dotenv",
+    severity: "critical",
+    title: "Environment file (.env) served over HTTP",
+    explain:
+      "An .env file with KEY=VALUE secrets is reachable anonymously. Attackers mass-scan for exactly this; a single hit can hand over database passwords, API keys, and signing secrets. 12M+ exposed .env files have been catalogued in the wild.",
+    fix: "Stop serving dotfiles: block `/\\.env` at the web server / CDN, move secrets to the platform's env-var store, and rotate every credential that was in the file.",
+    paths: [
+      ".env",
+      ".env.production",
+      ".env.prod",
+      ".env.local",
+      ".env.development",
+      ".env.dev",
+      ".env.staging",
+      ".env.backup",
+      ".env.bak",
+      ".env.save",
+      ".env.old",
+    ],
+    confirm: confirmDotenv,
+  },
+  {
+    id: "git_config",
+    severity: "critical",
+    title: "Exposed .git directory (repo is cloneable)",
+    explain:
+      "The .git directory is web-readable. With /.git/config and /.git/HEAD an attacker can reconstruct your entire source tree — and the config often embeds the remote URL with an embedded token.",
+    fix: "Deny access to `/\\.git` in the web server config (and confirm /.git/HEAD 404s). Never deploy the .git folder; build artifacts only.",
+    paths: [".git/config", ".git/HEAD"],
+    confirm: confirmGitConfig,
+  },
+  {
+    id: "sourcemap",
+    severity: "high",
+    title: "Production source map (.js.map) exposed",
+    explain:
+      "A JavaScript source map is downloadable, reverse-mapping minified code back to original source — internal file paths, comments, sometimes hard-coded endpoints and keys. (Claude Code itself shipped a sourcemap leak in 2026.)",
+    fix: "Disable source-map emission in production builds, or stop uploading *.js.map to the public origin. If maps are needed for error tracking, upload them privately to your monitoring vendor only.",
+    paths: [
+      "main.js.map",
+      "app.js.map",
+      "index.js.map",
+      "bundle.js.map",
+      "assets/index.js.map",
+      "static/js/main.js.map",
+      "_next/static/chunks/main.js.map",
+    ],
+    confirm: confirmSourceMap,
+  },
+  {
+    id: "ds_store",
+    severity: "medium",
+    title: ".DS_Store leaks the directory listing",
+    explain:
+      "A macOS .DS_Store file is served. It enumerates every filename in the directory it sits in, handing attackers a free map of hidden files and backups to probe next.",
+    fix: "Block `/\\.DS_Store`, delete it from the deploy, and add `.DS_Store` to .gitignore / your deploy ignore list.",
+    paths: [".DS_Store"],
+    confirm: confirmDsStore,
+  },
+  {
+    id: "backup_dump",
+    severity: "high",
+    title: "Backup / database dump downloadable",
+    explain:
+      "A backup or dump artifact is reachable anonymously. These often contain a full copy of the application or database, including credentials and customer data.",
+    fix: "Remove backups/dumps from the public web root and block the extensions (`\\.(sql|bak|zip|tar\\.gz|dump)$`) at the edge.",
+    paths: [
+      "backup.zip",
+      "backup.sql",
+      "backup.tar.gz",
+      "db.sql",
+      "dump.sql",
+      "database.sql",
+      "site.zip",
+      "www.zip",
+      "app.bak",
+      "index.php.bak",
+      "config.php.bak",
+    ],
+    confirm: confirmBackup,
+  },
+];
+
+// ---- content confirmers -----------------------------------------------------
+
+// Matches lines like  KEY=value  /  KEY="value"  /  export KEY=value
+const ENV_LINE = /^\s*(?:export\s+)?[A-Z][A-Z0-9_]{2,}\s*=\s*.+$/m;
+const SECRETY_KEY =
+  /(SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|ACCESS_?KEY|PRIVATE_?KEY|DATABASE_?URL|DB_PASS|AWS_|STRIPE_|JWT|SUPABASE|MONGODB_URI|REDIS_URL)/i;
+
+function looksLikeHtml(text, ct) {
+  if (ct && ct.includes("text/html")) return true;
+  const head = text.slice(0, 512).toLowerCase();
+  return head.includes("<!doctype html") || head.includes("<html");
+}
+
+function confirmDotenv(text, ct) {
+  if (looksLikeHtml(text, ct)) return null;
+  const lines = text.split(/\r?\n/);
+  const assignments = lines.filter((l) => ENV_LINE.test(l));
+  if (assignments.length === 0) return null;
+  const keys = assignments
+    .map((l) => l.replace(/^\s*export\s+/, "").split("=")[0].trim())
+    .filter(Boolean);
+  const secretKeys = keys.filter((k) => SECRETY_KEY.test(k));
+  return {
+    var_count: keys.length,
+    sample_keys: keys.slice(0, 8),
+    secret_keys: [...new Set(secretKeys)].slice(0, 8),
+    has_secrets: secretKeys.length > 0,
+  };
+}
+
+function confirmGitConfig(text, ct) {
+  if (looksLikeHtml(text, ct)) return null;
+  if (/^ref:\s+refs\//m.test(text)) return { kind: "HEAD", ref: text.trim().slice(0, 80) };
+  if (/\[core\]/.test(text) || /\[remote /.test(text)) {
+    const remote = (text.match(/url\s*=\s*(\S+)/) || [])[1] || null;
+    return { kind: "config", remote_url: remote ? redactUrl(remote) : null };
+  }
+  return null;
+}
+
+function confirmSourceMap(text, ct) {
+  if (looksLikeHtml(text, ct)) return null;
+  let j;
+  try {
+    j = JSON.parse(text);
+  } catch {
+    return null;
+  }
+  if (typeof j !== "object" || j === null) return null;
+  if (!("version" in j) || !("mappings" in j)) return null;
+  const sources = Array.isArray(j.sources) ? j.sources : [];
+  return {
+    sourcemap_version: j.version,
+    source_files: sources.length,
+    sample_sources: sources.slice(0, 5),
+    embeds_source: Array.isArray(j.sourcesContent) && j.sourcesContent.length > 0,
+  };
+}
+
+function confirmDsStore(text, ct, rawBytes) {
+  // .DS_Store starts with magic bytes 00 00 00 01 42 75 64 31 ("Bud1").
+  const bytes = rawBytes || Buffer.from(text, "binary");
+  if (bytes.length < 8) return null;
+  const magic = bytes.subarray(0, 8);
+  if (magic[4] === 0x42 && magic[5] === 0x75 && magic[6] === 0x64 && magic[7] === 0x31) {
+    return { magic: "Bud1", bytes: bytes.length };
+  }
+  return null;
+}
+
+function confirmBackup(text, ct, rawBytes, url) {
+  if (looksLikeHtml(text, ct)) return null;
+  const bytes = rawBytes || Buffer.from(text, "binary");
+  if (bytes.length < 4) return null;
+  // Archive / dump signatures.
+  const b = bytes;
+  const sig = (...xs) => xs.every((v, i) => b[i] === v);
+  if (sig(0x50, 0x4b, 0x03, 0x04)) return { format: "zip", bytes: b.length };
+  if (sig(0x1f, 0x8b)) return { format: "gzip", bytes: b.length };
+  // SQL dumps are text — look for telltale statements.
+  const head = text.slice(0, 4096);
+  if (/(CREATE TABLE|INSERT INTO|DROP TABLE|-- MySQL dump|PostgreSQL database dump)/i.test(head)) {
+    return { format: "sql", bytes: b.length };
+  }
+  // PHP backups.
+  if (url && /\.php\.bak$/i.test(url) && /<\?php/.test(head)) {
+    return { format: "php-source", bytes: b.length };
+  }
+  return null;
+}
+
+// ---- helpers ----------------------------------------------------------------
+
+function redactUrl(u) {
+  // Strip embedded credentials but flag that they were present.
+  try {
+    const m = u.match(/^([a-z]+:\/\/)([^@/]+)@(.*)$/i);
+    if (m) return `${m[1]}<credentials-redacted>@${m[3]}`;
+  } catch {
+    /* ignore */
+  }
+  return u;
+}
+
+async function fetchArtifact(url) {
+  try {
+    const r = await fetch(url, {
+      headers: { "User-Agent": UA, Accept: "*/*" },
+      redirect: "manual",
+    });
+    // A redirect to a login/home page is not an exposed file.
+    if (r.status >= 300 && r.status < 400) {
+      return { ok: false, status: r.status, redirected: true };
+    }
+    const ct = r.headers.get("content-type") || "";
+    const buf = Buffer.from(await r.arrayBuffer());
+    const bytes = buf.subarray(0, MAX_BYTES);
+    return {
+      ok: r.ok,
+      status: r.status,
+      contentType: ct,
+      bytes,
+      text: bytes.toString("utf8"),
+    };
+  } catch (e) {
+    return { ok: false, status: 0, error: e.message };
+  }
+}
+
+// ---- main scan --------------------------------------------------------------
+
+export async function scan({ url, paths = null, activeProbe = true } = {}) {
+  if (!url) throw new Error("scan() requires { url }");
+  const base = url.replace(/\/+$/, "");
+  const findings = [];
+  let probed = 0;
+  let confirmed = 0;
+
+  for (const art of ARTIFACTS) {
+    // Allow restricting which paths to try (per-artifact still confirmed).
+    const tryPaths = paths
+      ? art.paths.filter((p) => paths.includes(p))
+      : art.paths;
+    if (tryPaths.length === 0) continue;
+
+    let hit = null;
+    for (const p of tryPaths) {
+      if (!activeProbe) break;
+      const full = `${base}/${p}`;
+      const res = await fetchArtifact(full);
+      probed++;
+      if (res.status !== 200 || !res.bytes) continue;
+      const evidence = art.confirm(res.text, res.contentType, res.bytes, full);
+      if (evidence) {
+        hit = { path: p, url: full, status: res.status, contentType: res.contentType, evidence };
+        break; // one confirmed artifact of this class is enough
+      }
+    }
+
+    if (hit) {
+      confirmed++;
+      findings.push({
+        check: art.id,
+        severity: art.severity,
+        title: art.title,
+        explain: art.explain,
+        target: hit.url,
+        confirmed: true,
+        evidence: hit.evidence,
+        fix: art.fix,
+      });
+    } else if (!activeProbe) {
+      // In static mode, list what WOULD be checked.
+      findings.push({
+        check: art.id,
+        severity: "info",
+        title: `Would probe: ${art.title}`,
+        explain: art.explain,
+        target: `${base}/{${art.paths.join(",")}}`,
+        confirmed: false,
+        fix: art.fix,
+      });
+    }
+  }
+
+  findings.sort((a, b) => SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity]);
+  const summary = findings.reduce(
+    (acc, f) => ({ ...acc, [f.severity]: (acc[f.severity] || 0) + 1 }),
+    { critical: 0, high: 0, medium: 0, low: 0, info: 0 }
+  );
+
+  return {
+    target_url: base,
+    scanned_by: `dotenv-exposure-check v${VERSION}`,
+    active_probe: { enabled: activeProbe, probed, confirmed },
+    summary,
+    findings,
+  };
+}
+
+// ---- CLI --------------------------------------------------------------------
+
+function parseArgs(argv) {
+  const a = argv.slice(2);
+  const flag = (k) => {
+    const i = a.indexOf(k);
+    return i !== -1 ? a[i + 1] : null;
+  };
+  return {
+    help: a.includes("--help") || a.includes("-h"),
+    url: flag("--url") || process.env.TARGET_URL,
+    paths: (flag("--paths") || "")
+      .split(",")
+      .map((s) => s.trim())
+      .filter(Boolean),
+    activeProbe: !a.includes("--no-probe"),
+    html: a.includes("--html") ? flag("--html") || "dotenv-exposure-report.html" : null,
+  };
+}
+
+export async function run() {
+  const opts = parseArgs(process.argv);
+  if (opts.help || !opts.url) {
+    console.error(`dotenv-exposure-check — probe a URL for served secret artifacts and confirm each hit.
+
+Usage:
+  dotenv-exposure-check --url https://app.example.com
+  dotenv-exposure-check --url https://app.example.com --paths .env,.env.production
+  dotenv-exposure-check --url https://app.example.com --html report.html
+  dotenv-exposure-check --url https://app.example.com --no-probe
+
+Flags:
+  --url <url>       Target base URL (or TARGET_URL env)
+  --paths a,b,c     Restrict to specific candidate paths
+  --no-probe        List what would be checked without sending any request
+  --html <file>     Write a shareable HTML report
+
+Detects (and content-confirms): .env files, exposed .git directory,
+production source maps (.js.map), .DS_Store directory listing,
+backup / database dumps. Keyless and read-only.`);
+    process.exit(opts.url ? 0 : 1);
+  }
+
+  const result = await scan({
+    url: opts.url,
+    paths: opts.paths.length ? opts.paths : null,
+    activeProbe: opts.activeProbe,
+  });
+
+  if (opts.html) {
+    const { renderHtml } = await import("./report.js");
+    writeFileSync(opts.html, renderHtml(result));
+    console.error(`HTML report written to ${opts.html}`);
+  }
+
+  console.log(JSON.stringify(result, null, 2));
+  const s = result.summary;
+  console.error(
+    `\n${s.critical} critical, ${s.high} high, ${s.medium} medium` +
+      (result.active_probe.enabled
+        ? ` — ${result.active_probe.confirmed} CONFIRMED by fetching the bytes`
+        : "")
+  );
+}
+
+const isMain =
+  process.argv[1] &&
+  (import.meta.url === `file://${process.argv[1].replace(/\\/g, "/")}` ||
+    import.meta.url.endsWith(process.argv[1].replace(/\\/g, "/")));
+if (isMain) run().catch((e) => {
+  console.error(e.message);
+  process.exit(1);
+});

package/test/scan.test.js

@@ -0,0 +1,113 @@
+// Tests: drive scan() against a mocked fetch and assert that
+//  (1) a leaky site has each artifact CONFIRMED by its real bytes,
+//  (2) a clean / SPA-catch-all site produces zero false positives,
+//  (3) the .DS_Store binary magic and zip signature are matched correctly.
+import { scan } from "../scripts/scan.js";
+import assert from "node:assert";
+
+const SPA_HTML = "<!doctype html><html><head><title>App</title></head><body>spa</body></html>";
+
+const REAL_ENV = `# production
+NODE_ENV=production
+DATABASE_URL=postgres://user:s3cr3t@db.internal:5432/app
+STRIPE_SECRET_KEY=sk_live_51abcDEF
+JWT_SECRET=supersecretvalue
+PORT=3000
+`;
+
+const REAL_GIT_CONFIG = `[core]
+\trepositoryformatversion = 0
+[remote "origin"]
+\turl = https://x-token:ghp_abc123@github.com/acme/app.git
+`;
+
+const REAL_SOURCEMAP = JSON.stringify({
+  version: 3,
+  sources: ["webpack://app/src/index.js", "webpack://app/src/config.js"],
+  sourcesContent: ["const x=1", "export const API='https://api.acme.com'"],
+  mappings: "AAAA,SAASA",
+});
+
+// .DS_Store: 4 bytes + "Bud1" magic.
+const DS_STORE = Buffer.concat([Buffer.from([0, 0, 0, 1]), Buffer.from("Bud1"), Buffer.alloc(32)]);
+
+// zip backup: PK\x03\x04 signature.
+const ZIP_BACKUP = Buffer.concat([Buffer.from([0x50, 0x4b, 0x03, 0x04]), Buffer.alloc(64)]);
+
+function resp(status, body, ct) {
+  const buf = Buffer.isBuffer(body) ? body : Buffer.from(String(body), "utf8");
+  return {
+    ok: status >= 200 && status < 300,
+    status,
+    headers: { get: (k) => (k.toLowerCase() === "content-type" ? ct || "application/octet-stream" : null) },
+    arrayBuffer: async () => buf.buffer.slice(buf.byteOffset, buf.byteOffset + buf.byteLength),
+  };
+}
+
+function leakyFetch(url) {
+  const u = String(url);
+  if (u.endsWith("/.env")) return resp(200, REAL_ENV, "text/plain");
+  if (u.endsWith("/.git/config")) return resp(200, REAL_GIT_CONFIG, "text/plain");
+  if (u.endsWith("/main.js.map")) return resp(200, REAL_SOURCEMAP, "application/json");
+  if (u.endsWith("/.DS_Store")) return resp(200, DS_STORE, "application/octet-stream");
+  if (u.endsWith("/backup.zip")) return resp(200, ZIP_BACKUP, "application/zip");
+  // Everything else: SPA catch-all returns index.html with HTTP 200.
+  return resp(200, SPA_HTML, "text/html");
+}
+
+function cleanFetch() {
+  // Real 404s everywhere.
+  return resp(404, "Not Found", "text/plain");
+}
+
+function spaFetch() {
+  // The dangerous case: 200 + index.html for ALL paths. Must NOT false-positive.
+  return resp(200, SPA_HTML, "text/html");
+}
+
+let pass = 0;
+
+// 1) Leaky site — every artifact confirmed by its bytes.
+globalThis.fetch = async (url) => leakyFetch(url);
+let r = await scan({ url: "https://leaky.test" });
+const got = (id) => r.findings.find((f) => f.check === id && f.confirmed);
+
+assert.ok(got("dotenv"), "should confirm .env");
+assert.ok(got("dotenv").evidence.has_secrets, "should flag secret keys in .env");
+assert.ok(got("dotenv").evidence.secret_keys.includes("DATABASE_URL"), "DATABASE_URL is a secret key");
+assert.ok(got("git_config"), "should confirm .git/config");
+assert.ok(/credentials-redacted/.test(got("git_config").evidence.remote_url), "remote creds redacted");
+assert.ok(got("sourcemap"), "should confirm sourcemap");
+assert.strictEqual(got("sourcemap").evidence.source_files, 2, "two source files mapped");
+assert.ok(got("ds_store"), "should confirm .DS_Store via Bud1 magic");
+assert.ok(got("backup_dump"), "should confirm zip backup via PK signature");
+assert.strictEqual(got("backup_dump").evidence.format, "zip", "format is zip");
+assert.ok(r.active_probe.confirmed >= 5, "should confirm >=5 artifacts");
+assert.ok(r.summary.critical >= 2, "env + git are critical");
+console.log("PASS: leaky site — all 5 artifact classes confirmed by their real bytes");
+pass++;
+
+// 2) Clean site — nothing confirmed.
+globalThis.fetch = async () => cleanFetch();
+r = await scan({ url: "https://clean.test" });
+assert.strictEqual(r.findings.length, 0, "clean site has no findings");
+assert.strictEqual(r.active_probe.confirmed, 0, "clean site confirms nothing");
+console.log("PASS: clean site (all 404) — zero findings");
+pass++;
+
+// 3) SPA catch-all (200 + HTML for everything) — zero false positives.
+globalThis.fetch = async () => spaFetch();
+r = await scan({ url: "https://spa.test" });
+assert.strictEqual(r.active_probe.confirmed, 0, "SPA catch-all must not false-positive");
+assert.strictEqual(r.findings.length, 0, "SPA index.html for every path is not an exposure");
+console.log("PASS: SPA catch-all (200 index.html everywhere) — zero false positives");
+pass++;
+
+// 4) Static mode lists checks without probing.
+r = await scan({ url: "https://x.test", activeProbe: false });
+assert.strictEqual(r.active_probe.probed, 0, "no requests in --no-probe mode");
+assert.ok(r.findings.length >= 5, "static mode lists every artifact class");
+console.log("PASS: static mode (--no-probe) lists checks, sends no requests");
+pass++;
+
+console.log(`\n${pass}/4 tests passed`);