fixyoursecret 0.3.1-developer-preview.1

package/CHANGELOG.md

@@ -0,0 +1,45 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+## [0.3.1-developer-preview.1] - 2026-03-26
+
+### Added
+- Expanded detector coverage:
+  - Twilio, SendGrid, Mailgun
+  - Anthropic, Cohere, Hugging Face
+  - GitLab, Telegram, npm token detectors
+- Detector registry and shared detector runner
+- Benchmark corpus (`fixtures/benchmark/*`) for positive and negative samples
+- Benchmark quality gate script (`scripts/benchmark.js`)
+- CI benchmark threshold enforcement (recall/precision gate)
+- Benchmark unit test
+- Multi-repo tuning harness (`scripts/multi-repo-tune.js`)
+- Weekly tuning GitHub workflow (`.github/workflows/weekly-tuning.yml`)
+- False-positive review artifact generation (`docs/tuning/false-positive-review.md`)
+
+### Improved
+- Stronger, measurable provider-detection quality process
+- Release quality now validated by tests + benchmark gate
+
+## [0.3.0-developer-preview.1] - 2026-03-26
+
+### Added
+- New detectors:
+  - AWS access key IDs
+  - Stripe secret keys
+  - Slack tokens
+  - GitHub tokens
+  - Private key block detection
+- Optional verification mode (`--verify safe`) with `--verify-strict`
+- First-class `history` command for commit-history scanning
+- Improved false-positive controls:
+  - default suppressions for test/fixture contexts
+  - value hint ignores (`example`, `dummy`, `fake`, etc.)
+
+### Changed
+- Rebranded CLI to `fixyoursecret` (kept `secretlint` alias for compatibility)
+- Default config/baseline filenames now:
+  - `.fixyoursecretrc.json`
+  - `.fixyoursecret-baseline.json`
+- CI workflow renamed and SARIF output changed to `fixyoursecret.sarif`

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Secretlint
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,223 @@
+<div align="center">
+
+# FixYourSecret
+
+**Developer Preview**
+
+An ESLint-style CLI that finds leaked credentials, flags frontend exposure, suggests fixes, and helps rotate keys safely.
+
+[![Node >= 20](https://img.shields.io/badge/node-%3E%3D20-2ea44f)](https://nodejs.org/)
+[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](./LICENSE)
+[![CI](https://img.shields.io/badge/ci-github%20actions-2088ff)](https://github.com/ssanidhya0407/fixyoursecret/actions)
+
+</div>
+
+---
+
+## What Problem This Solves
+Developers accidentally commit API keys, tokens, or private keys. That leads to abuse, unexpected costs, and incident response fire drills.
+
+FixYourSecret helps teams catch these mistakes early and fix them with clear next steps.
+
+---
+
+## Why This Is Stronger Now
+- Expanded provider detector coverage significantly.
+- Added benchmark-driven quality gates (`npm run benchmark`) so quality is measured every release.
+- Added CI threshold enforcement for recall/precision.
+- Added optional local verification mode for higher-confidence findings.
+
+---
+
+## Detector Coverage
+FixYourSecret currently includes detector coverage for:
+
+- OpenAI
+- Google
+- AWS Access Key IDs
+- Stripe Secret Keys
+- Slack Tokens
+- GitHub Tokens
+- GitLab Tokens
+- Twilio API Keys
+- SendGrid API Keys
+- Mailgun API Keys
+- Anthropic API Keys
+- Cohere API Keys
+- Hugging Face Tokens
+- Telegram Bot Tokens
+- npm Tokens
+- Private Key Blocks
+- Generic High-Entropy Tokens
+
+---
+
+## What You Get
+- Fast secret scanning with file/line/snippet output
+- Frontend exposure risk highlighting
+- Optional safe verification mode (`--verify safe`)
+- First-class history scanning (`history`)
+- Better false-positive controls (hints + suppressions + defaults)
+- Baseline support for gradual rollout
+- SARIF output for CI/security platforms
+- Template-based fix generation (`fix`)
+- Guided key rotation (`rotate`)
+
+---
+
+## Install
+```bash
+npm install
+npm test
+npm link
+```
+
+You can run either command name (compatibility included):
+
+```bash
+fixyoursecret --help
+secretlint --help
+```
+
+---
+
+## Quick Start
+```bash
+fixyoursecret init
+fixyoursecret scan --verify safe
+fixyoursecret history 30
+fixyoursecret fix
+fixyoursecret rotate openai --dry-run
+fixyoursecret hook install
+```
+
+---
+
+## Quality and Benchmarks
+Run quality checks locally:
+
+```bash
+npm run quality
+```
+
+Run benchmark only:
+
+```bash
+npm run benchmark
+```
+
+Run multi-repo tuning report:
+
+```bash
+npm run tune:multi
+```
+
+CI quality gate thresholds (defaults):
+- Recall >= 0.95
+- Precision >= 0.95
+
+These can be tuned via env vars:
+- `BENCH_MIN_RECALL`
+- `BENCH_MIN_PRECISION`
+
+Tuning workflow docs:
+- [./docs/tuning/process.md](./docs/tuning/process.md)
+
+---
+
+## Command Cheat Sheet
+| Command | Purpose | Example |
+|---|---|---|
+| `fixyoursecret init` | Create default config and baseline files | `fixyoursecret init --force` |
+| `fixyoursecret scan` | Scan current working tree | `fixyoursecret scan --verify safe` |
+| `fixyoursecret history <n>` | Scan files touched in last `n` commits | `fixyoursecret history 50 --verify safe` |
+| `fixyoursecret ci` | CI-focused SARIF scan | `fixyoursecret ci --output-file fixyoursecret.sarif` |
+| `fixyoursecret fix` | Generate backend proxy + frontend patch helper | `fixyoursecret fix --output fixyoursecret-output` |
+| `fixyoursecret rotate <provider>` | Rotate and update env safely | `fixyoursecret rotate openai --dry-run` |
+| `fixyoursecret hook install` | Install pre-commit secret scan hook | `fixyoursecret hook install` |
+
+---
+
+## Scan Options
+```bash
+fixyoursecret scan [options]
+```
+
+- `--format text|json|sarif`
+- `--output-file <path>`
+- `--fail-on low|medium|high`
+- `--config <path>`
+- `--verify none|safe`
+- `--verify-strict`
+- `--staged`
+- `--tracked`
+- `--history <n>`
+- `--baseline <path>`
+- `--update-baseline`
+- `--no-baseline`
+
+---
+
+## Verification Mode (Optional)
+`--verify safe` performs local structure checks for supported detectors (no external API calls).
+
+Use `--verify-strict` to drop findings that fail verification.
+
+---
+
+## Config (`.fixyoursecretrc.json`)
+```json
+{
+  "ignorePaths": ["node_modules/**", ".git/**", "dist/**", "build/**", ".next/**", "coverage/**"],
+  "allowedExtensions": [".js", ".ts", ".jsx", ".tsx", ".env", ".swift"],
+  "maxFileSizeKB": 256,
+  "entropyThreshold": 3.8,
+  "failOn": "high",
+  "verifyMode": "none",
+  "ignoreDetectors": [],
+  "ignoreValueHints": ["example", "dummy", "fake", "sample", "replace_in_runtime_only"],
+  "suppressions": [
+    { "path": "test/" },
+    { "path": "tests/" },
+    { "path": "__tests__/" },
+    { "path": "fixtures/" }
+  ]
+}
+```
+
+Inline suppression comments supported:
+
+```js
+// fixyoursecret-disable-next-line
+const token = "fake_token_for_docs_only";
+```
+
+---
+
+## CI Integration
+Workflow file included:
+
+- [./.github/workflows/fixyoursecret-ci.yml](./.github/workflows/fixyoursecret-ci.yml)
+
+It runs tests, benchmark gate, scan, and uploads SARIF.
+
+---
+
+## Publish
+```bash
+npm ci
+npm run quality
+npm pack --dry-run
+npm publish --access public
+```
+
+---
+
+## Notes
+- Existing users of `secretlint` command are still supported via alias.
+- Brand chosen to avoid naming collision with existing Secretlint ecosystem tooling.
+
+---
+
+## License
+MIT. See [LICENSE](./LICENSE).

package/bin/index.js

@@ -0,0 +1,116 @@
+#!/usr/bin/env node
+import { Command } from "commander";
+import { runScan } from "../commands/scan.js";
+import { runFix } from "../commands/fix.js";
+import { runRotate } from "../commands/rotate.js";
+import { runInit } from "../commands/init.js";
+import { runHookInstall } from "../commands/hook.js";
+
+const program = new Command();
+
+program
+  .name("fixyoursecret")
+  .description("Developer-first CLI for finding leaked secrets and safely fixing exposure")
+  .version("0.3.0-developer-preview.1");
+
+program
+  .command("init")
+  .description("Initialize .fixyoursecretrc.json and baseline file")
+  .option("-p, --path <path>", "project path", process.cwd())
+  .option("--force", "overwrite existing files", false)
+  .action(async (options) => {
+    process.exitCode = await runInit(options);
+  });
+
+program
+  .command("scan")
+  .description("Scan project files for leaked API keys and exposure risks")
+  .option("-p, --path <path>", "project path to scan", process.cwd())
+  .option("--json", "output findings as JSON", false)
+  .option("--format <format>", "output format: text|json|sarif", "text")
+  .option("--output-file <path>", "write JSON/SARIF output to file")
+  .option("--fail-on <severity>", "low|medium|high", "high")
+  .option("--config <path>", "custom config file path")
+  .option("--verify <mode>", "verification mode: none|safe", "none")
+  .option("--verify-strict", "drop findings that fail selected verification mode", false)
+  .option("--staged", "scan only staged git files", false)
+  .option("--tracked", "scan tracked git files", false)
+  .option("--history <n>", "scan files touched in last n commits")
+  .option("--baseline <path>", "baseline file path", ".fixyoursecret-baseline.json")
+  .option("--update-baseline", "replace baseline with current findings", false)
+  .option("--no-baseline", "ignore baseline filtering")
+  .action(async (options) => {
+    process.exitCode = await runScan(options);
+  });
+
+program
+  .command("history")
+  .description("First-class history scan (defaults to last 20 commits)")
+  .argument("[commits]", "number of commits to inspect", "20")
+  .option("-p, --path <path>", "project path to scan", process.cwd())
+  .option("--format <format>", "output format: text|json|sarif", "text")
+  .option("--output-file <path>", "write JSON/SARIF output to file")
+  .option("--fail-on <severity>", "low|medium|high", "high")
+  .option("--config <path>", "custom config file path")
+  .option("--verify <mode>", "verification mode: none|safe", "none")
+  .option("--verify-strict", "drop findings that fail selected verification mode", false)
+  .action(async (commits, options) => {
+    process.exitCode = await runScan({
+      ...options,
+      history: commits,
+    });
+  });
+
+program
+  .command("fix")
+  .description("Generate backend proxy + frontend patch template for exposed API calls")
+  .option("-p, --path <path>", "project path to inspect", process.cwd())
+  .option("-o, --output <path>", "output folder", "fixyoursecret-output")
+  .action(async (options) => {
+    process.exitCode = await runFix(options);
+  });
+
+program
+  .command("ci")
+  .description("CI-focused scan (SARIF output + fail on medium by default)")
+  .option("-p, --path <path>", "project path to scan", process.cwd())
+  .option("--output-file <path>", "sarif output path", "fixyoursecret.sarif")
+  .option("--fail-on <severity>", "low|medium|high", "medium")
+  .option("--config <path>", "custom config file path")
+  .option("--verify <mode>", "verification mode: none|safe", "safe")
+  .option("--verify-strict", "drop findings that fail selected verification mode", false)
+  .action(async (options) => {
+    process.exitCode = await runScan({
+      path: options.path,
+      format: "sarif",
+      outputFile: options.outputFile,
+      failOn: options.failOn,
+      config: options.config,
+      verify: options.verify,
+      verifyStrict: options.verifyStrict,
+      tracked: true,
+    });
+  });
+
+program
+  .command("rotate")
+  .description("Rotate API keys safely and update .env")
+  .argument("<provider>", "provider name e.g. openai")
+  .option("-p, --path <path>", "project path", process.cwd())
+  .option("--env-file <path>", "explicit .env file path")
+  .option("--dry-run", "validate and preview without writing files", false)
+  .option("--key <value>", "non-interactive key value (use with caution)")
+  .action(async (provider, options) => {
+    process.exitCode = await runRotate(provider, options);
+  });
+
+const hook = program.command("hook").description("Manage git hooks");
+hook
+  .command("install")
+  .description("Install a pre-commit hook to block high-risk secrets")
+  .option("-p, --path <path>", "project path", process.cwd())
+  .action(async (options) => {
+    process.exitCode = await runHookInstall(options);
+  });
+
+program.parseAsync(process.argv);

package/commands/fix.js

@@ -0,0 +1,88 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import { collectProjectFiles } from "../utils/fileScanner.js";
+import { logger } from "../utils/logger.js";
+import { expressProxyTemplate } from "../templates/expressProxy.js";
+
+const EXPOSED_OPENAI_CALL_REGEX =
+  /fetch\s*\(\s*["'`]https:\/\/api\.openai\.com\/[\s\S]{0,500}?["'`]?Authorization["'`]?\s*:\s*["'`]Bearer\s+sk-[A-Za-z0-9_-]{20,}["'`]/;
+
+export async function runFix(options = {}) {
+  const projectPath = path.resolve(options.path || process.cwd());
+  const outputDir = path.resolve(options.output || "fixyoursecret-output");
+
+  const files = await collectProjectFiles(projectPath);
+  const riskyFiles = [];
+
+  for (const file of files) {
+    if (!/\.(js|jsx|ts|tsx)$/i.test(file.relativePath)) continue;
+    if (EXPOSED_OPENAI_CALL_REGEX.test(file.content)) {
+      riskyFiles.push(file.relativePath);
+    }
+  }
+
+  await fs.mkdir(outputDir, { recursive: true });
+
+  const backendPath = path.join(outputDir, "backend.js");
+  const patchPath = path.join(outputDir, "frontend.patch.js");
+
+  await fs.writeFile(backendPath, expressProxyTemplate(), "utf8");
+  await fs.writeFile(patchPath, buildFrontendPatch(riskyFiles), "utf8");
+
+  logger.safe(`Generated: ${backendPath}`);
+  logger.safe(`Generated: ${patchPath}`);
+
+  if (riskyFiles.length > 0) {
+    logger.warn("Detected exposed API call patterns in:");
+    for (const file of riskyFiles) {
+      logger.log(`  - ${file}`);
+    }
+  } else {
+    logger.warn("No explicit OpenAI fetch patterns found, templates generated as preventive defaults.");
+  }
+
+  logger.log("\nNext steps:");
+  logger.log("1. Run backend proxy server (backend.js)");
+  logger.log("2. Replace direct frontend provider calls with callAIProxy(...)");
+  logger.log("3. Move API key to OPENAI_API_KEY in backend environment");
+
+  return 0;
+}
+
+function buildFrontendPatch(riskyFiles) {
+  const fileList = riskyFiles.length > 0 ? riskyFiles.map((f) => `// - ${f}`).join("\n") : "// No risky files auto-detected";
+
+  return `/**
+ * fixyoursecret generated frontend patch helper.
+ * Replace direct provider calls with this internal API call.
+ *\n${fileList}
+ */
+
+export async function callAIProxy(messages) {
+  const response = await fetch("/api/ai", {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ messages })
+  });
+
+  if (!response.ok) {
+    const err = await response.text();
+    throw new Error(
+      "Proxy request failed: " + err
+    );
+  }
+
+  return response.json();
+}
+
+/*
+Example replacement:
+
+Before:
+fetch("https://api.openai.com/v1/chat/completions", { ... Authorization: "Bearer sk-..." ... })
+
+After:
+const data = await callAIProxy(messages)
+*/
+`;
+}

package/commands/hook.js

@@ -0,0 +1,37 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import { logger } from "../utils/logger.js";
+
+export async function runHookInstall(options = {}) {
+  const projectPath = path.resolve(options.path || process.cwd());
+  const hookPath = path.join(projectPath, ".git", "hooks", "pre-commit");
+
+  const script = `#!/usr/bin/env sh
+# fixyoursecret pre-commit hook
+if command -v fixyoursecret >/dev/null 2>&1; then
+  SCANNER=fixyoursecret
+elif command -v secretlint >/dev/null 2>&1; then
+  SCANNER=secretlint
+else
+  echo "[fixyoursecret] CLI not found in PATH"
+  exit 1
+fi
+
+$SCANNER scan --staged --fail-on high --verify safe
+status=$?
+if [ "$status" -ne 0 ]; then
+  echo "[fixyoursecret] commit blocked due to high-risk findings"
+  exit $status
+fi
+`;
+
+  try {
+    await fs.mkdir(path.dirname(hookPath), { recursive: true });
+    await fs.writeFile(hookPath, script, { encoding: "utf8", mode: 0o755 });
+    logger.safe(`Installed pre-commit hook at ${hookPath}`);
+    return 0;
+  } catch (error) {
+    logger.error(`Failed to install hook: ${error.message}`);
+    return 1;
+  }
+}

package/commands/init.js

@@ -0,0 +1,30 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import { defaultConfigTemplate } from "../utils/config.js";
+import { logger } from "../utils/logger.js";
+
+export async function runInit(options = {}) {
+  const projectPath = path.resolve(options.path || process.cwd());
+  const configPath = path.join(projectPath, ".fixyoursecretrc.json");
+  const baselinePath = path.join(projectPath, ".fixyoursecret-baseline.json");
+
+  await writeIfMissing(configPath, defaultConfigTemplate(), Boolean(options.force));
+  await writeIfMissing(baselinePath, "[]\n", Boolean(options.force));
+
+  logger.safe(`Initialized ${configPath}`);
+  logger.safe(`Initialized ${baselinePath}`);
+  return 0;
+}
+
+async function writeIfMissing(filePath, content, force) {
+  if (force) {
+    await fs.writeFile(filePath, content, "utf8");
+    return;
+  }
+
+  try {
+    await fs.access(filePath);
+  } catch {
+    await fs.writeFile(filePath, content, "utf8");
+  }
+}