fixyoursecret 0.3.1-developer-preview.1

package/commands/rotate.js

@@ -0,0 +1,146 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import { stdin as input, stdout as output } from "node:process";
+import { logger } from "../utils/logger.js";
+
+const providerConfig = {
+  openai: {
+    keyName: "OPENAI_API_KEY",
+    url: "https://platform.openai.com/api-keys",
+    validator: /^sk-(?:proj-)?[A-Za-z0-9_-]{20,}$/,
+  },
+  google: {
+    keyName: "GOOGLE_API_KEY",
+    url: "https://console.cloud.google.com/apis/credentials",
+    validator: /^AIza[A-Za-z0-9_-]{35}$/,
+  },
+};
+
+export async function runRotate(provider, options = {}) {
+  const normalized = String(provider || "").toLowerCase();
+  const cfg = providerConfig[normalized];
+
+  if (!cfg) {
+    logger.error(`Unsupported provider: ${provider}. Supported: ${Object.keys(providerConfig).join(", ")}`);
+    return 1;
+  }
+
+  logger.log(`[1] Open: ${cfg.url}`);
+  logger.log("[2] Create a new key with least privilege");
+  logger.log("[3] Rotate without committing plaintext keys\n");
+
+  const newKey = await resolveKeyInput(cfg.keyName, options);
+  if (!cfg.validator.test(newKey)) {
+    logger.error("Key format looks invalid. Aborting .env update.");
+    return 1;
+  }
+
+  const projectPath = path.resolve(options.path || process.cwd());
+  const envPath = options.envFile ? path.resolve(options.envFile) : path.join(projectPath, ".env");
+
+  let envContent = "";
+  try {
+    envContent = await fs.readFile(envPath, "utf8");
+  } catch {
+    envContent = "";
+  }
+
+  const updated = upsertEnv(envContent, cfg.keyName, newKey);
+
+  if (options.dryRun) {
+    logger.warn("Dry run enabled: no file was modified.");
+    logger.log(`Would update ${envPath} with ${cfg.keyName}`);
+    return 0;
+  }
+
+  const backupPath = `${envPath}.bak.${Date.now()}`;
+  try {
+    if (envContent) {
+      await fs.writeFile(backupPath, envContent, "utf8");
+      logger.log(`Backup created: ${backupPath}`);
+    }
+
+    await fs.writeFile(envPath, updated, "utf8");
+  } catch (error) {
+    if (envContent) {
+      try {
+        await fs.writeFile(envPath, envContent, "utf8");
+      } catch {
+        logger.error("Rollback failed. Please restore from backup manually.");
+      }
+    }
+    logger.error(`Failed to update env file: ${error.message}`);
+    return 1;
+  }
+
+  logger.safe(`Updated ${envPath} with ${cfg.keyName}`);
+  logger.warn("Restart backend workers and redeploy to activate the new key.");
+  logger.log("Run `fixyoursecret scan` (or `secretlint scan`) to verify no hardcoded keys remain.");
+  return 0;
+}
+
+async function resolveKeyInput(keyName, options) {
+  if (options.key) return String(options.key).trim();
+
+  if (!input.isTTY) {
+    const chunks = [];
+    for await (const chunk of input) chunks.push(chunk);
+    return Buffer.concat(chunks).toString("utf8").trim();
+  }
+
+  return readHiddenInput(`New ${keyName}: `);
+}
+
+async function readHiddenInput(promptText) {
+  output.write(promptText);
+
+  input.setRawMode(true);
+  input.resume();
+  input.setEncoding("utf8");
+
+  return await new Promise((resolve) => {
+    let value = "";
+
+    function onData(char) {
+      if (char === "\r" || char === "\n") {
+        output.write("\n");
+        cleanup();
+        resolve(value.trim());
+        return;
+      }
+      if (char === "\u0003") {
+        cleanup();
+        process.exit(130);
+      }
+      if (char === "\u007f") {
+        value = value.slice(0, -1);
+        return;
+      }
+      value += char;
+    }
+
+    function cleanup() {
+      input.off("data", onData);
+      input.setRawMode(false);
+      input.pause();
+    }
+
+    input.on("data", onData);
+  });
+}
+
+function upsertEnv(envContent, key, value) {
+  const lineRegex = new RegExp(`^${escapeRegExp(key)}=.*$`, "m");
+  const entry = `${key}=${value}`;
+
+  if (lineRegex.test(envContent)) {
+    return envContent.replace(lineRegex, entry);
+  }
+
+  if (envContent.length === 0) return `${entry}\n`;
+  return envContent.endsWith("\n") ? envContent + `${entry}\n` : `${envContent}\n${entry}\n`;
+}
+
+function escapeRegExp(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}

package/commands/scan.js

@@ -0,0 +1,184 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import { collectProjectFiles, lineColFromIndex } from "../utils/fileScanner.js";
+import { analyzeRisk } from "../utils/riskAnalyzer.js";
+import { printFinding, printSummary, logger } from "../utils/logger.js";
+import { findingsToSarif } from "../utils/sarif.js";
+import { getRecentChangedFiles, getStagedFiles, getTrackedFiles } from "../utils/gitScanner.js";
+import { isSuppressed, loadConfig, resolveBaselinePath } from "../utils/config.js";
+import { normalizeVerifyMode, shouldSkipAsNonSecret, verifyFinding } from "../utils/verifier.js";
+import { runDetectors } from "../utils/detectorRunner.js";
+
+const SCORE = { LOW: 1, MEDIUM: 2, HIGH: 3 };
+
+export async function runScan(options = {}) {
+  const projectPath = path.resolve(options.path || process.cwd());
+  const cfgLoad = await loadConfig(projectPath, options.config);
+  const config = cfgLoad.config;
+
+  const verifyMode = normalizeVerifyMode(options.verify || config.verifyMode || "none");
+  const verifyStrict = Boolean(options.verifyStrict);
+
+  const includeOnly = await resolveScanScope(projectPath, options);
+
+  const files = await collectProjectFiles(projectPath, {
+    allowedExtensions: config.allowedExtensions,
+    ignorePaths: config.ignorePaths,
+    maxFileSizeKB: config.maxFileSizeKB,
+    includeOnly,
+  });
+
+  const findings = [];
+
+  for (const file of files) {
+    const matches = runDetectors(file.content, config);
+
+    for (const match of matches) {
+      const { line, column } = lineColFromIndex(file.content, match.index);
+      const snippet = file.lines[line - 1]?.trim() || "";
+
+      if (shouldSkipAsNonSecret(match, snippet, file.relativePath, config.ignoreValueHints)) continue;
+
+      const risk = analyzeRisk(file.relativePath, match, snippet);
+      const finding = {
+        file: file.relativePath,
+        line,
+        column,
+        issue: match.issue,
+        rule: match.rule,
+        severity: risk.severity,
+        reason: risk.reason,
+        snippet: snippet.slice(0, 180),
+        recommendation: risk.fix,
+      };
+
+      if (verifyMode !== "none") {
+        const verification = verifyFinding(match, file.content, snippet);
+        finding.verified = verification.verified;
+        finding.verificationMethod = verification.verificationMethod;
+        if (verifyStrict && !verification.verified) continue;
+      }
+
+      if (isSuppressed(finding, config.suppressions, file.lines)) continue;
+      findings.push(finding);
+    }
+  }
+
+  const deduped = dedupeFindings(findings);
+  const filtered = await applyBaselineFilter(projectPath, deduped, options);
+
+  await maybeUpdateBaseline(projectPath, deduped, options);
+
+  const format = normalizeFormat(options.format, options.json);
+  await emitOutput(filtered, format, options.outputFile);
+
+  if (format === "text") {
+    if (filtered.length === 0) {
+      logger.safe("No leaked secrets detected.");
+    } else {
+      for (const finding of filtered) printFinding(finding);
+      printSummary(filtered);
+    }
+    if (cfgLoad.loaded) logger.log(`Config: ${cfgLoad.path}`);
+    if (verifyMode !== "none") logger.log(`Verification mode: ${verifyMode}${verifyStrict ? " (strict)" : ""}`);
+  }
+
+  return shouldFail(filtered, options.failOn || config.failOn || "high") ? 1 : 0;
+}
+
+async function resolveScanScope(projectPath, options) {
+  if (options.staged) return getStagedFiles(projectPath);
+  if (options.tracked) return getTrackedFiles(projectPath);
+  if (options.history) return getRecentChangedFiles(projectPath, Number(options.history));
+  return null;
+}
+
+function dedupeFindings(findings) {
+  const seen = new Set();
+  const out = [];
+
+  for (const f of findings) {
+    const key = `${f.file}:${f.line}:${f.rule}:${f.snippet}`;
+    if (!seen.has(key)) {
+      seen.add(key);
+      out.push(f);
+    }
+  }
+
+  return out;
+}
+
+async function applyBaselineFilter(projectPath, findings, options) {
+  const candidates = [
+    resolveBaselinePath(projectPath, options.baseline),
+    path.resolve(projectPath, ".secretlint-baseline.json"),
+  ];
+  if (options.noBaseline) return findings;
+
+  let baselineSet = null;
+  for (const baselinePath of candidates) {
+    try {
+      const raw = await fs.readFile(baselinePath, "utf8");
+      const list = JSON.parse(raw);
+      if (Array.isArray(list)) {
+        baselineSet = new Set(list.filter((v) => typeof v === "string"));
+        break;
+      }
+    } catch {
+      // keep checking fallback baseline
+    }
+  }
+
+  if (!baselineSet) return findings;
+  return findings.filter((f) => !baselineSet.has(fingerprint(f)));
+}
+
+async function maybeUpdateBaseline(projectPath, findings, options) {
+  if (!options.updateBaseline) return;
+  const baselinePath = resolveBaselinePath(projectPath, options.baseline);
+  const entries = findings.map((f) => fingerprint(f)).sort();
+  await fs.writeFile(baselinePath, JSON.stringify(entries, null, 2) + "\n", "utf8");
+}
+
+async function emitOutput(findings, format, outputFile) {
+  if (format === "json") {
+    const payload = JSON.stringify(findings, null, 2);
+    return writeOrPrint(payload, outputFile);
+  }
+
+  if (format === "sarif") {
+    const payload = JSON.stringify(findingsToSarif(findings, "fixyoursecret"), null, 2);
+    return writeOrPrint(payload, outputFile);
+  }
+}
+
+async function writeOrPrint(payload, outputFile) {
+  if (outputFile) {
+    await fs.writeFile(path.resolve(outputFile), payload + "\n", "utf8");
+  } else {
+    logger.log(payload);
+  }
+}
+
+function normalizeFormat(format, jsonFlag) {
+  if (jsonFlag) return "json";
+  const safe = String(format || "text").toLowerCase();
+  return ["text", "json", "sarif"].includes(safe) ? safe : "text";
+}
+
+function shouldFail(findings, failOn) {
+  const threshold = toSeverityLabel(failOn);
+  const thresholdScore = SCORE[threshold];
+  return findings.some((f) => SCORE[f.severity] >= thresholdScore);
+}
+
+function toSeverityLabel(value) {
+  const safe = String(value || "high").toUpperCase();
+  if (safe === "LOW") return "LOW";
+  if (safe === "MEDIUM") return "MEDIUM";
+  return "HIGH";
+}
+
+function fingerprint(f) {
+  return `${f.file}:${f.line}:${f.rule}:${f.snippet}`;
+}

package/detectors/anthropic.js

@@ -0,0 +1,16 @@
+const ANTHROPIC_REGEX = /\bsk-ant-[A-Za-z0-9_-]{20,}\b/g;
+
+export function detectAnthropic(content) {
+  const findings = [];
+  for (const match of content.matchAll(ANTHROPIC_REGEX)) {
+    findings.push({
+      rule: "anthropic-api-key",
+      issue: "Anthropic API key exposed",
+      index: match.index ?? 0,
+      value: match[0],
+      type: "anthropic",
+      confidence: "high",
+    });
+  }
+  return findings;
+}

package/detectors/aws.js

@@ -0,0 +1,16 @@
+const AWS_ACCESS_KEY_ID_REGEX = /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g;
+
+export function detectAWS(content) {
+  const findings = [];
+  for (const match of content.matchAll(AWS_ACCESS_KEY_ID_REGEX)) {
+    findings.push({
+      rule: "aws-access-key-id",
+      issue: "AWS access key ID exposed",
+      index: match.index ?? 0,
+      value: match[0],
+      type: "aws",
+      confidence: "high",
+    });
+  }
+  return findings;
+}

package/detectors/cohere.js

@@ -0,0 +1,16 @@
+const COHERE_REGEX = /\bco_[A-Za-z0-9]{30,}\b/g;
+
+export function detectCohere(content) {
+  const findings = [];
+  for (const match of content.matchAll(COHERE_REGEX)) {
+    findings.push({
+      rule: "cohere-api-key",
+      issue: "Cohere API key exposed",
+      index: match.index ?? 0,
+      value: match[0],
+      type: "cohere",
+      confidence: "high",
+    });
+  }
+  return findings;
+}

package/detectors/generic.js

@@ -0,0 +1,55 @@
+const TOKEN_REGEX = /[A-Za-z0-9_\-]{24,}/g;
+
+export function detectGenericSecrets(content, options = {}) {
+  const threshold = Number.isFinite(options.entropyThreshold) ? options.entropyThreshold : 3.8;
+  const findings = [];
+  for (const match of content.matchAll(TOKEN_REGEX)) {
+    const value = match[0];
+    if (!looksLikeHighEntropy(value, threshold)) continue;
+    if (looksSafeCommonWord(value)) continue;
+
+    findings.push({
+      rule: "generic-high-entropy",
+      issue: "Potential secret-like token detected",
+      index: match.index ?? 0,
+      value,
+      type: "generic",
+      confidence: "medium",
+    });
+  }
+  return findings;
+}
+
+function looksLikeHighEntropy(value, threshold) {
+  const entropy = shannonEntropy(value);
+  const hasLower = /[a-z]/.test(value);
+  const hasUpperOrSymbol = /[A-Z]/.test(value) || /[_-]/.test(value);
+  const hasDigit = /\d/.test(value);
+  return entropy >= threshold && hasLower && hasUpperOrSymbol && hasDigit;
+}
+
+function looksSafeCommonWord(value) {
+  return (
+    value.startsWith("sk-") ||
+    value.startsWith("AIza") ||
+    value.startsWith("pk_test_") ||
+    value.startsWith("pk_live_") ||
+    value.startsWith("http") ||
+    value.includes("localhost") ||
+    value.toLowerCase().includes("component") ||
+    value.toLowerCase().includes("configuration")
+  );
+}
+
+function shannonEntropy(value) {
+  const map = new Map();
+  for (const ch of value) {
+    map.set(ch, (map.get(ch) || 0) + 1);
+  }
+  let entropy = 0;
+  for (const count of map.values()) {
+    const p = count / value.length;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}

package/detectors/github.js

@@ -0,0 +1,16 @@
+const GITHUB_TOKEN_REGEX = /\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{20,}\b|\bgithub_pat_[A-Za-z0-9_]{20,}\b/g;
+
+export function detectGitHub(content) {
+  const findings = [];
+  for (const match of content.matchAll(GITHUB_TOKEN_REGEX)) {
+    findings.push({
+      rule: "github-token",
+      issue: "GitHub token exposed",
+      index: match.index ?? 0,
+      value: match[0],
+      type: "github",
+      confidence: "high",
+    });
+  }
+  return findings;
+}

package/detectors/gitlab.js

@@ -0,0 +1,16 @@
+const GITLAB_REGEX = /\bglpat-[A-Za-z0-9_-]{20,}\b/g;
+
+export function detectGitLab(content) {
+  const findings = [];
+  for (const match of content.matchAll(GITLAB_REGEX)) {
+    findings.push({
+      rule: "gitlab-token",
+      issue: "GitLab token exposed",
+      index: match.index ?? 0,
+      value: match[0],
+      type: "gitlab",
+      confidence: "high",
+    });
+  }
+  return findings;
+}

package/detectors/google.js

@@ -0,0 +1,16 @@
+const GOOGLE_REGEX = /AIza[A-Za-z0-9_-]{35}/g;
+
+export function detectGoogle(content) {
+  const findings = [];
+  for (const match of content.matchAll(GOOGLE_REGEX)) {
+    findings.push({
+      rule: "google-key",
+      issue: "Google API key exposed",
+      index: match.index ?? 0,
+      value: match[0],
+      type: "google",
+      confidence: "high",
+    });
+  }
+  return findings;
+}

package/detectors/huggingface.js

@@ -0,0 +1,16 @@
+const HF_REGEX = /\bhf_[A-Za-z0-9]{30,}\b/g;
+
+export function detectHuggingFace(content) {
+  const findings = [];
+  for (const match of content.matchAll(HF_REGEX)) {
+    findings.push({
+      rule: "huggingface-token",
+      issue: "Hugging Face token exposed",
+      index: match.index ?? 0,
+      value: match[0],
+      type: "huggingface",
+      confidence: "high",
+    });
+  }
+  return findings;
+}

package/detectors/mailgun.js

@@ -0,0 +1,16 @@
+const MAILGUN_REGEX = /\bkey-[A-Za-z0-9]{32}\b/g;
+
+export function detectMailgun(content) {
+  const findings = [];
+  for (const match of content.matchAll(MAILGUN_REGEX)) {
+    findings.push({
+      rule: "mailgun-api-key",
+      issue: "Mailgun API key exposed",
+      index: match.index ?? 0,
+      value: match[0],
+      type: "mailgun",
+      confidence: "high",
+    });
+  }
+  return findings;
+}

package/detectors/npmToken.js

@@ -0,0 +1,16 @@
+const NPM_REGEX = /\bnpm_[A-Za-z0-9]{36}\b/g;
+
+export function detectNpmToken(content) {
+  const findings = [];
+  for (const match of content.matchAll(NPM_REGEX)) {
+    findings.push({
+      rule: "npm-token",
+      issue: "npm token exposed",
+      index: match.index ?? 0,
+      value: match[0],
+      type: "npm",
+      confidence: "high",
+    });
+  }
+  return findings;
+}

package/detectors/openai.js

@@ -0,0 +1,16 @@
+const OPENAI_REGEX = /sk-(?:proj-)?[A-Za-z0-9_-]{20,}/g;
+
+export function detectOpenAI(content) {
+  const findings = [];
+  for (const match of content.matchAll(OPENAI_REGEX)) {
+    findings.push({
+      rule: "openai-key",
+      issue: "OpenAI key exposed",
+      index: match.index ?? 0,
+      value: match[0],
+      type: "openai",
+      confidence: "high",
+    });
+  }
+  return findings;
+}

package/detectors/privateKey.js

@@ -0,0 +1,16 @@
+const PRIVATE_KEY_REGEX = /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g;
+
+export function detectPrivateKey(content) {
+  const findings = [];
+  for (const match of content.matchAll(PRIVATE_KEY_REGEX)) {
+    findings.push({
+      rule: "private-key-block",
+      issue: "Private key material exposed",
+      index: match.index ?? 0,
+      value: match[0],
+      type: "private-key",
+      confidence: "high",
+    });
+  }
+  return findings;
+}

package/detectors/registry.js

@@ -0,0 +1,37 @@
+import { detectOpenAI } from "./openai.js";
+import { detectGoogle } from "./google.js";
+import { detectAWS } from "./aws.js";
+import { detectStripe } from "./stripe.js";
+import { detectSlack } from "./slack.js";
+import { detectGitHub } from "./github.js";
+import { detectPrivateKey } from "./privateKey.js";
+import { detectGenericSecrets } from "./generic.js";
+import { detectTwilio } from "./twilio.js";
+import { detectSendGrid } from "./sendgrid.js";
+import { detectMailgun } from "./mailgun.js";
+import { detectAnthropic } from "./anthropic.js";
+import { detectCohere } from "./cohere.js";
+import { detectHuggingFace } from "./huggingface.js";
+import { detectTelegram } from "./telegram.js";
+import { detectNpmToken } from "./npmToken.js";
+import { detectGitLab } from "./gitlab.js";
+
+export const DETECTOR_REGISTRY = [
+  { key: "openai", run: detectOpenAI },
+  { key: "google", run: detectGoogle },
+  { key: "aws", run: detectAWS },
+  { key: "stripe", run: detectStripe },
+  { key: "slack", run: detectSlack },
+  { key: "github", run: detectGitHub },
+  { key: "gitlab", run: detectGitLab },
+  { key: "twilio", run: detectTwilio },
+  { key: "sendgrid", run: detectSendGrid },
+  { key: "mailgun", run: detectMailgun },
+  { key: "anthropic", run: detectAnthropic },
+  { key: "cohere", run: detectCohere },
+  { key: "huggingface", run: detectHuggingFace },
+  { key: "telegram", run: detectTelegram },
+  { key: "npm", run: detectNpmToken },
+  { key: "private-key", run: detectPrivateKey },
+  { key: "generic", run: (content, options) => detectGenericSecrets(content, options) },
+];

package/detectors/sendgrid.js

@@ -0,0 +1,16 @@
+const SENDGRID_REGEX = /\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}\b/g;
+
+export function detectSendGrid(content) {
+  const findings = [];
+  for (const match of content.matchAll(SENDGRID_REGEX)) {
+    findings.push({
+      rule: "sendgrid-api-key",
+      issue: "SendGrid API key exposed",
+      index: match.index ?? 0,
+      value: match[0],
+      type: "sendgrid",
+      confidence: "high",
+    });
+  }
+  return findings;
+}

package/detectors/slack.js

@@ -0,0 +1,16 @@
+const SLACK_TOKEN_REGEX = /\bxox(?:b|p|a|r|s)-[0-9A-Za-z-]{10,}\b/g;
+
+export function detectSlack(content) {
+  const findings = [];
+  for (const match of content.matchAll(SLACK_TOKEN_REGEX)) {
+    findings.push({
+      rule: "slack-token",
+      issue: "Slack token exposed",
+      index: match.index ?? 0,
+      value: match[0],
+      type: "slack",
+      confidence: "high",
+    });
+  }
+  return findings;
+}

package/detectors/stripe.js

@@ -0,0 +1,16 @@
+const STRIPE_SECRET_REGEX = /\bsk_live_[0-9A-Za-z]{16,}\b/g;
+
+export function detectStripe(content) {
+  const findings = [];
+  for (const match of content.matchAll(STRIPE_SECRET_REGEX)) {
+    findings.push({
+      rule: "stripe-secret-key",
+      issue: "Stripe secret key exposed",
+      index: match.index ?? 0,
+      value: match[0],
+      type: "stripe",
+      confidence: "high",
+    });
+  }
+  return findings;
+}

package/detectors/telegram.js

@@ -0,0 +1,16 @@
+const TELEGRAM_REGEX = /\b\d{8,10}:[A-Za-z0-9_-]{35}\b/g;
+
+export function detectTelegram(content) {
+  const findings = [];
+  for (const match of content.matchAll(TELEGRAM_REGEX)) {
+    findings.push({
+      rule: "telegram-bot-token",
+      issue: "Telegram bot token exposed",
+      index: match.index ?? 0,
+      value: match[0],
+      type: "telegram",
+      confidence: "high",
+    });
+  }
+  return findings;
+}