npm - git-ward - Versions diffs - 0.1.0 → 0.1.3 - Mend

git-ward 0.1.0 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/Cargo.toml CHANGED Viewed

@@ -1,6 +1,6 @@
 [package]
 name = "ward"
-version = "0.1.0"
+version = "0.1.3"
 edition = "2021"
 authors = ["awixor"]
 description = "Local-First Git Guard for preventing secret leaks"

package/LICENSE CHANGED Viewed

@@ -1,6 +1,6 @@
 MIT License
-Copyright (c) 2026 Elhoucine Aouassar
+Copyright (c) 2026 awixor
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/README.md CHANGED Viewed

@@ -4,14 +4,15 @@
 ## 🚀 Features
-- **Zero Friction:** Scans staged files in < 50ms.
+- **Zero Friction:** Scans _staged_ files in < 50ms (ignoring working directory changes).
 - **Privacy First:** All scanning happens locally. No data leaves your machine.
 - **Smart Detection:**
   - **Ethereum Private Keys**
   - **BIP-39 Mnemonics**
   - **Generic API Keys**
+  - **.env Files** (Blocks `.env`, `.env.local`, etc. Allows `.example`/`.sample`)
   - **High Entropy Strings** (with false positive filtering)
-- **Configurable:** Ignore specific files or patterns via `ward.toml`.
+- **Configurable:** Ignore specific files via `.wardignore` or `ward.toml`.
 ## 📦 Installation
@@ -76,6 +77,16 @@ name = "My Custom Token"
 regex = "MYTOKEN-[0-9]{5}"
 ```
+### Using `.wardignore`
+You can also create a standard `.wardignore` file in your project root (works like `.gitignore`):
+```text
+secrets.txt
+generated/
+*.log
+```
 ## License
 MIT

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "git-ward",
-  "version": "0.1.0",
+  "version": "0.1.3",
   "description": "Local-First Git Guard for preventing secret leaks",
   "bin": {
     "ward": "./bin/ward.js"

package/src/config.rs CHANGED Viewed

@@ -37,12 +37,24 @@ impl Default for Config {
 }
 pub fn load_config() -> Result<Config> {
-    let config_path = Path::new("ward.toml");
-    if config_path.exists() {
-        let content = fs::read_to_string(config_path).context("Failed to read ward.toml")?;
-        let config: Config = toml::from_str(&content).context("Failed to parse ward.toml")?;
-        Ok(config)
+    let mut config = if Path::new("ward.toml").exists() {
+        let content = fs::read_to_string("ward.toml").context("Failed to read ward.toml")?;
+        toml::from_str(&content).context("Failed to parse ward.toml")?
     } else {
-        Ok(Config::default())
+        Config::default()
+    };
+    // Load .wardignore if exists
+    let ignore_path = Path::new(".wardignore");
+    if ignore_path.exists() {
+        let content = fs::read_to_string(ignore_path).context("Failed to read .wardignore")?;
+        for line in content.lines() {
+            let line = line.trim();
+            if !line.is_empty() && !line.starts_with('#') {
+                config.exclude.push(line.to_string());
+            }
+        }
     }
+    Ok(config)
 }

package/src/git.rs CHANGED Viewed

@@ -94,3 +94,26 @@ pub fn get_staged_files() -> Result<Vec<PathBuf>> {
     Ok(files)
 }
+pub fn get_staged_content(path: &Path) -> Result<String> {
+    // Use git show :path/to/file to get content from index
+    // Note: path must be relative to repo root, which get_staged_files returns
+    let path_str = path.to_str().context("Invalid path encoding")?;
+    let output = Command::new("git")
+        .args(&["show", &format!(":{}", path_str)])
+        .output()
+        .context(format!("Failed to read staged content for {}", path_str))?;
+    if !output.status.success() {
+        // If file is deleted in index or error, we might get here.
+        // For pre-commit diff-filter=ACM, it should exist.
+        // Fallback or error? Let's error for now to be safe.
+        return Err(anyhow::anyhow!("git show failed for {}", path_str));
+    }
+    let content = String::from_utf8(output.stdout)
+        .context("File content is not valid UTF-8 (binary?)")?;
+    Ok(content)
+}

package/src/main.rs CHANGED Viewed

@@ -51,9 +51,19 @@ fn main() -> Result<()> {
             let mut all_violations = vec![];
             for file in files {
-                match scanner.scan_file(&file) {
-                    Ok(mut v) => all_violations.append(&mut v),
-                    Err(e) => eprintln!("Error scanning {:?}: {}", file, e),
+                // Fetch content from git index (staged)
+                match git::get_staged_content(&file) {
+                    Ok(content) => {
+                         match scanner.scan_content(&file, &content) {
+                            Ok(mut v) => all_violations.append(&mut v),
+                            Err(e) => eprintln!("Error scanning {:?}: {}", file, e),
+                        }
+                    },
+                    Err(_) => {
+                        // Binary file or deleted? specific patterns might cause this.
+                        // For now we skip, mirroring "safe defaults"
+                        // In future: verbose log
+                    }
                 }
             }

package/src/scanner.rs CHANGED Viewed

@@ -1,7 +1,7 @@
 use crate::config::Config;
 use regex::Regex;
 use globset::{Glob, GlobSet, GlobSetBuilder};
-use std::fs;
+// use std::fs; // Removed unused import
 use std::path::{Path, PathBuf};
 use std::collections::HashMap;
 use anyhow::Result;
@@ -61,19 +61,31 @@ impl Scanner {
         Self { config, patterns, exclude_globnet }
     }
-    pub fn scan_file(&self, path: &Path) -> Result<Vec<Violation>> {
+    pub fn scan_content(&self, path: &Path, content: &str) -> Result<Vec<Violation>> {
         if self.exclude_globnet.is_match(path) {
             return Ok(vec![]);
         }
         let mut violations = vec![];
-        // Skip binary check (basic)
-        // In a real impl, we'd read first 1024 bytes to check for nulls
-        let content = match fs::read_to_string(path) {
-            Ok(c) => c,
-            Err(_) => return Ok(vec![]), // Skip binary or unreadable
-        };
+        // 0. File Name Check
+        if let Some(filename) = path.file_name().and_then(|s| s.to_str()) {
+            // Block .env and .env.* (e.g. .env.local, .env.production)
+            // But allow .env.example, .env.sample (common safe patterns)
+            if filename.starts_with(".env") {
+                let is_safe_example = filename.ends_with(".example") || filename.ends_with(".sample");
+                if !is_safe_example {
+                     violations.push(Violation {
+                        file: path.to_path_buf(),
+                        line: 1,
+                        rule: format!("Critical: {} detected", filename),
+                        snippet: "Do not commit .env files. Use .env.example instead.".to_string(),
+                    });
+                    return Ok(violations);
+                }
+            }
+        }
         for (i, line) in content.lines().enumerate() {
             let line_idx = i + 1;