git-ward 0.1.1 → 0.1.4
- package/Cargo.toml +1 -1
- package/README.md +27 -0
- package/package.json +1 -1
- package/src/scanner.rs +19 -0
package/Cargo.toml
CHANGED
package/README.md
CHANGED
|
@@ -10,6 +10,7 @@
|
|
|
10
10
|
- **Ethereum Private Keys**
|
|
11
11
|
- **BIP-39 Mnemonics**
|
|
12
12
|
- **Generic API Keys**
|
|
13
|
+
- **.env Files** (Blocks `.env`, `.env.local`, etc. Allows `.example`/`.sample`)
|
|
13
14
|
- **High Entropy Strings** (with false positive filtering)
|
|
14
15
|
- **Configurable:** Ignore specific files via `.wardignore` or `ward.toml`.
|
|
15
16
|
|
|
@@ -61,6 +62,28 @@ You can also run a scan manually without committing:
|
|
|
61
62
|
ward scan
|
|
62
63
|
```
|
|
63
64
|
|
|
65
|
+
## 🗑 Uninstallation
|
|
66
|
+
|
|
67
|
+
To remove the Git hook:
|
|
68
|
+
|
|
69
|
+
```bash
|
|
70
|
+
# Run this in your repo root
|
|
71
|
+
rm .git/hooks/pre-commit
|
|
72
|
+
# Or if you have other hooks, edit .git/hooks/pre-commit and manually remove the ward lines
|
|
73
|
+
```
|
|
74
|
+
|
|
75
|
+
## 🤖 CI/CD Integration
|
|
76
|
+
|
|
77
|
+
You can run Ward in your CI pipeline to prevent secrets from being merged.
|
|
78
|
+
|
|
79
|
+
### GitHub Actions
|
|
80
|
+
|
|
81
|
+
```yaml
|
|
82
|
+
steps:
|
|
83
|
+
- uses: actions/checkout@v3
|
|
84
|
+
- run: npx git-ward scan
|
|
85
|
+
```
|
|
86
|
+
|
|
64
87
|
## ⚙️ Configuration (`ward.toml`)
|
|
65
88
|
|
|
66
89
|
Create a `ward.toml` in your project root to customize behavior:
|
|
@@ -86,6 +109,10 @@ generated/
|
|
|
86
109
|
*.log
|
|
87
110
|
```
|
|
88
111
|
|
|
112
|
+
## 🤝 Contributing
|
|
113
|
+
|
|
114
|
+
Contributions are welcome! Please open an issue or submit a PR on GitHub.
|
|
115
|
+
|
|
89
116
|
## License
|
|
90
117
|
|
|
91
118
|
MIT
|
package/package.json
CHANGED
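--- a/package/src/scanner.rs
+++ b/package/src/scanner.rs
@@ -68,6 +68,25 @@ impl Scanner {
 
 let mut violations = vec![];
 
+// 0. File Name Check
+if let Some(filename) = path.file_name().and_then(|s| s.to_str()) {
+// Block .env and .env.* (e.g. .env.local, .env.production)
+// But allow .env.example, .env.sample (common safe patterns)
+if filename.starts_with(".env") {
+let is_safe_example = filename.ends_with(".example") || filename.ends_with(".sample");
+
+if !is_safe_example {
+violations.push(Violation {
+file: path.to_path_buf(),
+line: 1,
+rule: format!("Critical: {} detected", filename),
+snippet: "Do not commit .env files. Use .env.example instead.".to_string(),
+});
+return Ok(violations);
+}
+}
+}
+
 for (i, line) in content.lines().enumerate() {
 let line_idx = i + 1;
 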
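Review bot: The prefix test `if filename.starts_with(".env")` on the new side is wider than the README's "`.env`, `.env.local`, etc." and than the violation text "Do not commit .env files": it also fires on `.envrc`, `.environment` or any `.env-*` name, and such a file can then only be committed after listing it in `.wardignore`. Tightening it to `if filename == ".env" || filename.starts_with(".env.") {` keeps the documented scope and the message accurate; if `.envrc` (direnv) is meant to be blocked as well, that deserves its own rule and wording. Separately, `path.file_name().and_then(|s| s.to_str())` yields `None` for a non-UTF-8 file name, so the whole check is silently skipped for such a path; `path.file_name().map(|s| s.to_string_lossy())` keeps it in force (`starts_with`/`ends_with` and the `format!` work unchanged on the `Cow<str>`). The comparison is also case-sensitive, so `.ENV` or `.Env.local` passes on case-insensitive filesystems unless the name is lowercased first — hedged, since the scanner's other rules may already normalise names elsewhere. The enclosing method's signature and the rest of its body lie outside the hunk.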