keysentinel 0.1.0

package/lib/index.js

@@ -0,0 +1,140 @@
+"use strict";
+/**
+ * KeySentinel - GitHub Action for scanning PR diffs for secrets
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const core = __importStar(require("@actions/core"));
+const mask_1 = require("./mask");
+const config_1 = require("./config");
+const patterns_1 = require("./patterns");
+const github_1 = require("./github");
+const scanner_1 = require("./scanner");
+async function run() {
+    try {
+        core.info('KeySentinel starting...');
+        const config = (0, config_1.loadConfig)();
+        core.debug(`Config: failOn=${config.failOn}, maxFiles=${config.maxFiles}`);
+        const token = core.getInput('github_token', { required: true });
+        const octokit = (0, github_1.createOctokit)(token);
+        const prContext = (0, github_1.getPRContext)();
+        if (!prContext) {
+            core.warning('Not running in a pull request context. Skipping scan.');
+            return;
+        }
+        const { owner, repo, pullNumber } = prContext;
+        core.info(`Scanning PR #${pullNumber} in ${owner}/${repo}`);
+        const files = await (0, github_1.getPRFiles)(octokit, owner, repo, pullNumber, config.maxFiles);
+        core.info(`Found ${files.length} file(s) in PR`);
+        if (files.length === 0) {
+            core.info('No files to scan');
+            return;
+        }
+        const patterns = (0, patterns_1.getEnabledPatterns)(config.patterns);
+        const headSha = (0, github_1.getPRHeadSha)();
+        const allFindings = [];
+        let filesScanned = 0;
+        let filesSkipped = 0;
+        for (const file of files) {
+            if (file.status === 'removed') {
+                filesSkipped++;
+                continue;
+            }
+            if ((0, config_1.shouldIgnoreFile)(file.filename, config.ignore)) {
+                core.debug(`Ignoring file: ${file.filename}`);
+                filesSkipped++;
+                continue;
+            }
+            let addedLines = [];
+            if (file.patch) {
+                addedLines = (0, scanner_1.extractAddedLines)(file.patch);
+            }
+            else {
+                core.debug(`No patch for ${file.filename}, fetching content`);
+                const content = await (0, github_1.getFileContent)(octokit, owner, repo, file.filename, headSha);
+                if (content) {
+                    const lines = content.split('\n');
+                    addedLines = lines.map((line, i) => ({ line, lineNumber: i + 1 }));
+                }
+            }
+            if (addedLines.length === 0) {
+                filesSkipped++;
+                continue;
+            }
+            const fileFindings = (0, scanner_1.scanLines)(file.filename, addedLines, config, patterns);
+            allFindings.push(...fileFindings);
+            filesScanned++;
+        }
+        core.info(`Scanned ${filesScanned} file(s), skipped ${filesSkipped} file(s)`);
+        core.info(`Found ${allFindings.length} potential secret(s)`);
+        core.setOutput('secrets_found', allFindings.length.toString());
+        const safeFindings = allFindings.map(f => ({
+            file: f.file,
+            line: f.line,
+            type: f.type,
+            severity: f.severity,
+            confidence: f.confidence,
+            snippet: f.snippet,
+        }));
+        core.setOutput('findings', JSON.stringify(safeFindings));
+        if (allFindings.length > 0) {
+            const report = (0, scanner_1.generateReport)(allFindings, filesScanned);
+            await (0, github_1.upsertComment)(octokit, owner, repo, pullNumber, report);
+        }
+        else if (config.postNoFindings) {
+            const report = (0, scanner_1.generateReport)([], filesScanned);
+            await (0, github_1.upsertComment)(octokit, owner, repo, pullNumber, report);
+        }
+        else {
+            await (0, github_1.deleteExistingComment)(octokit, owner, repo, pullNumber);
+        }
+        if ((0, scanner_1.shouldFail)(allFindings, config.failOn)) {
+            for (const finding of allFindings) {
+                core.warning(`${finding.severity.toUpperCase()}: ${finding.type} in ${finding.file}:${finding.line ?? 'N/A'} - ${(0, mask_1.maskSecret)(finding.rawValue)}`);
+            }
+            core.setFailed(`KeySentinel found ${allFindings.length} potential secret(s) at or above "${config.failOn}" severity`);
+        }
+        core.info('KeySentinel completed');
+    }
+    catch (error) {
+        if (error instanceof Error) {
+            core.setFailed(`KeySentinel failed: ${error.message}`);
+        }
+        else {
+            core.setFailed('KeySentinel failed with an unknown error');
+        }
+    }
+}
+run();

package/lib/mask.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Mask sensitive data for safe display
+ */
+/**
+ * Mask a secret value, showing only first 3 and last 3 characters
+ * @param value The secret value to mask
+ * @param showChars Number of characters to show at start and end (default 3)
+ */
+export declare function maskSecret(value: string, showChars?: number): string;
+/**
+ * Mask a line of text containing a secret
+ * Shows context around the secret while masking the sensitive part
+ */
+export declare function maskLine(line: string, secretValue: string, maxLineLength?: number): string;
+/**
+ * Mask multiple occurrences of secrets in a text
+ */
+export declare function maskMultiple(text: string, secrets: string[]): string;
+/**
+ * Redact a value for logging (complete masking)
+ */
+export declare function redact(value: string): string;

package/lib/mask.js

@@ -0,0 +1,79 @@
+"use strict";
+/**
+ * Mask sensitive data for safe display
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.maskSecret = maskSecret;
+exports.maskLine = maskLine;
+exports.maskMultiple = maskMultiple;
+exports.redact = redact;
+/**
+ * Mask a secret value, showing only first 3 and last 3 characters
+ * @param value The secret value to mask
+ * @param showChars Number of characters to show at start and end (default 3)
+ */
+function maskSecret(value, showChars = 3) {
+    if (!value)
+        return '***';
+    const len = value.length;
+    // If string is too short to meaningfully mask, mask entirely
+    if (len <= showChars * 2 + 3) {
+        return '*'.repeat(Math.min(len, 10));
+    }
+    const start = value.slice(0, showChars);
+    const end = value.slice(-showChars);
+    const maskedLen = Math.min(len - (showChars * 2), 20);
+    return `${start}${'*'.repeat(maskedLen)}${end}`;
+}
+/**
+ * Mask a line of text containing a secret
+ * Shows context around the secret while masking the sensitive part
+ */
+function maskLine(line, secretValue, maxLineLength = 100) {
+    if (!line || !secretValue)
+        return line;
+    const maskedSecret = maskSecret(secretValue);
+    let maskedLine = line.replace(secretValue, maskedSecret);
+    // Truncate if too long
+    if (maskedLine.length > maxLineLength) {
+        const secretPos = maskedLine.indexOf(maskedSecret);
+        if (secretPos === -1) {
+            // Secret not found (shouldn't happen), just truncate
+            return maskedLine.slice(0, maxLineLength - 3) + '...';
+        }
+        // Try to keep the masked secret visible
+        const contextBefore = 20;
+        const contextAfter = 20;
+        const start = Math.max(0, secretPos - contextBefore);
+        const end = Math.min(maskedLine.length, secretPos + maskedSecret.length + contextAfter);
+        let result = maskedLine.slice(start, end);
+        if (start > 0) {
+            result = '...' + result;
+        }
+        if (end < maskedLine.length) {
+            result = result + '...';
+        }
+        return result;
+    }
+    return maskedLine;
+}
+/**
+ * Mask multiple occurrences of secrets in a text
+ */
+function maskMultiple(text, secrets) {
+    let result = text;
+    for (const secret of secrets) {
+        if (secret && result.includes(secret)) {
+            result = result.split(secret).join(maskSecret(secret));
+        }
+    }
+    return result;
+}
+/**
+ * Redact a value for logging (complete masking)
+ */
+function redact(value) {
+    if (!value)
+        return '[REDACTED]';
+    return `[REDACTED:${value.length} chars]`;
+}

package/lib/patterns.d.ts

@@ -0,0 +1,49 @@
+/**
+ * Secret detection patterns and entropy calculation
+ */
+export type Severity = 'high' | 'medium' | 'low';
+export interface SecretPattern {
+    name: string;
+    pattern: RegExp;
+    severity: Severity;
+    group: string;
+}
+export interface Finding {
+    file: string;
+    line: number | null;
+    type: string;
+    severity: Severity;
+    confidence: 'high' | 'medium' | 'low';
+    snippet: string;
+    rawValue: string;
+}
+export declare const SECRET_PATTERNS: SecretPattern[];
+/**
+ * Calculate Shannon entropy of a string
+ */
+export declare function calculateEntropy(str: string): number;
+/**
+ * Check if a string looks like base64
+ */
+export declare function isBase64Like(str: string): boolean;
+/**
+ * Check if string is a common non-secret pattern
+ */
+export declare function isLikelyNonSecret(str: string): boolean;
+export interface EntropyConfig {
+    enabled: boolean;
+    minLength: number;
+    threshold: number;
+    ignoreBase64Like: boolean;
+}
+/**
+ * Detect high-entropy strings that might be secrets
+ */
+export declare function detectHighEntropyStrings(text: string, config: EntropyConfig): {
+    value: string;
+    entropy: number;
+}[];
+/**
+ * Get patterns filtered by enabled groups
+ */
+export declare function getEnabledPatterns(enabledGroups?: Record<string, boolean>): SecretPattern[];

package/lib/patterns.js

@@ -0,0 +1,310 @@
+"use strict";
+/**
+ * Secret detection patterns and entropy calculation
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SECRET_PATTERNS = void 0;
+exports.calculateEntropy = calculateEntropy;
+exports.isBase64Like = isBase64Like;
+exports.isLikelyNonSecret = isLikelyNonSecret;
+exports.detectHighEntropyStrings = detectHighEntropyStrings;
+exports.getEnabledPatterns = getEnabledPatterns;
+// Secret detection patterns organized by group
+exports.SECRET_PATTERNS = [
+    // AWS
+    {
+        name: 'AWS Access Key ID',
+        pattern: /\b(AKIA[0-9A-Z]{16})\b/g,
+        severity: 'high',
+        group: 'aws'
+    },
+    {
+        name: 'AWS Secret Access Key',
+        pattern: /\b([A-Za-z0-9/+=]{40})\b/g,
+        severity: 'high',
+        group: 'aws'
+    },
+    // GitHub
+    {
+        name: 'GitHub Personal Access Token',
+        pattern: /\b(ghp_[a-zA-Z0-9]{36})\b/g,
+        severity: 'high',
+        group: 'github'
+    },
+    {
+        name: 'GitHub OAuth Access Token',
+        pattern: /\b(gho_[a-zA-Z0-9]{36})\b/g,
+        severity: 'high',
+        group: 'github'
+    },
+    {
+        name: 'GitHub App Token',
+        pattern: /\b(ghu_[a-zA-Z0-9]{36})\b/g,
+        severity: 'high',
+        group: 'github'
+    },
+    {
+        name: 'GitHub Fine-Grained Token',
+        pattern: /\b(github_pat_[a-zA-Z0-9_]{22,82})\b/g,
+        severity: 'high',
+        group: 'github'
+    },
+    // Slack
+    {
+        name: 'Slack Bot Token',
+        pattern: /\b(xoxb-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24})\b/g,
+        severity: 'high',
+        group: 'slack'
+    },
+    {
+        name: 'Slack User Token',
+        pattern: /\b(xoxp-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24})\b/g,
+        severity: 'high',
+        group: 'slack'
+    },
+    {
+        name: 'Slack Webhook URL',
+        pattern: /https:\/\/hooks\.slack\.com\/services\/T[a-zA-Z0-9_]{8,}\/B[a-zA-Z0-9_]{8,}\/[a-zA-Z0-9_]{24}/g,
+        severity: 'high',
+        group: 'slack'
+    },
+    // Generic API Keys
+    {
+        name: 'Generic API Key',
+        pattern: /(?:api[_-]?key|apikey)\s*[:=]\s*['"]?([a-zA-Z0-9_\-]{20,})['"]?/gi,
+        severity: 'medium',
+        group: 'generic'
+    },
+    {
+        name: 'Generic Secret',
+        pattern: /(?:secret|secret[_-]?key)\s*[:=]\s*['"]?([a-zA-Z0-9_\-]{16,})['"]?/gi,
+        severity: 'medium',
+        group: 'generic'
+    },
+    {
+        name: 'Generic Password',
+        pattern: /(?:password|passwd|pwd)\s*[:=]\s*['"]?([^\s'"]{8,})['"]?/gi,
+        severity: 'medium',
+        group: 'generic'
+    },
+    {
+        name: 'Bearer Token',
+        pattern: /Bearer\s+([a-zA-Z0-9_\-.~+/]+=*)/gi,
+        severity: 'medium',
+        group: 'generic'
+    },
+    {
+        name: 'Basic Auth',
+        pattern: /Basic\s+([a-zA-Z0-9+/=]{20,})/gi,
+        severity: 'medium',
+        group: 'generic'
+    },
+    // Private Keys
+    {
+        name: 'RSA Private Key',
+        pattern: /-----BEGIN RSA PRIVATE KEY-----/g,
+        severity: 'high',
+        group: 'keys'
+    },
+    {
+        name: 'SSH Private Key',
+        pattern: /-----BEGIN OPENSSH PRIVATE KEY-----/g,
+        severity: 'high',
+        group: 'keys'
+    },
+    {
+        name: 'PGP Private Key',
+        pattern: /-----BEGIN PGP PRIVATE KEY BLOCK-----/g,
+        severity: 'high',
+        group: 'keys'
+    },
+    {
+        name: 'EC Private Key',
+        pattern: /-----BEGIN EC PRIVATE KEY-----/g,
+        severity: 'high',
+        group: 'keys'
+    },
+    // Cloud Providers
+    {
+        name: 'Google API Key',
+        pattern: /\bAIza[0-9A-Za-z_-]{35}\b/g,
+        severity: 'high',
+        group: 'google'
+    },
+    {
+        name: 'Google OAuth Client Secret',
+        pattern: /\b([a-zA-Z0-9_-]{24}\.apps\.googleusercontent\.com)\b/g,
+        severity: 'medium',
+        group: 'google'
+    },
+    // Stripe
+    {
+        name: 'Stripe Live Key',
+        pattern: /\bsk_live_[0-9a-zA-Z]{24,}\b/g,
+        severity: 'high',
+        group: 'stripe'
+    },
+    {
+        name: 'Stripe Test Key',
+        pattern: /\bsk_test_[0-9a-zA-Z]{24,}\b/g,
+        severity: 'low',
+        group: 'stripe'
+    },
+    {
+        name: 'Stripe Restricted Key',
+        pattern: /\brk_live_[0-9a-zA-Z]{24,}\b/g,
+        severity: 'high',
+        group: 'stripe'
+    },
+    // Database Connection Strings
+    {
+        name: 'Database Connection String',
+        pattern: /(?:mongodb|postgres|mysql|redis):\/\/[^\s'"]+:[^\s'"]+@[^\s'"]+/gi,
+        severity: 'high',
+        group: 'database'
+    },
+    // Twilio
+    {
+        name: 'Twilio API Key',
+        pattern: /\bSK[0-9a-fA-F]{32}\b/g,
+        severity: 'high',
+        group: 'twilio'
+    },
+    // SendGrid
+    {
+        name: 'SendGrid API Key',
+        pattern: /\bSG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}\b/g,
+        severity: 'high',
+        group: 'sendgrid'
+    },
+    // Mailchimp
+    {
+        name: 'Mailchimp API Key',
+        pattern: /\b[0-9a-f]{32}-us[0-9]{1,2}\b/g,
+        severity: 'medium',
+        group: 'mailchimp'
+    },
+    // NPM
+    {
+        name: 'NPM Token',
+        pattern: /\bnpm_[a-zA-Z0-9]{36}\b/g,
+        severity: 'high',
+        group: 'npm'
+    },
+    // Discord
+    {
+        name: 'Discord Bot Token',
+        pattern: /\b[MN][A-Za-z\d]{23,}\.[\w-]{6}\.[\w-]{27}\b/g,
+        severity: 'high',
+        group: 'discord'
+    },
+    {
+        name: 'Discord Webhook URL',
+        pattern: /https:\/\/discord(?:app)?\.com\/api\/webhooks\/[0-9]+\/[a-zA-Z0-9_-]+/g,
+        severity: 'medium',
+        group: 'discord'
+    },
+    // Heroku
+    {
+        name: 'Heroku API Key',
+        pattern: /\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b/g,
+        severity: 'medium',
+        group: 'heroku'
+    },
+    // JWT
+    {
+        name: 'JSON Web Token',
+        pattern: /\beyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]+\b/g,
+        severity: 'medium',
+        group: 'jwt'
+    },
+];
+/**
+ * Calculate Shannon entropy of a string
+ */
+function calculateEntropy(str) {
+    if (!str || str.length === 0)
+        return 0;
+    const freq = {};
+    for (const char of str) {
+        freq[char] = (freq[char] || 0) + 1;
+    }
+    let entropy = 0;
+    const len = str.length;
+    for (const count of Object.values(freq)) {
+        const p = count / len;
+        entropy -= p * Math.log2(p);
+    }
+    return entropy;
+}
+/**
+ * Check if a string looks like base64
+ */
+function isBase64Like(str) {
+    // Base64 typically has uniform character distribution from a limited alphabet
+    const base64Regex = /^[A-Za-z0-9+/]+=*$/;
+    return base64Regex.test(str) && str.length % 4 === 0;
+}
+/**
+ * Check if string is a common non-secret pattern
+ */
+function isLikelyNonSecret(str) {
+    // Common patterns that are not secrets
+    const nonSecretPatterns = [
+        /^[0-9]+$/, // Pure numbers
+        /^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/i, // UUID (often non-secret)
+        /^(true|false|null|undefined|none)$/i, // Boolean/null literals
+        /^[a-z]+(_[a-z]+)*$/i, // snake_case identifiers
+        /^[a-z]+(-[a-z]+)*$/i, // kebab-case identifiers
+        /^v?\d+\.\d+\.\d+/, // Version strings
+        /^https?:\/\/[^\s@]+$/, // URLs without credentials
+        /^[\w.+-]+@[\w.-]+\.[a-z]{2,}$/i, // Email addresses (not secrets themselves)
+        /^sha[0-9]{3}:[a-f0-9]{64}$/i, // SHA hashes
+        /^[0-9a-f]{64}$/i, // Hex hashes (SHA256)
+        /^[0-9a-f]{40}$/i, // Git commit hashes
+    ];
+    return nonSecretPatterns.some(p => p.test(str));
+}
+/**
+ * Detect high-entropy strings that might be secrets
+ */
+function detectHighEntropyStrings(text, config) {
+    if (!config.enabled)
+        return [];
+    const results = [];
+    // Match potential tokens: alphanumeric strings with special chars
+    const tokenPattern = /\b[a-zA-Z0-9_\-+/]{20,}\b/g;
+    let match;
+    while ((match = tokenPattern.exec(text)) !== null) {
+        const candidate = match[0];
+        // Skip if too short
+        if (candidate.length < config.minLength)
+            continue;
+        // Skip known non-secrets
+        if (isLikelyNonSecret(candidate))
+            continue;
+        // Skip base64-like if configured
+        if (config.ignoreBase64Like && isBase64Like(candidate))
+            continue;
+        const entropy = calculateEntropy(candidate);
+        if (entropy >= config.threshold) {
+            results.push({ value: candidate, entropy });
+        }
+    }
+    return results;
+}
+/**
+ * Get patterns filtered by enabled groups
+ */
+function getEnabledPatterns(enabledGroups) {
+    if (!enabledGroups)
+        return exports.SECRET_PATTERNS;
+    return exports.SECRET_PATTERNS.filter(pattern => {
+        const groupSetting = enabledGroups[pattern.group];
+        // If group is explicitly disabled, filter out
+        if (groupSetting === false)
+            return false;
+        // Otherwise include
+        return true;
+    });
+}

package/lib/scanner.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Core scanning logic - pure functions for testability
+ */
+import { Finding, Severity, SecretPattern } from './patterns';
+import { Config } from './config';
+/**
+ * Extract added lines from a unified diff patch
+ * Returns array of { line: text, lineNumber: number }
+ */
+export declare function extractAddedLines(patch: string): {
+    line: string;
+    lineNumber: number;
+}[];
+/**
+ * Scan text for secrets using regex patterns
+ */
+export declare function scanWithPatterns(text: string, patterns: SecretPattern[], allowlist: RegExp[]): {
+    pattern: SecretPattern;
+    match: string;
+    index: number;
+}[];
+/**
+ * Scan a single file's added lines for secrets
+ */
+export declare function scanLines(filename: string, addedLines: {
+    line: string;
+    lineNumber: number;
+}[], config: Config, patterns: SecretPattern[]): Finding[];
+/**
+ * Generate markdown report from findings
+ */
+export declare function generateReport(findings: Finding[], filesScanned: number): string;
+/**
+ * Check if workflow should fail based on severity threshold
+ */
+export declare function shouldFail(findings: Finding[], failOn: Severity | 'off'): boolean;