logshield-cli 0.4.0 → 0.4.1

package/CHANGELOG.md

@@ -1,5 +1,23 @@
 # Changelog
 
+## v0.4.1
+
+### Fixed
+
+- Prevented secret leakage in `--json` output by removing raw match values from the public result shape
+- Forwarded `--dry-run` into the engine to ensure consistent, future-proof behavior
+
+### Improved
+
+- Expanded credential detection for common API key variants (`api_key`, `api-key`, `apikey`) and `Authorization: Bearer ...`
+- Hardened AWS secret key strict detection to reduce false positives while keeping strict mode safe
+
+### Notes
+
+- No breaking changes
+- No new features
+- Stability and safety hardening release
+
 ## v0.4.0
 
 ### Changed
@@ -21,8 +39,6 @@
 ### Improved
 
 - CLI documentation clarity
-- Blog and docs structure consistency
-- Shared `styles.css` and `main.js` across site pages
 
 ### Notes
 

package/dist/cli/index.cjs

@@ -126,8 +126,7 @@ function applyRules(input, rules, ctx, matches) {
       const replaced = rule.replace(match, ctx, groups);
       if (replaced !== match) {
         matches.push({
-          rule: rule.name,
-          value: match
+          rule: rule.name
         });
       }
       if (ctx.dryRun) {
@@ -197,9 +196,10 @@ var credentialRules;
 var init_credentials = __esm({
   "src/rules/credentials.ts"() {
     credentialRules = [
+      // password=... or password: ...
       {
         name: "PASSWORD",
-        pattern: /\bpassword=([^\s]+)/gi,
+        pattern: /\bpassword\s*[:=]\s*([^\s]+)/gi,
         replace: () => "password=<REDACTED_PASSWORD>"
       },
       // DB URL credential: postgres://user:pass@host
@@ -208,17 +208,30 @@ var init_credentials = __esm({
         pattern: /\b(postgres|mysql|mongodb):\/\/([^:\s]+):([^@\s]+)@/gi,
         replace: (_match, _ctx, groups) => `${groups[0]}://${groups[1]}:<REDACTED_PASSWORD>@`
       },
-      // apiKey=...
+      /**
+       * API key (common variants):
+       * - apiKey=...
+       * - api_key=...
+       * - api-key: ...
+       * - apikey=...
+       * Supports '=' or ':' and optional quotes/spaces.
+       */
       {
         name: "API_KEY",
-        pattern: /\bapiKey=([A-Za-z0-9_\-]{16,})\b/g,
+        pattern: /\bapi(?:[_-]?key)\s*[:=]\s*["']?([A-Za-z0-9_\-]{16,})["']?\b/gi,
         replace: () => "<REDACTED_API_KEY>"
       },
       // x-api-key: ....
       {
         name: "API_KEY_HEADER",
-        pattern: /\bx-api-key:\s*[A-Za-z0-9_\-]{16,}\b/gi,
+        pattern: /\bx-api-key\s*:\s*["']?[A-Za-z0-9_\-]{16,}["']?\b/gi,
         replace: () => "x-api-key: <REDACTED_API_KEY>"
+      },
+      // authorization: Bearer ...
+      {
+        name: "AUTHORIZATION_BEARER",
+        pattern: /\bauthorization\s*:\s*bearer\s+([A-Za-z0-9._\-]{16,})\b/gi,
+        replace: () => "authorization: Bearer <REDACTED_TOKEN>"
       }
     ];
   }
@@ -234,9 +247,24 @@ var init_cloud = __esm({
         pattern: /\bAKIA[0-9A-Z]{16,20}\b/g,
         replace: (match, { strict }) => strict ? "<REDACTED_AWS_KEY>" : match
       },
+      /**
+       * Prefer contextual AWS secret key detection first:
+       * - AWS_SECRET_ACCESS_KEY=...
+       * - aws_secret_access_key: ...
+       * - secretAccessKey=...
+       */
+      {
+        name: "AWS_SECRET_ACCESS_KEY",
+        pattern: /\b(?:AWS_SECRET_ACCESS_KEY|aws_secret_access_key|secretAccessKey|awsSecretAccessKey)\s*[:=]\s*["']?([A-Za-z0-9\/+=]{40})["']?\b/g,
+        replace: (_match, { strict }, groups) => strict ? "<REDACTED_AWS_SECRET>" : _match.replace(groups[0], "<REDACTED_AWS_SECRET>")
+      },
+      /**
+       * Strict-only broad fallback, but require at least one of / + = inside the 40 chars
+       * to reduce false positives on purely alphanumeric 40-char strings.
+       */
       {
         name: "AWS_SECRET_KEY",
-        pattern: /\b[A-Za-z0-9\/+=]{40}\b/g,
+        pattern: /\b(?=[A-Za-z0-9\/+=]{40}\b)(?=[A-Za-z0-9\/+=]*[\/+=])[A-Za-z0-9\/+=]{40}\b/g,
         replace: (match, { strict }) => strict ? "<REDACTED_AWS_SECRET>" : match
       },
       {
@@ -389,7 +417,7 @@ var { printSummary: printSummary2 } = (init_summary(), __toCommonJS(summary_expo
 var { sanitizeLog: sanitizeLog2 } = (init_sanitizeLog(), __toCommonJS(sanitizeLog_exports));
 var rawArgs = process.argv.slice(2).map((arg) => arg === "-h" ? "--help" : arg);
 function getVersion() {
-  return true ? "0.4.0" : "unknown";
+  return true ? "0.4.1" : "unknown";
 }
 function printHelp() {
   process.stdout.write(`Usage: logshield scan [file]
@@ -447,10 +475,8 @@ function renderDryRunReport(matches) {
   process.stdout.write(`Detected ${total} ${label}:
 `);
   for (const { rule, count } of entries) {
-    process.stdout.write(
-      `  ${rule.padEnd(maxLen)}  x${count}
-`
-    );
+    process.stdout.write(`  ${rule.padEnd(maxLen)}  x${count}
+`);
   }
   process.stdout.write("\n");
   process.stdout.write("No output was modified.\n");
@@ -495,7 +521,7 @@ async function main() {
   }
   try {
     const input = await readInput2(useStdin ? void 0 : file);
-    const result = sanitizeLog2(input, { strict });
+    const result = sanitizeLog2(input, { strict, dryRun });
     if (dryRun) {
       renderDryRunReport(result.matches);
       if (failOnDetect && result.matches.length > 0) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "logshield-cli",
-  "version": "0.4.0",
+  "version": "0.4.1",
   "license": "Apache-2.0",
   "type": "commonjs",
   "bin": {
@@ -17,6 +17,7 @@
     "build:web": "vite build --outDir dist-web",
     "build:blog": "node scripts/build-blog.js",
     "dev:web": "vite",
+    "typecheck": "tsc -p tsconfig.core.json && tsc -p tsconfig.cli.json --noEmit",
     "pretest": "npm run build",
     "test": "vitest",
     "prepublishOnly": "npm run build"
@@ -27,6 +28,7 @@
     "esbuild": "^0.25.0",
     "postcss": "^8.5.6",
     "tailwindcss": "^3.4.19",
+    "typescript": "^5.9.3",
     "vitest": "^4.0.0"
   }
 }