npm - logshield-cli - Versions diffs - 0.5.0 → 0.6.0 - Mend

logshield-cli 0.5.0 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,23 @@
 # Changelog
+## v0.6.0
+### Added
+- Redact modern platform tokens (GitHub, Slack, npm, PyPI, SendGrid)
+- Redact npmrc auth tokens (`:_authToken=...`)
+- Redact private key blocks (PEM/OpenSSH, including ENCRYPTED PRIVATE KEY)
+### Docs
+- Clarified redaction coverage by mode (Default vs Strict) in README and docs
+- Documented the 200KB input safety cap
+### Notes
+- No CLI flag changes
+- This release may redact more secrets in default mode (intended)
 ## v0.5.0
 ### Security

package/README.md CHANGED Viewed

@@ -46,7 +46,7 @@ After LogShield, the same logs are safe to share.
 Use LogShield whenever logs leave your system:
-- Before pasting logs into CI
+- Before logs end up in CI output or artifacts
 - Before attaching logs to GitHub issues
 - Before sending logs to third-party support
 - Before sharing logs in Slack or email
@@ -72,9 +72,9 @@ Use without --dry-run to apply.
 Notes:
-- The report is printed to stdout
+- The report is printed to **stdout** (human-readable)
 - No log content is echoed
-- Output is deterministic and CI-safe
+- In non-`--dry-run` mode, sanitized logs/JSON are written to stdout; summaries/errors go to stderr
 ```bash
 # Enforce redaction (sanitized output)
@@ -84,10 +84,6 @@ echo "email=test@example.com Authorization: Bearer abcdefghijklmnop" | logshield
 - Prefer `--dry-run` first in CI to verify you are not over-redacting.
 - Then switch to enforced mode once you are satisfied with the preview.
-LogShield is a CLI tool that scans logs and redacts **real secrets**
-(API keys, tokens, credentials) before logs are shared with others,
-AI tools, CI systems, or public channels.
 It is designed to be **predictable, conservative, and safe for production pipelines**.
 ---
@@ -104,24 +100,6 @@ They are deployed to **https://logshield.dev** via Vercel.
 - GitHub: https://github.com/afria85/LogShield
 - Sponsor: https://github.com/sponsors/afria85
-## Local preview (website)
-To preview the website on your computer:
-```bash
-npm run dev
-```
-To preview on a phone/tablet on the same Wi-Fi:
-```bash
-npm run dev:lan
-```
-Then open the printed LAN URL on your device.
----
 ## Why LogShield exists
 Logs are frequently copied into:
@@ -154,7 +132,7 @@ The same input always produces the same output.
 - No environment-dependent behavior
 - Safe for CI, audits, and reproducibility
-### 2. Zero false-positive fatality
+### 2. Prefer precision over recall
 LogShield must **not** redact non-secrets.
@@ -220,6 +198,21 @@ If a file is not provided and input is piped, LogShield automatically reads from
 Note: the npm package ships the CLI only; there is no supported JS API surface.
+### Limits
+- Maximum input size: **200KB** (safety cap). Oversized input exits with code `2`.
+### Windows note
+If `logshield` is not found after a global install, ensure your npm global bin directory is on `PATH`.
+Check it with:
+- `npm prefix -g` (add this directory to PATH)
+Restart your terminal after updating PATH.
 ---
 ## CLI Flags
@@ -264,7 +257,7 @@ logshield scan app.log
 cat app.log | logshield scan
 ```
-`--stdin` is optional; piped input is auto-detected.
+`--stdin` is optional; piped input is auto-detected. Use `--stdin` to force reading from stdin in TTY/paste workflows.
 ---
@@ -333,7 +326,7 @@ jobs:
       - uses: actions/setup-node@v4
         with:
-          node-version: 18
+          node-version: 22
       - run: npm install -g logshield-cli
@@ -425,16 +418,32 @@ Notes:
 ## What gets redacted
-Depending on rules and mode:
+LogShield uses a fixed, deterministic rule set. The exact coverage depends on the selected mode.
+### Default mode (recommended)
-- Passwords (supports quoted and JSON forms)
-- API key headers
-- Authorization bearer tokens
+- Passwords (quoted and JSON forms)
+- API key headers (e.g. `x-api-key: ...`)
+- API keys (e.g. `api_key=...`, `api-key: ...`)
+- Authorization Bearer tokens
 - JWTs
+- GitHub tokens (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`, and `github_pat_...`)
+- Slack tokens (`xox*` and `xapp-...`)
+- npm access tokens (`npm_...`)
+- npmrc auth tokens (`:_authToken=...`)
+- PyPI API tokens (`pypi-...`)
+- SendGrid API keys (`SG.<...>.<...>`)
+- Private key blocks (PEM/OpenSSH)
 - Emails
 - URLs with embedded credentials
-- Database credentials (including redis:// and mssql://)
-- Cloud provider credentials
+- Database URL credentials (including `redis://...` and `mssql://...`)
+- Cloud credentials in explicit labeled forms (e.g. `AWS_SECRET_ACCESS_KEY=...`)
+### Strict mode (adds)
+- Stripe secret keys (e.g. `sk_live_...`, `sk_test_...`)
+- AWS access keys (`AKIA...`)
+- AWS secret keys (strict fallback)
 - Credit card numbers (Luhn-validated)
 ---
@@ -460,7 +469,7 @@ Depending on rules and mode:
 LogShield guarantees:
 - Deterministic output
-- Stable behavior within the current minor line **v0.5.x**
+- Stable behavior within the current minor line **v0.6.x**
 - No runtime dependencies
 - Snapshot-tested and contract-tested
 - No telemetry
@@ -490,8 +499,7 @@ It is a **last-line safety net**, not a primary defense.
 ## License
-Apache-2.0
----
+Apache-2.0 &mdash; see `LICENSE`.
 ## Contributing

package/dist/cli/index.cjs CHANGED Viewed

@@ -157,6 +157,66 @@ var tokenRules;
 var init_tokens = __esm({
   "src/rules/tokens.ts"() {
     tokenRules = [
+      // Multi-line private key blocks (PEM/OpenSSH). Run early to avoid leaking
+      // partial material through other rules.
+      {
+        name: "PRIVATE_KEY_BLOCK",
+        pattern: /-----BEGIN\s+(?:(?:RSA|EC|DSA)\s+)?(?:ENCRYPTED\s+)?PRIVATE\s+KEY-----[\s\S]*?-----END\s+(?:(?:RSA|EC|DSA)\s+)?(?:ENCRYPTED\s+)?PRIVATE\s+KEY-----/gi,
+        replace: () => "<REDACTED_PRIVATE_KEY_BLOCK>"
+      },
+      {
+        name: "OPENSSH_PRIVATE_KEY_BLOCK",
+        pattern: /-----BEGIN OPENSSH PRIVATE KEY-----[\s\S]*?-----END OPENSSH PRIVATE KEY-----/g,
+        replace: () => "<REDACTED_PRIVATE_KEY_BLOCK>"
+      },
+      {
+        name: "PRIVATE_KEY_HEADER",
+        pattern: /-----BEGIN\s+(?:(?:RSA|EC|DSA)\s+)?(?:ENCRYPTED\s+)?PRIVATE\s+KEY-----|-----BEGIN OPENSSH PRIVATE KEY-----/gi,
+        replace: () => "<REDACTED_PRIVATE_KEY_HEADER>"
+      },
+      // Modern platform tokens (prefix-anchored, low false-positive).
+      {
+        name: "GITHUB_TOKEN",
+        pattern: /\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36,255}\b/g,
+        replace: () => "<REDACTED_GITHUB_TOKEN>"
+      },
+      {
+        name: "GITHUB_FINE_GRAINED_TOKEN",
+        pattern: /\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b/g,
+        replace: () => "<REDACTED_GITHUB_TOKEN>"
+      },
+      {
+        name: "SLACK_TOKEN",
+        pattern: /\bxox(?:b|p|a|s|r)-[A-Za-z0-9-]{10,250}\b/g,
+        replace: () => "<REDACTED_SLACK_TOKEN>"
+      },
+      {
+        name: "SLACK_APP_TOKEN",
+        pattern: /\bxapp-\d-[A-Za-z0-9-]{10,250}\b/g,
+        replace: () => "<REDACTED_SLACK_TOKEN>"
+      },
+      {
+        name: "NPM_TOKEN",
+        pattern: /\bnpm_[A-Za-z0-9]{36}\b/g,
+        replace: () => "<REDACTED_NPM_TOKEN>"
+      },
+      {
+        name: "NPMRC_AUTH_TOKEN",
+        // .npmrc-style auth token, commonly seen as:
+        //   //registry.npmjs.org/:_authToken=...
+        pattern: /(:_authToken\s*=\s*)([^\s\r\n]+)/gi,
+        replace: (_match, _ctx, groups) => `${groups[0]}<REDACTED_NPM_TOKEN>`
+      },
+      {
+        name: "PYPI_TOKEN",
+        pattern: /\bpypi-[A-Za-z0-9_-]{85,200}\b/g,
+        replace: () => "<REDACTED_PYPI_TOKEN>"
+      },
+      {
+        name: "SENDGRID_API_KEY",
+        pattern: /\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}\b/g,
+        replace: () => "<REDACTED_SENDGRID_KEY>"
+      },
       {
         name: "JWT",
         pattern: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g,
@@ -535,7 +595,7 @@ var ALLOWED_FLAGS = /* @__PURE__ */ new Set([
   "--help"
 ]);
 function getVersion() {
-  return true ? "0.5.0" : "unknown";
+  return true ? "0.6.0" : "unknown";
 }
 function printHelp() {
   process.stdout.write(`Usage: logshield scan [file]

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "logshield-cli",
-  "version": "0.5.0",
+  "version": "0.6.0",
   "license": "Apache-2.0",
   "type": "commonjs",
   "bin": {