react-code-smell-detector 1.1.1 → 1.2.0

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "react-code-smell-detector",
-  "version": "1.1.1",
-  "description": "Detect code smells in React projects - useEffect overuse, prop drilling, large components, and more",
+  "version": "1.2.0",
+  "description": "Detect code smells in React projects - useEffect overuse, prop drilling, large components, security issues, accessibility, and more",
   "main": "dist/index.js",
   "bin": {
     "react-smell": "dist/cli.js"

package/src/analyzer.ts

@@ -18,6 +18,9 @@ import {
   detectNodejsIssues,
   detectJavascriptIssues,
   detectTypescriptIssues,
+  detectDebugStatements,
+  detectSecurityIssues,
+  detectAccessibilityIssues,
 } from './detectors/index.js';
 import {
   AnalysisResult,
@@ -123,19 +126,58 @@ function analyzeFile(parseResult: ParseResult, filePath: string, config: Detecto
     smells.push(...detectNodejsIssues(component, filePath, sourceCode, config, imports));
     smells.push(...detectJavascriptIssues(component, filePath, sourceCode, config));
     smells.push(...detectTypescriptIssues(component, filePath, sourceCode, config));
+    // Debug, Security, Accessibility
+    smells.push(...detectDebugStatements(component, filePath, sourceCode, config));
+    smells.push(...detectSecurityIssues(component, filePath, sourceCode, config));
+    smells.push(...detectAccessibilityIssues(component, filePath, sourceCode, config));
   });
 
   // Run cross-component analysis
   smells.push(...analyzePropDrillingDepth(components, filePath, sourceCode, config));
 
+  // Filter out smells with @smell-ignore comments
+  const filteredSmells = filterIgnoredSmells(smells, sourceCode);
+
   return {
     file: filePath,
     components: componentInfos,
-    smells,
+    smells: filteredSmells,
     imports,
   };
 }
 
+/**
+ * Filter out smells that have @smell-ignore comment on the preceding line
+ * Supports: // @smell-ignore, block comments with @smell-ignore, @smell-ignore [type]
+ */
+function filterIgnoredSmells(smells: CodeSmell[], sourceCode: string): CodeSmell[] {
+  const lines = sourceCode.split('\n');
+  
+  return smells.filter(smell => {
+    if (smell.line <= 1) return true;
+    
+    // Check the line before and the same line for ignore comments
+    const lineIndex = smell.line - 1; // Convert to 0-indexed
+    const prevLine = lines[lineIndex - 1]?.trim() || '';
+    const currentLine = lines[lineIndex]?.trim() || '';
+    
+    // Check for @smell-ignore patterns
+    const ignorePatterns = [
+      /@smell-ignore\s*$/,                           // @smell-ignore (ignore all)
+      /@smell-ignore\s+\*/,                          // @smell-ignore * (ignore all)
+      new RegExp(`@smell-ignore\\s+${smell.type}`),  // @smell-ignore [specific-type]
+    ];
+    
+    for (const pattern of ignorePatterns) {
+      if (pattern.test(prevLine) || pattern.test(currentLine)) {
+        return false; // Filter out this smell
+      }
+    }
+    
+    return true; // Keep this smell
+  });
+}
+
 function calculateSummary(files: FileAnalysis[]): AnalysisSummary {
   const smellsByType: Record<SmellType, number> = {
     'useEffect-overuse': 0,
@@ -176,6 +218,19 @@ function calculateSummary(files: FileAnalysis[]): AnalysisSummary {
     'ts-missing-return-type': 0,
     'ts-non-null-assertion': 0,
     'ts-type-assertion': 0,
+    // Debug statements
+    'debug-statement': 0,
+    'todo-comment': 0,
+    // Security
+    'security-xss': 0,
+    'security-eval': 0,
+    'security-secrets': 0,
+    // Accessibility
+    'a11y-missing-alt': 0,
+    'a11y-missing-label': 0,
+    'a11y-interactive-role': 0,
+    'a11y-keyboard': 0,
+    'a11y-semantic': 0,
   };
 
   const smellsBySeverity: Record<SmellSeverity, number> = {

package/src/cli.ts

@@ -6,6 +6,7 @@ import ora from 'ora';
 import path from 'path';
 import { analyzeProject, DEFAULT_CONFIG } from './analyzer.js';
 import { reportResults } from './reporter.js';
+import { generateHTMLReport } from './htmlReporter.js';
 import fs from 'fs/promises';
 
 const program = new Command();
@@ -13,11 +14,13 @@ const program = new Command();
 program
   .name('react-smell')
   .description('Detect code smells in React projects')
-  .version('1.0.0')
+  .version('1.2.0')
   .argument('[directory]', 'Directory to analyze', '.')
-  .option('-f, --format <format>', 'Output format: console, json, markdown', 'console')
+  .option('-f, --format <format>', 'Output format: console, json, markdown, html', 'console')
   .option('-s, --snippets', 'Show code snippets in output', false)
   .option('-c, --config <file>', 'Path to config file')
+  .option('--ci', 'CI mode: exit with code 1 if any issues found')
+  .option('--fail-on <severity>', 'Exit with code 1 if issues of this severity or higher (error, warning, info)', 'error')
   .option('--max-effects <number>', 'Max useEffects per component', parseInt)
   .option('--max-props <number>', 'Max props before warning', parseInt)
   .option('--max-lines <number>', 'Max lines per component', parseInt)
@@ -72,11 +75,20 @@ program
 
       spinner.stop();
 
-      const output = reportResults(result, {
-        format: options.format,
-        showCodeSnippets: options.snippets,
-        rootDir,
-      });
+      let output: string;
+      if (options.format === 'html') {
+        output = generateHTMLReport(result, rootDir);
+        // Auto-set output file for HTML if not specified
+        if (!options.output) {
+          options.output = 'code-smell-report.html';
+        }
+      } else {
+        output = reportResults(result, {
+          format: options.format,
+          showCodeSnippets: options.snippets,
+          rootDir,
+        });
+      }
 
       if (options.output) {
         const outputPath = path.resolve(process.cwd(), options.output);
@@ -86,8 +98,30 @@ program
         console.log(output);
       }
 
-      // Exit with error code if there are errors
-      if (result.summary.smellsBySeverity.error > 0) {
+      // CI/CD exit code handling
+      const { smellsBySeverity } = result.summary;
+      let shouldFail = false;
+
+      if (options.ci) {
+        // CI mode: fail on any issues
+        shouldFail = result.summary.totalSmells > 0;
+      } else {
+        // Check fail-on threshold
+        switch (options.failOn) {
+          case 'info':
+            shouldFail = smellsBySeverity.info > 0 || smellsBySeverity.warning > 0 || smellsBySeverity.error > 0;
+            break;
+          case 'warning':
+            shouldFail = smellsBySeverity.warning > 0 || smellsBySeverity.error > 0;
+            break;
+          case 'error':
+          default:
+            shouldFail = smellsBySeverity.error > 0;
+            break;
+        }
+      }
+
+      if (shouldFail) {
         process.exit(1);
       }
     } catch (error) {

package/src/detectors/accessibility.ts

@@ -0,0 +1,212 @@
+import * as t from '@babel/types';
+import { ParsedComponent, getCodeSnippet } from '../parser/index.js';
+import { CodeSmell, DetectorConfig, DEFAULT_CONFIG } from '../types/index.js';
+
+/**
+ * Detects accessibility (a11y) issues:
+ * - Images without alt text
+ * - Form inputs without labels
+ * - Missing ARIA attributes on interactive elements
+ * - Click handlers without keyboard support
+ * - Improper heading hierarchy
+ */
+export function detectAccessibilityIssues(
+  component: ParsedComponent,
+  filePath: string,
+  sourceCode: string,
+  config: DetectorConfig = DEFAULT_CONFIG
+): CodeSmell[] {
+  if (!config.checkAccessibility) return [];
+
+  const smells: CodeSmell[] = [];
+
+  component.path.traverse({
+    JSXOpeningElement(path) {
+      if (!t.isJSXIdentifier(path.node.name)) return;
+      
+      const elementName = path.node.name.name;
+      const attributes = path.node.attributes;
+      const loc = path.node.loc;
+      const line = loc?.start.line || 0;
+
+      // Helper to check if attribute exists
+      const hasAttr = (name: string): boolean => {
+        return attributes.some(attr => {
+          if (t.isJSXAttribute(attr) && t.isJSXIdentifier(attr.name)) {
+            return attr.name.name === name;
+          }
+          // Handle spread attributes - assume they might contain the attribute
+          return t.isJSXSpreadAttribute(attr);
+        });
+      };
+
+      // Helper to get attribute value
+      const getAttrValue = (name: string): string | null => {
+        for (const attr of attributes) {
+          if (t.isJSXAttribute(attr) && t.isJSXIdentifier(attr.name) && attr.name.name === name) {
+            if (t.isStringLiteral(attr.value)) {
+              return attr.value.value;
+            }
+          }
+        }
+        return null;
+      };
+
+      // Check for images without alt text
+      if (elementName === 'img') {
+        if (!hasAttr('alt')) {
+          smells.push({
+            type: 'a11y-missing-alt',
+            severity: 'error',
+            message: `<img> missing alt attribute in "${component.name}"`,
+            file: filePath,
+            line,
+            column: loc?.start.column || 0,
+            suggestion: 'Add alt="description" for content images, or alt="" for decorative images',
+            codeSnippet: getCodeSnippet(sourceCode, line),
+          });
+        } else {
+          const altValue = getAttrValue('alt');
+          if (altValue !== null && altValue.toLowerCase().includes('image')) {
+            smells.push({
+              type: 'a11y-missing-alt',
+              severity: 'info',
+              message: `<img> alt text shouldn't contain "image" - it's redundant`,
+              file: filePath,
+              line,
+              column: loc?.start.column || 0,
+              suggestion: 'Describe what the image shows, not that it is an image',
+              codeSnippet: getCodeSnippet(sourceCode, line),
+            });
+          }
+        }
+      }
+
+      // Check for form inputs without associated labels
+      if (elementName === 'input' || elementName === 'textarea' || elementName === 'select') {
+        const inputType = getAttrValue('type') || 'text';
+        
+        // Skip hidden inputs
+        if (inputType === 'hidden') return;
+        
+        const hasLabel = hasAttr('aria-label') || 
+                        hasAttr('aria-labelledby') || 
+                        hasAttr('id'); // Assume id might be linked to a label
+        
+        if (!hasLabel) {
+          smells.push({
+            type: 'a11y-missing-label',
+            severity: 'warning',
+            message: `<${elementName}> without accessible label in "${component.name}"`,
+            file: filePath,
+            line,
+            column: loc?.start.column || 0,
+            suggestion: 'Add aria-label, aria-labelledby, or associate with a <label> element',
+            codeSnippet: getCodeSnippet(sourceCode, line),
+          });
+        }
+      }
+
+      // Check for interactive divs/spans without proper role and keyboard support
+      if (elementName === 'div' || elementName === 'span') {
+        const hasOnClick = hasAttr('onClick');
+        const hasRole = hasAttr('role');
+        const hasTabIndex = hasAttr('tabIndex');
+        const hasKeyboardHandler = hasAttr('onKeyDown') || hasAttr('onKeyUp') || hasAttr('onKeyPress');
+
+        if (hasOnClick) {
+          if (!hasRole) {
+            smells.push({
+              type: 'a11y-interactive-role',
+              severity: 'warning',
+              message: `Clickable <${elementName}> without role attribute in "${component.name}"`,
+              file: filePath,
+              line,
+              column: loc?.start.column || 0,
+              suggestion: 'Add role="button" or use a <button> element instead',
+              codeSnippet: getCodeSnippet(sourceCode, line),
+            });
+          }
+
+          if (!hasTabIndex) {
+            smells.push({
+              type: 'a11y-interactive-role',
+              severity: 'warning',
+              message: `Clickable <${elementName}> not focusable in "${component.name}"`,
+              file: filePath,
+              line,
+              column: loc?.start.column || 0,
+              suggestion: 'Add tabIndex={0} to make the element focusable',
+              codeSnippet: getCodeSnippet(sourceCode, line),
+            });
+          }
+
+          if (!hasKeyboardHandler) {
+            smells.push({
+              type: 'a11y-keyboard',
+              severity: 'info',
+              message: `Clickable <${elementName}> without keyboard handler in "${component.name}"`,
+              file: filePath,
+              line,
+              column: loc?.start.column || 0,
+              suggestion: 'Add onKeyDown to handle Enter/Space for keyboard users',
+              codeSnippet: getCodeSnippet(sourceCode, line),
+            });
+          }
+        }
+      }
+
+      // Check for anchor tags without href (should be buttons)
+      if (elementName === 'a') {
+        if (!hasAttr('href')) {
+          smells.push({
+            type: 'a11y-semantic',
+            severity: 'warning',
+            message: `<a> without href should be a <button> in "${component.name}"`,
+            file: filePath,
+            line,
+            column: loc?.start.column || 0,
+            suggestion: 'Use <button> for actions and <a href="..."> for navigation',
+            codeSnippet: getCodeSnippet(sourceCode, line),
+          });
+        }
+      }
+
+      // Check for proper button usage
+      if (elementName === 'button') {
+        if (!hasAttr('type')) {
+          smells.push({
+            type: 'a11y-semantic',
+            severity: 'info',
+            message: `<button> should have explicit type attribute`,
+            file: filePath,
+            line,
+            column: loc?.start.column || 0,
+            suggestion: 'Add type="button" or type="submit" to clarify button behavior',
+            codeSnippet: getCodeSnippet(sourceCode, line),
+          });
+        }
+      }
+
+      // Check for icons that might need labels
+      if (elementName === 'svg' || elementName === 'Icon' || elementName.endsWith('Icon')) {
+        const hasAriaLabel = hasAttr('aria-label') || hasAttr('aria-hidden') || hasAttr('title');
+        
+        if (!hasAriaLabel) {
+          smells.push({
+            type: 'a11y-missing-label',
+            severity: 'info',
+            message: `Icon/SVG may need aria-label or aria-hidden in "${component.name}"`,
+            file: filePath,
+            line,
+            column: loc?.start.column || 0,
+            suggestion: 'Add aria-label for meaningful icons, or aria-hidden="true" for decorative ones',
+            codeSnippet: getCodeSnippet(sourceCode, line),
+          });
+        }
+      }
+    },
+  });
+
+  return smells;
+}

package/src/detectors/debug.ts

@@ -0,0 +1,103 @@
+import * as t from '@babel/types';
+import { ParsedComponent, getCodeSnippet } from '../parser/index.js';
+import { CodeSmell, DetectorConfig, DEFAULT_CONFIG } from '../types/index.js';
+
+/**
+ * Detects debug statements that should be removed:
+ * - console.log/warn/error/debug
+ * - debugger statements
+ * - TODO/FIXME/HACK comments (detected via source code)
+ */
+export function detectDebugStatements(
+  component: ParsedComponent,
+  filePath: string,
+  sourceCode: string,
+  config: DetectorConfig = DEFAULT_CONFIG
+): CodeSmell[] {
+  if (!config.checkDebugStatements) return [];
+
+  const smells: CodeSmell[] = [];
+  const reportedLines = new Set<number>();
+
+  // Detect console.* calls
+  component.path.traverse({
+    CallExpression(path) {
+      const { callee } = path.node;
+      
+      if (t.isMemberExpression(callee) && 
+          t.isIdentifier(callee.object) && 
+          callee.object.name === 'console') {
+        
+        const method = t.isIdentifier(callee.property) ? callee.property.name : '';
+        const debugMethods = ['log', 'warn', 'error', 'debug', 'info', 'trace', 'dir', 'table'];
+        
+        if (debugMethods.includes(method)) {
+          const loc = path.node.loc;
+          const line = loc?.start.line || 0;
+          
+          if (!reportedLines.has(line)) {
+            reportedLines.add(line);
+            smells.push({
+              type: 'debug-statement',
+              severity: 'warning',
+              message: `console.${method}() should be removed before production`,
+              file: filePath,
+              line,
+              column: loc?.start.column || 0,
+              suggestion: 'Remove console statement or use a logging library with environment-based filtering',
+              codeSnippet: getCodeSnippet(sourceCode, line),
+            });
+          }
+        }
+      }
+    },
+
+    // Detect debugger statements
+    DebuggerStatement(path) {
+      const loc = path.node.loc;
+      smells.push({
+        type: 'debug-statement',
+        severity: 'error',
+        message: 'debugger statement must be removed before production',
+        file: filePath,
+        line: loc?.start.line || 0,
+        column: loc?.start.column || 0,
+        suggestion: 'Remove the debugger statement',
+        codeSnippet: getCodeSnippet(sourceCode, loc?.start.line || 0),
+      });
+    },
+  });
+
+  // Detect TODO/FIXME/HACK comments in source
+  const todoPatterns = [
+    { pattern: /\/\/\s*(TODO|FIXME|HACK|XXX|BUG)[:.\s]/gi, type: 'todo-comment' as const },
+    { pattern: /\/\*\s*(TODO|FIXME|HACK|XXX|BUG)[:.\s]/gi, type: 'todo-comment' as const },
+  ];
+
+  const lines = sourceCode.split('\n');
+  lines.forEach((line, index) => {
+    const lineNum = index + 1;
+    
+    // Only check within component bounds
+    if (lineNum < component.startLine || lineNum > component.endLine) return;
+    
+    todoPatterns.forEach(({ pattern }) => {
+      const match = line.match(pattern);
+      if (match) {
+        const tag = match[0].replace(/[/\*\s:]/g, '').toUpperCase();
+        smells.push({
+          type: 'todo-comment',
+          severity: 'info',
+          message: `${tag} comment found in "${component.name}"`,
+          file: filePath,
+          line: lineNum,
+          column: 0,
+          suggestion: `Address the ${tag} or create a ticket to track it`,
+          codeSnippet: getCodeSnippet(sourceCode, lineNum),
+        });
+      }
+    });
+  });
+
+  return smells;
+}

package/src/detectors/index.ts

@@ -14,3 +14,7 @@ export { detectReactNativeIssues } from './reactNative.js';
 export { detectNodejsIssues } from './nodejs.js';
 export { detectJavascriptIssues } from './javascript.js';
 export { detectTypescriptIssues } from './typescript.js';
+// Debug, Security, Accessibility
+export { detectDebugStatements } from './debug.js';
+export { detectSecurityIssues } from './security.js';
+export { detectAccessibilityIssues } from './accessibility.js';

package/src/detectors/security.ts

@@ -0,0 +1,179 @@
+import * as t from '@babel/types';
+import { ParsedComponent, getCodeSnippet } from '../parser/index.js';
+import { CodeSmell, DetectorConfig, DEFAULT_CONFIG } from '../types/index.js';
+
+/**
+ * Detects security vulnerabilities:
+ * - dangerouslySetInnerHTML usage
+ * - eval() and Function() constructor
+ * - innerHTML assignments
+ * - Unsafe URLs (javascript:, data:)
+ * - Exposed secrets/API keys
+ */
+export function detectSecurityIssues(
+  component: ParsedComponent,
+  filePath: string,
+  sourceCode: string,
+  config: DetectorConfig = DEFAULT_CONFIG
+): CodeSmell[] {
+  if (!config.checkSecurity) return [];
+
+  const smells: CodeSmell[] = [];
+
+  // Detect dangerouslySetInnerHTML
+  component.path.traverse({
+    JSXAttribute(path) {
+      if (t.isJSXIdentifier(path.node.name) && 
+          path.node.name.name === 'dangerouslySetInnerHTML') {
+        const loc = path.node.loc;
+        smells.push({
+          type: 'security-xss',
+          severity: 'error',
+          message: `dangerouslySetInnerHTML is a security risk in "${component.name}"`,
+          file: filePath,
+          line: loc?.start.line || 0,
+          column: loc?.start.column || 0,
+          suggestion: 'Sanitize HTML with DOMPurify or use a safe alternative like converting to React elements',
+          codeSnippet: getCodeSnippet(sourceCode, loc?.start.line || 0),
+        });
+      }
+    },
+  });
+
+  // Detect eval() and Function() constructor
+  component.path.traverse({
+    CallExpression(path) {
+      const { callee } = path.node;
+      
+      // eval()
+      if (t.isIdentifier(callee) && callee.name === 'eval') {
+        const loc = path.node.loc;
+        smells.push({
+          type: 'security-eval',
+          severity: 'error',
+          message: `eval() is a critical security risk in "${component.name}"`,
+          file: filePath,
+          line: loc?.start.line || 0,
+          column: loc?.start.column || 0,
+          suggestion: 'Never use eval(). Parse JSON with JSON.parse() or restructure logic to avoid dynamic code execution.',
+          codeSnippet: getCodeSnippet(sourceCode, loc?.start.line || 0),
+        });
+      }
+    },
+    
+    // new Function()
+    NewExpression(path) {
+      const { callee } = path.node;
+      if (t.isIdentifier(callee) && callee.name === 'Function') {
+        const loc = path.node.loc;
+        smells.push({
+          type: 'security-eval',
+          severity: 'error',
+          message: `new Function() is equivalent to eval() and is a security risk`,
+          file: filePath,
+          line: loc?.start.line || 0,
+          column: loc?.start.column || 0,
+          suggestion: 'Avoid creating functions from strings. Restructure to use static function definitions.',
+          codeSnippet: getCodeSnippet(sourceCode, loc?.start.line || 0),
+        });
+      }
+    },
+  });
+
+  // Detect innerHTML assignments
+  component.path.traverse({
+    AssignmentExpression(path) {
+      const { left } = path.node;
+      
+      if (t.isMemberExpression(left) && t.isIdentifier(left.property)) {
+        if (left.property.name === 'innerHTML' || left.property.name === 'outerHTML') {
+          const loc = path.node.loc;
+          smells.push({
+            type: 'security-xss',
+            severity: 'warning',
+            message: `Direct ${left.property.name} assignment can lead to XSS`,
+            file: filePath,
+            line: loc?.start.line || 0,
+            column: loc?.start.column || 0,
+            suggestion: 'Use textContent for plain text, or sanitize HTML with DOMPurify',
+            codeSnippet: getCodeSnippet(sourceCode, loc?.start.line || 0),
+          });
+        }
+      }
+    },
+  });
+
+  // Detect unsafe URLs (javascript:, data:)
+  component.path.traverse({
+    JSXAttribute(path) {
+      if (!t.isJSXIdentifier(path.node.name)) return;
+      
+      const propName = path.node.name.name;
+      if (!['href', 'src', 'action'].includes(propName)) return;
+      
+      const value = path.node.value;
+      if (t.isStringLiteral(value)) {
+        const url = value.value.toLowerCase().trim();
+        
+        if (url.startsWith('javascript:')) {
+          const loc = path.node.loc;
+          smells.push({
+            type: 'security-xss',
+            severity: 'error',
+            message: `javascript: URLs are a security risk`,
+            file: filePath,
+            line: loc?.start.line || 0,
+            column: loc?.start.column || 0,
+            suggestion: 'Use onClick handlers instead of javascript: URLs',
+            codeSnippet: getCodeSnippet(sourceCode, loc?.start.line || 0),
+          });
+        }
+        
+        if (url.startsWith('data:') && propName === 'href') {
+          const loc = path.node.loc;
+          smells.push({
+            type: 'security-xss',
+            severity: 'warning',
+            message: `data: URLs in href can be a security risk`,
+            file: filePath,
+            line: loc?.start.line || 0,
+            column: loc?.start.column || 0,
+            suggestion: 'Validate and sanitize data URLs, or use blob URLs instead',
+            codeSnippet: getCodeSnippet(sourceCode, loc?.start.line || 0),
+          });
+        }
+      }
+    },
+  });
+
+  // Detect potential exposed secrets
+  const secretPatterns = [
+    { pattern: /['"](?:sk[-_]live|pk[-_]live|api[-_]?key|secret[-_]?key|access[-_]?token|auth[-_]?token)['"]\s*[:=]\s*['"][a-zA-Z0-9-_]{20,}/i, name: 'API key' },
+    { pattern: /['"](?:ghp|gho|ghu|ghs|ghr)_[a-zA-Z0-9]{36,}['"]/i, name: 'GitHub token' },
+    { pattern: /['"]AKIA[A-Z0-9]{16}['"]/i, name: 'AWS access key' },
+    { pattern: /password\s*[:=]\s*['"][^'"]{8,}['"]/i, name: 'Hardcoded password' },
+  ];
+
+  const lines = sourceCode.split('\n');
+  lines.forEach((line, index) => {
+    const lineNum = index + 1;
+    if (lineNum < component.startLine || lineNum > component.endLine) return;
+    
+    secretPatterns.forEach(({ pattern, name }) => {
+      if (pattern.test(line)) {
+        smells.push({
+          type: 'security-secrets',
+          severity: 'error',
+          message: `Potential ${name} exposed in code`,
+          file: filePath,
+          line: lineNum,
+          column: 0,
+          suggestion: 'Move secrets to environment variables (.env) and never commit them to version control',
+          codeSnippet: getCodeSnippet(sourceCode, lineNum),
+        });
+      }
+    });
+  });
+
+  return smells;
+}