shercheck 0.1.0 → 0.1.1

Files changed (4)
  1. package/LICENSE +21 -0
  2. package/README.md +188 -0
  3. package/bin/cli.js +8 -5
  4. package/package.json +1 -1
package/LICENSE ADDED
@@ -0,0 +1,21 @@
1
+ MIT License
2
+
3
+ Copyright (c) 2026 NightWiing
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
package/README.md ADDED
@@ -0,0 +1,188 @@
1
+ # ๐Ÿ” shercheck
2
+
3
+ **AI-aware security scanner** โ€” finds exposed secrets in your codebase and checks whether your AI coding agent (Cursor, Copilot, Windsurf, Claude Code, etc.) can actually read your sensitive files.
4
+
5
+ Most secret scanners stop at "you have a `.env` file." shercheck goes one step further: it checks whether that file is actually **blocked from AI agents** via `.cursorignore`, `.aiexclude`, `.clineignore`, Claude Code's deny rules, and more โ€” and tells you exactly what's missing.
6
+
7
+ ## Why
8
+
9
+ AI coding assistants can read almost any file in your project by default. If your `.env`, private keys, or credentials aren't explicitly excluded, your AI agent (and anything it shares context with) can see them. shercheck audits this blind spot in seconds.
10
+
11
+ ## Features
12
+
13
+ - ๐Ÿ”Ž **Sensitive file detection** โ€” flags `.env` files, private keys (`.pem`, `.key`, `id_rsa`), cloud credentials (`.aws/credentials`, `.npmrc`), keystores, and more.
14
+ - ๐Ÿ”‘ **Secret scanning** โ€” greps file contents for real leaked credentials: AWS keys, GitHub tokens, Stripe keys, Supabase keys, Anthropic keys, SendGrid keys, private key blocks, JWTs, and generic hardcoded secrets.
15
+ - ๐Ÿค– **AI exposure check** โ€” cross-references every sensitive file against the ignore files of 9+ AI tools (Cursor, Windsurf, Cline, Gemini, Codeium, Copilot, Claude Code, and generic `.aiignore`) to see if it's actually protected.
16
+ - ๐Ÿ›ก๏ธ **Masked previews** โ€” secrets are shown masked (e.g. `AKIA********MNOP`) so reports are safe to share/paste.
17
+ - ๐Ÿ“Š **Readable or machine output** โ€” pretty colored terminal report by default, or `--json` for scripting.
18
+ - ๐Ÿšฆ **CI-friendly** โ€” `--ci` flag exits with code `1` when exposed secrets are found, so you can fail a pipeline on real risk.
19
+
20
+ ## Installation
21
+
22
+ Run it directly without installing anything (recommended):
23
+
24
+ ```bash
25
+ npx shercheck
26
+ ```
27
+
28
+ Or install globally:
29
+
30
+ ```bash
31
+ npm install -g shercheck
32
+ ```
33
+
34
+ Or add it as a dev dependency to run via npm scripts:
35
+
36
+ ```bash
37
+ npm install --save-dev shercheck
38
+ ```
39
+
40
+ ## Usage
41
+
42
+ Scan the current directory:
43
+
44
+ ```bash
45
+ npx shercheck
46
+ ```
47
+
48
+ Scan a specific project path:
49
+
50
+ ```bash
51
+ npx shercheck ./path/to/project
52
+ ```
53
+
54
+ Output JSON (for scripting or piping into other tools):
55
+
56
+ ```bash
57
+ npx shercheck --json
58
+ ```
59
+
60
+ Fail CI when a sensitive file with no AI-ignore coverage is found:
61
+
62
+ ```bash
63
+ npx shercheck --ci
64
+ ```
65
+
66
+ ### Options
67
+
68
+ | Flag | Description |
69
+ | --- | --- |
70
+ | `[path]` | Project directory to scan (defaults to `.`) |
71
+ | `--json` | Output results as JSON instead of a colored report |
72
+ | `--ci` | Exit with code `1` if any fully-exposed findings are detected |
73
+ | `-V, --version` | Print the version number |
74
+ | `-h, --help` | Print usage help |
75
+
76
+ ## Example output
77
+
78
+ ```
79
+ โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
80
+ ๐Ÿ” SHERCHECK ยท AI-aware security scanner
81
+ โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
82
+
83
+ โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ SUMMARY โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
84
+
85
+ Sensitive files found 1
86
+ Secrets in content 1
87
+ Files exposed to AI agents 1
88
+
89
+ HIGH 1 file(s)
90
+
91
+ โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ SECRETS DETECTED โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
92
+
93
+ HIGH .env
94
+ Line 1 ยท AWS Access Key
95
+ Preview: SECRET_KEY=AKIA********MNOP
96
+
97
+ โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ AI EXPOSURE โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
98
+
99
+ HIGH .env
100
+ Status fully exposed has secret
101
+
102
+ โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ RECOMMENDATIONS โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
103
+
104
+ โœ– No AI ignore files found in this project
105
+
106
+ โ†’ Create a .aiignore or .cursorignore and add:
107
+ .env
108
+
109
+ โš  Rotate these credentials immediately:
110
+ .env
111
+
112
+ โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
113
+ โœ– Issues found โ€” review recommendations above
114
+ โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
115
+ ```
116
+
117
+ ## What it checks
118
+
119
+ ### Sensitive files
120
+
121
+ shercheck flags files matching common sensitive-file patterns, including:
122
+
123
+ - `.env`, `.env.*` (any environment file)
124
+ - `*.pem`, `*.key`, `id_rsa*`, `id_ed25519*` (private keys)
125
+ - `*.p12`, `*.pfx`, `*.keystore` (certificates/keystores)
126
+ - `credentials.json`, `secrets.*`
127
+ - `.npmrc`
128
+ - `.aws/credentials`, `.aws/config`
129
+ - Supabase's `supabase/.temp/**` directory
130
+
131
+ ### Secret patterns
132
+
133
+ File contents (for common source/config file types under 500 KB, skipping binaries) are scanned for:
134
+
135
+ - AWS Access Keys
136
+ - GitHub Tokens
137
+ - Stripe Live/Test Keys
138
+ - Supabase Keys
139
+ - Anthropic API Keys
140
+ - SendGrid Keys
141
+ - Private key blocks (`-----BEGIN ... PRIVATE KEY-----`)
142
+ - Generic JWTs
143
+ - Hardcoded `SECRET` / `API_KEY` / `PRIVATE_KEY` / `AUTH_TOKEN` assignments
144
+
145
+ Matches inside comments are skipped, and all detected secrets are masked in the report.
146
+
147
+ ### AI exposure
148
+
149
+ For every sensitive file found, shercheck checks whether it's covered by any of these AI-tool ignore mechanisms:
150
+
151
+ | Tool | Ignore file |
152
+ | --- | --- |
153
+ | Cursor | `.cursorignore`, `.cursorindexingignore` |
154
+ | Windsurf | `.windsurfignore` |
155
+ | Cline | `.clineignore` |
156
+ | Gemini | `.aiexclude`, `.geminiignore` |
157
+ | Codeium | `.codeiumignore` |
158
+ | Copilot | `.copilotignore` |
159
+ | Claude Code | `.claude/settings.json` (`permissions.deny` rules) |
160
+ | Generic | `.aiignore` |
161
+
162
+ A file is marked **fully exposed** if none of the detected AI tools' ignore rules cover it โ€” meaning an AI agent working in that project could read it.
163
+
164
+ ## Using in CI
165
+
166
+ Add shercheck to your pipeline to catch exposed secrets before they ship:
167
+
168
+ ```yaml
169
+ # .github/workflows/security.yml
170
+ name: Security check
171
+ on: [push, pull_request]
172
+ jobs:
173
+ shercheck:
174
+ runs-on: ubuntu-latest
175
+ steps:
176
+ - uses: actions/checkout@v4
177
+ - run: npx shercheck --ci
178
+ ```
179
+
180
+ The command exits with code `1` if any sensitive file is fully exposed to an AI agent, failing the build.
181
+
182
+ ## Requirements
183
+
184
+ - Node.js >= 18
185
+
186
+ ## License
187
+
188
+ MIT
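Review bot: the `--ci` exit condition is stated three different ways in this README and none of them matches the CLI help in bin/cli.js: Features says `exits with code 1 when exposed secrets are found`, Usage says `Fail CI when a sensitive file with no AI-ignore coverage is found`, the Options table says `Exit with code 1 if any fully-exposed findings are detected`, while cli.js says `exit with code 1 if any findings are detected`. Pick one definition (a fully exposed sensitive file, a detected secret, or either) and use it in all four places; a CI gate that fails on a different condition than the one documented is the kind of check teams end up disabling. Three smaller points: the Features list claims `9+ AI tools` but the AI exposure table lists eight, so reconcile the count; the CI workflow runs `npx shercheck --ci` unpinned, so every build fetches whatever is latest on the registry, and pinning (`npx shercheck@0.1.1 --ci`) is the safer recommendation for a security tool; and `Matches inside comments are skipped` deserves an explicit caveat, because a live key that was merely commented out is still a leaked credential and readers should know the scanner will not report it.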
package/bin/cli.js CHANGED
@@ -1,24 +1,27 @@
1
1
  #!/usr/bin/env node
2
2
  import { Command } from "commander";
3
3
  import path from "node:path";
4
+ import fs from "node:fs/promises";
5
+ import { fileURLToPath } from "node:url";
4
6
  import { scan } from "../src/scanner.js";
5
7
  import { findSensitiveFiles } from "../src/sensitive-files.js";
6
8
  import { findSecrets } from "../src/secrets.js";
7
9
  import { checkAiExposure } from "../src/ai-exposure.js";
8
10
  import { printJsonReport, printReport } from "../src/report.js";
9
11
 
12
+ const __dirname = path.dirname(fileURLToPath(import.meta.url));
13
+ const pkg = JSON.parse(
14
+ await fs.readFile(path.join(__dirname, "..", "package.json"), "utf-8"),
15
+ );
16
+
10
17
  const program = new Command();
11
18
 
12
19
  program
13
20
  .name("shercheck")
14
21
  .description("A tool to check the integrity of your files")
15
- .version("1.0.0")
22
+ .version(pkg.version)
16
23
  .argument("[path]", "project directory to scan", ".")
17
24
  .option("--json", "output results as JSON instead of colored text")
18
- .option(
19
- "--fix",
20
- "auto-create/update AI-ignore files for unprotected sensitive files",
21
- )
22
25
  .option("--ci", "exit with code 1 if any findings are detected")
23
26
  .action((targetPath, options) => {
24
27
  const resolvedPath = path.resolve(targetPath);
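Review bot: the help strings in this hunk disagree with the README added in the same release. `.description("A tool to check the integrity of your files")` is carried over unchanged and describes neither secret scanning nor the AI-exposure check, and `.option("--ci", "exit with code 1 if any findings are detected")` says "any findings" where the README's Options table says "fully-exposed findings"; update both so `--help` and the docs agree on what fails a build. The version change itself is correct: `.version("1.0.0")` was hard-coded and wrong for a 0.1.x package, and reading `pkg.version` from package.json keeps `-V` in sync, with the top-level `await` being valid because package.json declares `"type": "module"`. Since the `--fix` option is removed here, confirm that the `.action` handler (not shown past `const resolvedPath = path.resolve(targetPath);`) no longer reads `options.fix`, and consider `createRequire(import.meta.url)("../package.json")` from `node:module` as a shorter way to load the manifest that avoids the `__dirname` shim.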
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "shercheck",
3
- "version": "0.1.0",
3
+ "version": "0.1.1",
4
4
  "description": "AI-aware security scanner โ€” finds exposed secrets and checks if your AI agent can read sensitive files",
5
5
  "type": "module",
6
6
  "bin": {
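Review bot: the bump to `0.1.1` is the only change shown, and it is what makes the new `.version(pkg.version)` in bin/cli.js report a correct number. Two fields to check in the part of the manifest this hunk does not show: `"engines": { "node": ">=18" }`, so npm warns on older runtimes, given that the README's Requirements section promises Node.js >= 18 and the top-level `await` and `node:` imports in cli.js depend on a modern runtime; and `"license": "MIT"` to match the LICENSE file added in this release.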