shercheck 0.1.0 → 0.1.1
- package/LICENSE +21 -0
- package/README.md +188 -0
- package/bin/cli.js +8 -5
- package/package.json +1 -1
package/LICENSE
ADDED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2026 NightWiing
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
package/README.md
ADDED
|
@@ -0,0 +1,188 @@
|
|
|
1
|
+
# ๐ shercheck
|
|
2
|
+
|
|
3
|
+
**AI-aware security scanner** โ finds exposed secrets in your codebase and checks whether your AI coding agent (Cursor, Copilot, Windsurf, Claude Code, etc.) can actually read your sensitive files.
|
|
4
|
+
|
|
5
|
+
Most secret scanners stop at "you have a `.env` file." shercheck goes one step further: it checks whether that file is actually **blocked from AI agents** via `.cursorignore`, `.aiexclude`, `.clineignore`, Claude Code's deny rules, and more โ and tells you exactly what's missing.
|
|
6
|
+
|
|
7
|
+
## Why
|
|
8
|
+
|
|
9
|
+
AI coding assistants can read almost any file in your project by default. If your `.env`, private keys, or credentials aren't explicitly excluded, your AI agent (and anything it shares context with) can see them. shercheck audits this blind spot in seconds.
|
|
10
|
+
|
|
11
|
+
## Features
|
|
12
|
+
|
|
13
|
+
- ๐ **Sensitive file detection** โ flags `.env` files, private keys (`.pem`, `.key`, `id_rsa`), cloud credentials (`.aws/credentials`, `.npmrc`), keystores, and more.
|
|
14
|
+
- ๐ **Secret scanning** โ greps file contents for real leaked credentials: AWS keys, GitHub tokens, Stripe keys, Supabase keys, Anthropic keys, SendGrid keys, private key blocks, JWTs, and generic hardcoded secrets.
|
|
15
|
+
- ๐ค **AI exposure check** โ cross-references every sensitive file against the ignore files of 9+ AI tools (Cursor, Windsurf, Cline, Gemini, Codeium, Copilot, Claude Code, and generic `.aiignore`) to see if it's actually protected.
|
|
16
|
+
- ๐ก๏ธ **Masked previews** โ secrets are shown masked (e.g. `AKIA********MNOP`) so reports are safe to share/paste.
|
|
17
|
+
- ๐ **Readable or machine output** โ pretty colored terminal report by default, or `--json` for scripting.
|
|
18
|
+
- ๐ฆ **CI-friendly** โ `--ci` flag exits with code `1` when exposed secrets are found, so you can fail a pipeline on real risk.
|
|
19
|
+
|
|
20
|
+
## Installation
|
|
21
|
+
|
|
22
|
+
Run it directly without installing anything (recommended):
|
|
23
|
+
|
|
24
|
+
```bash
|
|
25
|
+
npx shercheck
|
|
26
|
+
```
|
|
27
|
+
|
|
28
|
+
Or install globally:
|
|
29
|
+
|
|
30
|
+
```bash
|
|
31
|
+
npm install -g shercheck
|
|
32
|
+
```
|
|
33
|
+
|
|
34
|
+
Or add it as a dev dependency to run via npm scripts:
|
|
35
|
+
|
|
36
|
+
```bash
|
|
37
|
+
npm install --save-dev shercheck
|
|
38
|
+
```
|
|
39
|
+
|
|
40
|
+
## Usage
|
|
41
|
+
|
|
42
|
+
Scan the current directory:
|
|
43
|
+
|
|
44
|
+
```bash
|
|
45
|
+
npx shercheck
|
|
46
|
+
```
|
|
47
|
+
|
|
48
|
+
Scan a specific project path:
|
|
49
|
+
|
|
50
|
+
```bash
|
|
51
|
+
npx shercheck ./path/to/project
|
|
52
|
+
```
|
|
53
|
+
|
|
54
|
+
Output JSON (for scripting or piping into other tools):
|
|
55
|
+
|
|
56
|
+
```bash
|
|
57
|
+
npx shercheck --json
|
|
58
|
+
```
|
|
59
|
+
|
|
60
|
+
Fail CI when a sensitive file with no AI-ignore coverage is found:
|
|
61
|
+
|
|
62
|
+
```bash
|
|
63
|
+
npx shercheck --ci
|
|
64
|
+
```
|
|
65
|
+
|
|
66
|
+
### Options
|
|
67
|
+
|
|
68
|
+
| Flag | Description |
|
|
69
|
+
| --- | --- |
|
|
70
|
+
| `[path]` | Project directory to scan (defaults to `.`) |
|
|
71
|
+
| `--json` | Output results as JSON instead of a colored report |
|
|
72
|
+
| `--ci` | Exit with code `1` if any fully-exposed findings are detected |
|
|
73
|
+
| `-V, --version` | Print the version number |
|
|
74
|
+
| `-h, --help` | Print usage help |
|
|
75
|
+
|
|
76
|
+
## Example output
|
|
77
|
+
|
|
78
|
+
```
|
|
79
|
+
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
|
|
80
|
+
๐ SHERCHECK ยท AI-aware security scanner
|
|
81
|
+
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
|
|
82
|
+
|
|
83
|
+
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ SUMMARY โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
|
|
84
|
+
|
|
85
|
+
Sensitive files found 1
|
|
86
|
+
Secrets in content 1
|
|
87
|
+
Files exposed to AI agents 1
|
|
88
|
+
|
|
89
|
+
HIGH 1 file(s)
|
|
90
|
+
|
|
91
|
+
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ SECRETS DETECTED โโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
|
|
92
|
+
|
|
93
|
+
HIGH .env
|
|
94
|
+
Line 1 ยท AWS Access Key
|
|
95
|
+
Preview: SECRET_KEY=AKIA********MNOP
|
|
96
|
+
|
|
97
|
+
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ AI EXPOSURE โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
|
|
98
|
+
|
|
99
|
+
HIGH .env
|
|
100
|
+
Status fully exposed has secret
|
|
101
|
+
|
|
102
|
+
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ RECOMMENDATIONS โโโโโโโโโโโโโโโโโโโโโโโโโโโโ
|
|
103
|
+
|
|
104
|
+
โ No AI ignore files found in this project
|
|
105
|
+
|
|
106
|
+
โ Create a .aiignore or .cursorignore and add:
|
|
107
|
+
.env
|
|
108
|
+
|
|
109
|
+
โ Rotate these credentials immediately:
|
|
110
|
+
.env
|
|
111
|
+
|
|
112
|
+
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
|
|
113
|
+
โ Issues found โ review recommendations above
|
|
114
|
+
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
|
|
115
|
+
```
|
|
116
|
+
|
|
117
|
+
## What it checks
|
|
118
|
+
|
|
119
|
+
### Sensitive files
|
|
120
|
+
|
|
121
|
+
shercheck flags files matching common sensitive-file patterns, including:
|
|
122
|
+
|
|
123
|
+
- `.env`, `.env.*` (any environment file)
|
|
124
|
+
- `*.pem`, `*.key`, `id_rsa*`, `id_ed25519*` (private keys)
|
|
125
|
+
- `*.p12`, `*.pfx`, `*.keystore` (certificates/keystores)
|
|
126
|
+
- `credentials.json`, `secrets.*`
|
|
127
|
+
- `.npmrc`
|
|
128
|
+
- `.aws/credentials`, `.aws/config`
|
|
129
|
+
- Supabase's `supabase/.temp/**` directory
|
|
130
|
+
|
|
131
|
+
### Secret patterns
|
|
132
|
+
|
|
133
|
+
File contents (for common source/config file types under 500 KB, skipping binaries) are scanned for:
|
|
134
|
+
|
|
135
|
+
- AWS Access Keys
|
|
136
|
+
- GitHub Tokens
|
|
137
|
+
- Stripe Live/Test Keys
|
|
138
|
+
- Supabase Keys
|
|
139
|
+
- Anthropic API Keys
|
|
140
|
+
- SendGrid Keys
|
|
141
|
+
- Private key blocks (`-----BEGIN ... PRIVATE KEY-----`)
|
|
142
|
+
- Generic JWTs
|
|
143
|
+
- Hardcoded `SECRET` / `API_KEY` / `PRIVATE_KEY` / `AUTH_TOKEN` assignments
|
|
144
|
+
|
|
145
|
+
Matches inside comments are skipped, and all detected secrets are masked in the report.
|
|
146
|
+
|
|
147
|
+
### AI exposure
|
|
148
|
+
|
|
149
|
+
For every sensitive file found, shercheck checks whether it's covered by any of these AI-tool ignore mechanisms:
|
|
150
|
+
|
|
151
|
+
| Tool | Ignore file |
|
|
152
|
+
| --- | --- |
|
|
153
|
+
| Cursor | `.cursorignore`, `.cursorindexingignore` |
|
|
154
|
+
| Windsurf | `.windsurfignore` |
|
|
155
|
+
| Cline | `.clineignore` |
|
|
156
|
+
| Gemini | `.aiexclude`, `.geminiignore` |
|
|
157
|
+
| Codeium | `.codeiumignore` |
|
|
158
|
+
| Copilot | `.copilotignore` |
|
|
159
|
+
| Claude Code | `.claude/settings.json` (`permissions.deny` rules) |
|
|
160
|
+
| Generic | `.aiignore` |
|
|
161
|
+
|
|
162
|
+
A file is marked **fully exposed** if none of the detected AI tools' ignore rules cover it โ meaning an AI agent working in that project could read it.
|
|
163
|
+
|
|
164
|
+
## Using in CI
|
|
165
|
+
|
|
166
|
+
Add shercheck to your pipeline to catch exposed secrets before they ship:
|
|
167
|
+
|
|
168
|
+
```yaml
|
|
169
|
+
# .github/workflows/security.yml
|
|
170
|
+
name: Security check
|
|
171
|
+
on: [push, pull_request]
|
|
172
|
+
jobs:
|
|
173
|
+
shercheck:
|
|
174
|
+
runs-on: ubuntu-latest
|
|
175
|
+
steps:
|
|
176
|
+
- uses: actions/checkout@v4
|
|
177
|
+
- run: npx shercheck --ci
|
|
178
|
+
```
|
|
179
|
+
|
|
180
|
+
The command exits with code `1` if any sensitive file is fully exposed to an AI agent, failing the build.
|
|
181
|
+
|
|
182
|
+
## Requirements
|
|
183
|
+
|
|
184
|
+
- Node.js >= 18
|
|
185
|
+
|
|
186
|
+
## License
|
|
187
|
+
|
|
188
|
+
MIT
|
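Review bot: the README gives three different triggers for `--ci` exiting non-zero, and they need to be reconciled before this ships: the Features list says it exits `1` "when exposed secrets are found", the Usage section says "when a sensitive file with no AI-ignore coverage is found", and the Options table and the "Using in CI" section say "if any fully-exposed findings are detected". A secret found inside a file that is covered by an ignore rule, or an exposed `.env` that contains no detectable secret, lands on different sides of those three definitions, so pick one and state it everywhere (the Options table row is the natural place for the authoritative wording). Two smaller points: the "AI exposure check" feature claims "9+ AI tools" while the table under "AI exposure" lists eight, and the sentence "Matches inside comments are skipped" under "Secret patterns" deserves a caveat, since a credential on a commented-out line is still committed and still readable by an agent, so skipping it trades false positives for false negatives; consider documenting that as a known limitation.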
package/bin/cli.js
CHANGED
|
@@ -1,24 +1,27 @@
|
|
|
1
1
|
#!/usr/bin/env node
|
|
2
2
|
import { Command } from "commander";
|
|
3
3
|
import path from "node:path";
|
|
4
|
+
import fs from "node:fs/promises";
|
|
5
|
+
import { fileURLToPath } from "node:url";
|
|
4
6
|
import { scan } from "../src/scanner.js";
|
|
5
7
|
import { findSensitiveFiles } from "../src/sensitive-files.js";
|
|
6
8
|
import { findSecrets } from "../src/secrets.js";
|
|
7
9
|
import { checkAiExposure } from "../src/ai-exposure.js";
|
|
8
10
|
import { printJsonReport, printReport } from "../src/report.js";
|
|
9
11
|
|
|
12
|
+
const __dirname = path.dirname(fileURLToPath(import.meta.url));
|
|
13
|
+
const pkg = JSON.parse(
|
|
14
|
+
await fs.readFile(path.join(__dirname, "..", "package.json"), "utf-8"),
|
|
15
|
+
);
|
|
16
|
+
|
|
10
17
|
const program = new Command();
|
|
11
18
|
|
|
12
19
|
program
|
|
13
20
|
.name("shercheck")
|
|
14
21
|
.description("A tool to check the integrity of your files")
|
|
15
|
-
.version(
|
|
22
|
+
.version(pkg.version)
|
|
16
23
|
.argument("[path]", "project directory to scan", ".")
|
|
17
24
|
.option("--json", "output results as JSON instead of colored text")
|
|
18
|
-
.option(
|
|
19
|
-
"--fix",
|
|
20
|
-
"auto-create/update AI-ignore files for unprotected sensitive files",
|
|
21
|
-
)
|
|
22
25
|
.option("--ci", "exit with code 1 if any findings are detected")
|
|
23
26
|
.action((targetPath, options) => {
|
|
24
27
|
const resolvedPath = path.resolve(targetPath);
|
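Review bot: the `--ci` help text, "exit with code 1 if any findings are detected", disagrees with the README added in this same release, which limits the non-zero exit to fully-exposed findings; update the option text to match whatever the action actually does, e.g. `.option("--ci", "exit with code 1 if any sensitive file is fully exposed to an AI agent")`. The `.description("A tool to check the integrity of your files")` is likewise stale against the README's "AI-aware security scanner" and should describe what the tool does. Since the `--fix` option is removed here, confirm that the `.action` handler (cut off after `const resolvedPath = path.resolve(targetPath);` in this hunk) no longer reads `options.fix`; otherwise that branch becomes dead code commander will never trigger. Reading `package.json` via top-level `await fs.readFile(...)` is fine in ESM, but it makes the CLI hard-fail on a missing or malformed file; for a version string a `try`/`catch` falling back to `"unknown"` would keep the scanner usable.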