superencryptx 0.1.0__py3-none-any.whl → 0.1.1__py3-none-any.whl

superencrypt/cli.py

@@ -6,7 +6,7 @@ from pathlib import Path
 from typing import List
 
 from .crypto import Crypto
-from .scanner import scan_repo, iter_repo_files
+from .scanner import scan_repo, scan_path, iter_repo_files
 from .transform import encrypt_file, decrypt_file
 
 
@@ -26,8 +26,15 @@ def _write_key_file(path: Path, key: bytes) -> None:
 
 
 def cmd_scan(args: argparse.Namespace) -> int:
-    root = Path(args.root).resolve()
-    findings = scan_repo(root)
+    if args.file:
+        path = Path(args.file).resolve()
+        if not path.exists():
+            raise SystemExit(f"File not found: {path}")
+        findings = scan_path(path)
+        root = path.parent
+    else:
+        root = Path(args.root).resolve()
+        findings = scan_repo(root)
     if not findings:
         print("No secrets found.")
         return 0
@@ -50,10 +57,18 @@ def cmd_encrypt(args: argparse.Namespace) -> int:
     crypto = Crypto(key)
 
     changed_files: List[Path] = []
-    for path in iter_repo_files(root):
+    if args.file:
+        path = Path(args.file).resolve()
+        if not path.exists():
+            raise SystemExit(f"File not found: {path}")
         result = encrypt_file(path, crypto)
         if result.changed:
             changed_files.append(result.path)
+    else:
+        for path in iter_repo_files(root):
+            result = encrypt_file(path, crypto)
+            if result.changed:
+                changed_files.append(result.path)
     if changed_files:
         print(f"Encrypted {len(changed_files)} files.")
     else:
@@ -67,10 +82,18 @@ def cmd_decrypt(args: argparse.Namespace) -> int:
     crypto = Crypto(key)
 
     changed_files: List[Path] = []
-    for path in iter_repo_files(root):
+    if args.file:
+        path = Path(args.file).resolve()
+        if not path.exists():
+            raise SystemExit(f"File not found: {path}")
         result = decrypt_file(path, crypto)
         if result.changed:
             changed_files.append(result.path)
+    else:
+        for path in iter_repo_files(root):
+            result = decrypt_file(path, crypto)
+            if result.changed:
+                changed_files.append(result.path)
     if changed_files:
         print(f"Decrypted {len(changed_files)} files.")
     else:
@@ -80,19 +103,21 @@ def cmd_decrypt(args: argparse.Namespace) -> int:
 
 def build_parser() -> argparse.ArgumentParser:
     parser = argparse.ArgumentParser(prog="superencrypt")
-    parser.add_argument("--root", default=".", help="Root directory to scan")
+    parent = argparse.ArgumentParser(add_help=False)
+    parent.add_argument("--root", default=".", help="Root directory to scan")
+    parent.add_argument("--file", help="Scan/encrypt/decrypt a single file")
 
     subparsers = parser.add_subparsers(dest="command", required=True)
 
-    scan_parser = subparsers.add_parser("scan", help="Scan repo for secrets")
+    scan_parser = subparsers.add_parser("scan", help="Scan repo for secrets", parents=[parent])
     scan_parser.set_defaults(func=cmd_scan)
 
-    encrypt_parser = subparsers.add_parser("encrypt", help="Encrypt secrets in-place")
+    encrypt_parser = subparsers.add_parser("encrypt", help="Encrypt secrets in-place", parents=[parent])
     encrypt_parser.add_argument("--key", help="Base64 key string")
     encrypt_parser.add_argument("--key-file", help="Path to key file")
     encrypt_parser.set_defaults(func=cmd_encrypt)
 
-    decrypt_parser = subparsers.add_parser("decrypt", help="Decrypt secrets in-place")
+    decrypt_parser = subparsers.add_parser("decrypt", help="Decrypt secrets in-place", parents=[parent])
     decrypt_parser.add_argument("--key", help="Base64 key string")
     decrypt_parser.add_argument("--key-file", help="Path to key file")
     decrypt_parser.set_defaults(func=cmd_decrypt)

superencrypt/scanner.py

@@ -17,10 +17,16 @@ SKIP_DIRS = {
     ".venv",
     "venv",
     "__pycache__",
+    "vendor",
+    "docs",
+    "doc",
 }
 
 SKIP_FILES = {
     ".superencrypt.key",
+    "README.md",
+    "mvnw",
+    "mvnw.cmd",
 }
 
 ENV_FILE_PATTERNS = (
@@ -30,9 +36,32 @@ ENV_FILE_PATTERNS = (
 )
 
 SENSITIVE_KEYWORDS = re.compile(
-    r"(?i)(password|passwd|secret|token|api[_-]?key|access[_-]?key|private[_-]?key|db[_-]?user|database[_-]?user)"
+    r"(?i)(password|passwd|secret|token|api[_-]?key|access[_-]?key|private[_-]?key|client[_-]?secret)"
 )
 
+NON_SECRET_HINTS = re.compile(
+    r"(?i)\b(password|passwd|secret|token|api[_-]?key|access[_-]?key|private[_-]?key|client[_-]?secret)\b"
+)
+
+URL_PATTERN = re.compile(r"(?i)^[a-z][a-z0-9+.-]*://")
+ENV_REF_PATTERN = re.compile(r"^\$(\{[^}]+\}|[A-Za-z_][A-Za-z0-9_]*)$")
+BOOL_PATTERN = re.compile(r"(?i)^(true|false|yes|no|on|off)$")
+PORT_PATTERN = re.compile(r"^\d{2,5}$")
+LOCAL_HOSTS = {"localhost", "127.0.0.1", "0.0.0.0"}
+FILE_LIKE_PATTERN = re.compile(r"(?i)\.(zip|tar\.gz|tgz|jar|war|css|js|map|png|jpg|jpeg|gif|svg)$")
+HOSTNAME_PATTERN = re.compile(r"(?i)^[a-z0-9][a-z0-9-]*(?:\.[a-z0-9-]+)+$")
+PLACEHOLDER_PATTERN = re.compile(r"(?i)^\*{2,}.*\*{2,}$")
+TEMPLATE_PATTERN = re.compile(r"(\$\{[^}]+\}|\$\([^)]+\)|\$[A-Za-z_][A-Za-z0-9_]*|\{\{[^}]+\}\}|<%[^%]+%>)")
+REFERENCE_TOKEN_PATTERN = re.compile(
+    r"(?i)\b(var|local|data|module|path|terraform|each|count)\.[A-Za-z0-9_.-]+\b"
+)
+ARN_PATTERN = re.compile(r"^arn:aws:[a-z0-9-]+:[a-z0-9-]*:\d{0,12}:[^\\s]+$", re.IGNORECASE)
+TERRAFORM_REF_PATTERN = re.compile(
+    r"(?i)^(?:var|local|data|module|path|terraform|each|count)\.[A-Za-z0-9_.-]+$"
+)
+TERRAFORM_RESOURCE_PATTERN = re.compile(r"(?i)^[a-z][a-z0-9_-]*\.[A-Za-z0-9_.-]+$")
+TERRAFORM_FUNC_PATTERN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*\(.*\)$")
+
 
 @dataclass
 class Finding:
@@ -60,10 +89,22 @@ SECRET_PATTERNS: List[SecretPattern] = [
         regex=re.compile(r"(?i)aws_secret_access_key\s*[:=]\s*([A-Za-z0-9/+=]{40})"),
         group=1,
     ),
+    SecretPattern(
+        name="docker_env_or_arg",
+        regex=re.compile(
+            r"(?i)\b(?:ENV|ARG)\s+"
+            r"(?:[A-Z0-9_]*?(?:password|passwd|secret|token|api[_-]?key|access[_-]?key|private[_-]?key|client[_-]?secret)[A-Z0-9_]*)"
+            r"(?:\s*=\s*|\s+)"
+            r"(\"[^\"]+\"|'[^']+'|[^\s#]+)"
+        ),
+        group=1,
+    ),
     SecretPattern(
         name="generic_assignment",
-        regex=re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*([\w\-./+=:@]+)"),
-        group=2,
+        regex=re.compile(
+            r"(?i)(?:password|passwd|secret|token|api[_-]?key|access[_-]?key|private[_-]?key|client[_-]?secret)\s*[:=]\s*(\"[^\"]+\"|'[^']+'|[^\s#]+)"
+        ),
+        group=1,
     ),
 ]
 
@@ -79,13 +120,90 @@ def _is_binary(data: bytes) -> bool:
     return b"\x00" in data
 
 
+def _normalize_value(value: str) -> str:
+    raw = value.strip()
+    if raw.startswith(('"', "'")) and raw.endswith(('"', "'")) and len(raw) >= 2:
+        return raw[1:-1]
+    return raw
+
+
+def _is_probable_secret(value: str, context: str) -> bool:
+    raw = _normalize_value(value)
+    if not raw:
+        return False
+    lowered = raw.lower()
+    if TEMPLATE_PATTERN.search(raw):
+        return False
+    if PLACEHOLDER_PATTERN.match(raw):
+        return False
+    if lowered in LOCAL_HOSTS:
+        return False
+    if BOOL_PATTERN.fullmatch(raw):
+        return False
+    if PORT_PATTERN.fullmatch(raw):
+        return False
+    if URL_PATTERN.match(raw):
+        return False
+    if ENV_REF_PATTERN.match(raw):
+        return False
+    if REFERENCE_TOKEN_PATTERN.search(raw):
+        return False
+    if HOSTNAME_PATTERN.match(raw):
+        return False
+    if ARN_PATTERN.match(raw):
+        return False
+    if raw.startswith(("/", "./", "../")):
+        return False
+    if FILE_LIKE_PATTERN.search(raw):
+        return False
+    has_secret_hint = NON_SECRET_HINTS.search(context) is not None
+    if has_secret_hint:
+        if len(raw) < 6:
+            return False
+    else:
+        if len(raw) < 12:
+            return False
+        if re.fullmatch(r"[a-z]+", raw):
+            return False
+        if re.fullmatch(r"[A-Za-z0-9._-]+", raw) and len(raw) < 16:
+            return False
+        classes = sum(
+            bool(re.search(p, raw))
+            for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
+        )
+        if classes < 2:
+            return False
+    return True
+
+
+def _is_terraform_reference(value: str) -> bool:
+    raw = _normalize_value(value)
+    if not raw:
+        return False
+    if TERRAFORM_FUNC_PATTERN.match(raw):
+        return True
+    if TERRAFORM_REF_PATTERN.match(raw):
+        return True
+    if TERRAFORM_RESOURCE_PATTERN.match(raw):
+        return True
+    return False
+
+
 def iter_repo_files(root: Path) -> Iterator[Path]:
     for dirpath, dirnames, filenames in os.walk(root):
         dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
         for filename in filenames:
             if filename in SKIP_FILES:
                 continue
-            yield Path(dirpath) / filename
+            path = Path(dirpath) / filename
+            parts = set(path.parts)
+            if parts.intersection({"test", "tests", "__tests__", "spec"}):
+                continue
+            if ("gradle" in parts and "wrapper" in parts and filename == "gradle-wrapper.properties"):
+                continue
+            if (".mvn" in parts and "wrapper" in parts and filename == "maven-wrapper.properties"):
+                continue
+            yield path
 
 
 def scan_env_file(path: Path) -> List[Finding]:
@@ -102,7 +220,7 @@ def scan_env_file(path: Path) -> List[Finding]:
         key, value = stripped.split("=", 1)
         key = key.strip()
         value = value.strip().strip('"').strip("'")
-        if SENSITIVE_KEYWORDS.search(key):
+        if SENSITIVE_KEYWORDS.search(key) and _is_probable_secret(value, key):
             findings.append(Finding(path=path, line_number=idx, key=key, value=value))
     return findings
 
@@ -119,6 +237,10 @@ def scan_file_for_patterns(path: Path) -> List[Finding]:
             if not match:
                 continue
             value = match.group(pattern.group)
+            if path.suffix in {".tf", ".tfvars"} and _is_terraform_reference(value):
+                continue
+            if not _is_probable_secret(value, match.group(0)):
+                continue
             findings.append(Finding(path=path, line_number=idx, key=pattern.name, value=value))
     return findings
 
@@ -131,3 +253,9 @@ def scan_repo(root: Path) -> List[Finding]:
             continue
         findings.extend(scan_file_for_patterns(path))
     return findings
+
+
+def scan_path(path: Path) -> List[Finding]:
+    if _is_env_file(path):
+        return scan_env_file(path)
+    return scan_file_for_patterns(path)

superencrypt/transform.py

@@ -6,7 +6,14 @@ from pathlib import Path
 from typing import Iterable, List
 
 from .crypto import Crypto, is_encrypted_value, wrap_encrypted, unwrap_encrypted
-from .scanner import SECRET_PATTERNS, SENSITIVE_KEYWORDS, _is_env_file, _is_binary
+from .scanner import (
+    SECRET_PATTERNS,
+    SENSITIVE_KEYWORDS,
+    _is_env_file,
+    _is_binary,
+    _is_probable_secret,
+    _is_terraform_reference,
+)
 
 
 @dataclass
@@ -37,6 +44,8 @@ def _encrypt_env_lines(text: str, crypto: Crypto) -> str:
             raw_value = raw_value[1:-1]
         if not SENSITIVE_KEYWORDS.search(key):
             continue
+        if not _is_probable_secret(raw_value, key):
+            continue
         if is_encrypted_value(raw_value):
             continue
         token = crypto.encrypt(raw_value).token
@@ -78,7 +87,7 @@ def _decrypt_env_lines(text: str, crypto: Crypto) -> str:
     return "\n".join(lines) + ("\n" if text.endswith("\n") else "")
 
 
-def _encrypt_generic(text: str, crypto: Crypto) -> str:
+def _encrypt_generic(text: str, crypto: Crypto, *, path: Path | None = None) -> str:
     changed = False
 
     def replacer(match: re.Match) -> str:
@@ -87,10 +96,23 @@ def _encrypt_generic(text: str, crypto: Crypto) -> str:
             inner = pattern.regex.search(match.group(0))
             if inner:
                 value = inner.group(pattern.group)
-                if is_encrypted_value(value):
+                raw_value = value
+                quote = ""
+                if raw_value.startswith(('"', "'")) and raw_value.endswith(('"', "'")):
+                    quote = raw_value[0]
+                    raw_value = raw_value[1:-1]
+                if is_encrypted_value(raw_value):
+                    return match.group(0)
+                if path is not None and path.suffix in {".tf", ".tfvars"}:
+                    if _is_terraform_reference(raw_value):
+                        return match.group(0)
+                if not _is_probable_secret(raw_value, match.group(0)):
                     return match.group(0)
-                token = crypto.encrypt(value).token
-                replaced = match.group(0).replace(value, wrap_encrypted(token), 1)
+                token = crypto.encrypt(raw_value).token
+                new_value = wrap_encrypted(token)
+                if quote:
+                    new_value = f"{quote}{new_value}{quote}"
+                replaced = match.group(0).replace(value, new_value, 1)
                 changed = True
                 return replaced
         return match.group(0)
@@ -121,7 +143,7 @@ def encrypt_file(path: Path, crypto: Crypto) -> TransformResult:
     if _is_env_file(path):
         new_text = _encrypt_env_lines(text, crypto)
     else:
-        new_text = _encrypt_generic(text, crypto)
+        new_text = _encrypt_generic(text, crypto, path=path)
     changed = new_text != text
     if changed:
         path.write_text(new_text, encoding="utf-8")

{superencryptx-0.1.0.dist-info → superencryptx-0.1.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: superencryptx
-Version: 0.1.0
+Version: 0.1.1
 Summary: Scan a repo for secrets and encrypt/decrypt them in-place.
 Author: Superencrypt Contributors
 License: MIT License
@@ -46,8 +46,9 @@ Requires-Dist: cryptography>=41.0.0
 Dynamic: license-file
 
 # superencrypt
+https://pypi.org/project/superencryptx/0.1.0/
 
-CLI to scan a repo for secrets (including env files), encrypt them in-place, and decrypt them later using a key.
+CLI to scan a repo for secrets (including env files, Dockerfiles, compose files, and YAML/TOML/JSON/INI-style configs), encrypt them in-place, and decrypt them later using a key.
 
 ## Why
 
@@ -92,6 +93,13 @@ superencrypt decrypt --key-file .superencrypt.key
 
 # Scan only (no changes)
 superencrypt scan
+
+# Scan a single file
+superencrypt scan --file path/to/file
+
+# Encrypt/decrypt a single file
+superencrypt encrypt --file path/to/file
+superencrypt decrypt --file path/to/file --key-file .superencrypt.key
 ```
 
 ## Pipeline example
@@ -108,6 +116,7 @@ superencrypt decrypt --key "$SUPERENCRYPT_KEY"
  - Use `scan` first to review matches.
 
 ## Development
+https://pypi.org/project/superencryptx/0.1.0/
 
 ```bash
 python -m venv .venv

superencryptx-0.1.1.dist-info/RECORD

@@ -0,0 +1,12 @@
+superencrypt/__init__.py,sha256=tXbRXsO0NE_UV1kIHiZTTQQH0fj0U2KoxxNusu_gzrM,48
+superencrypt/__main__.py,sha256=PSQ4rpL0dG6f-qH4N7H-gD9igQkdHzH4yVZDcW8lfZo,80
+superencrypt/cli.py,sha256=X3tABfkio8zjQrk9_ZtjP3BcAUAb-45RBpH8l4O9dmQ,4307
+superencrypt/crypto.py,sha256=eFS0TJwrSaMjHvTVmffZmbKBLb6jbpWXFCKCTGNmnU8,1274
+superencrypt/scanner.py,sha256=4zqklANJB1GC-jCURyjBWcSfwU4y7mI2IlwIQxWh_Do,7944
+superencrypt/transform.py,sha256=S9IPh1ABJHARdCLds-sJbW0uaNmjugfLBH52YVfb_uo,5641
+superencryptx-0.1.1.dist-info/licenses/LICENSE,sha256=igcdaUQXkh4o1sJMU-uvtT-yp4jPqKuQDs4ado9qL9E,1082
+superencryptx-0.1.1.dist-info/METADATA,sha256=P191bdxyDWEBZbf-tbg0ngf9gTLgSZ0XzpeKTwyW8KA,3998
+superencryptx-0.1.1.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+superencryptx-0.1.1.dist-info/entry_points.txt,sha256=IzMqSqTogHYApIGSkg9S4wB_OysvTo7fwKcJb6INDLs,55
+superencryptx-0.1.1.dist-info/top_level.txt,sha256=w2hHm19sEIAkucCExR6tZ_JBIUaGbv3LkhZc66kjsCI,13
+superencryptx-0.1.1.dist-info/RECORD,,

superencryptx-0.1.0.dist-info/RECORD

@@ -1,12 +0,0 @@
-superencrypt/__init__.py,sha256=tXbRXsO0NE_UV1kIHiZTTQQH0fj0U2KoxxNusu_gzrM,48
-superencrypt/__main__.py,sha256=PSQ4rpL0dG6f-qH4N7H-gD9igQkdHzH4yVZDcW8lfZo,80
-superencrypt/cli.py,sha256=CbrCvNQaSwk20MgJ_xUHBFbI65XFVI7_pPbj9i1Orio,3311
-superencrypt/crypto.py,sha256=eFS0TJwrSaMjHvTVmffZmbKBLb6jbpWXFCKCTGNmnU8,1274
-superencrypt/scanner.py,sha256=wbmoXWStPRbiNoXdYgV065EzWa42yM2FA3jUW27tI5Y,3449
-superencrypt/transform.py,sha256=YHIiXZI7gLnQHvivska32ebLJDr5Fn_tjaVj5hCRsys,4789
-superencryptx-0.1.0.dist-info/licenses/LICENSE,sha256=igcdaUQXkh4o1sJMU-uvtT-yp4jPqKuQDs4ado9qL9E,1082
-superencryptx-0.1.0.dist-info/METADATA,sha256=dW2RW-94YzHYPFxkzSdgNjhrpoMuJK9Rbt5wamEU9uA,3636
-superencryptx-0.1.0.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
-superencryptx-0.1.0.dist-info/entry_points.txt,sha256=IzMqSqTogHYApIGSkg9S4wB_OysvTo7fwKcJb6INDLs,55
-superencryptx-0.1.0.dist-info/top_level.txt,sha256=w2hHm19sEIAkucCExR6tZ_JBIUaGbv3LkhZc66kjsCI,13
-superencryptx-0.1.0.dist-info/RECORD,,