nickdeis / eslint-plugin-no-secrets
An eslint plugin to find strings that might be secrets/credentials
License: MIT License
Hi,
I tried your plugin and it works great, at least for secrets in source code.
Is there a way to make it find secrets in comments?
Sample:
// const passwords = "admin123" <---- HERE I forget to remove this commented line
const password = ""
BTW, maybe related, we are using TypeScript.
Thanks
I would like to be able to exclude strings in some statements from consideration, no matter what entropy level they have: import, require, className, and maybe various strings of CSS-in-JS frameworks.
For example, the rule is triggered for this string:
const webpackFriendlyConsole = require('./config/webpack/webpackFriendlyConsole')
The entropy of './config/webpack/webpackFriendlyConsole' is 4.1, however it is an obvious false positive.
The corresponding options could look for example like this:
'no-secrets/no-secrets': [
'warn',
{
tolerance: 5,
additionalRegexes: {},
ignoreContent: [
/.*some high-entropy text that is not a secret: bla bla bla.*/,
],
ignoreImports: true,
ignoreCommonjsRequires: true,
ignoreCssClassNames: true,
ignoreVariableNames: [/^NOT_A_SECRET_.*$/, 'highEntropySample'],
},
],
Although some of the blacklisting can, of course, be achieved by selectively disabling the rule for a line or file, or even adding particular files to an override with this rule disabled, it would be awesome to have some sort of centralized control and additional customization, as described above.
In any case, thanks for the great plugin! ;)
Could you add a continuous integration in order to check easily the tests status?
E.g. TravisCI is reliable and free for Open Source.
Once https://github.com/typescript-eslint/typescript-eslint/releases/tag/v3.0.0-alpha.23 merges, I'll be testing it myself, but I just thought I'd drop a friendly note that probably people will be inquiring here as to whether ESLint 7 is supported soon.
It may very well be already supported! There weren't a ton of breaking changes in ESLint 7 or anything. If so, it'd be nice to say that ESLint 7 is supported on the main README
Hey,
I don't want this plugin to detect strings with entropy less than 4.3 (because those are usually not secrets for my project). How can I get that done?
Could you upgrade dependencies?
btw. I checked require("eslint/lib/testers/rule-tester")
works for eslint@5 but doesn't for eslint@6
IMO Shannon entropy isn't a good measurement because a given string repeated 100 times has the same entropy as repeated only once.
Of course, repeating the same sequence doesn't increase the amount of information much, but it does increase it to some degree.
IMO:
abcd -> log_2(4) which gives 2
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
(abcd repeated 100 times) -> log_2(4 + log_2(100)) = 3.41
I get the following error when I have this package and eslint-plugin-json installed.
/dev/eslint-config-adjunct/package.json
1:1 error Unexpected token v
Downgrading to version 0.5.4 fixes the issue.
Thank you for your work on this great plugin. I use it in https://github.com/dimitropoulos/eslint-config-intense
I'm updating dependencies on my config today and can't seem to find a changelog to see what changed between 0.3.4 and 0.6.8. Apologies if I just missed it somewhere.
Currently, if a given string contains many words delimited with a space, each word has a separate entropy calculated.
I want to be able to specify other delimiters as well, e.g. _, -, @.
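Added illustration of the two points raised above (the objection that a string repeated 100 times scores the same Shannon entropy as a single copy, and per-token scoring with extra delimiters); this is not the plugin's own code, and shannonEntropy, tokenEntropies and suspiciousTokens are hypothetical helper names, with the entropy values computed here rather than taken from the plugin.

```javascript
// Added example, not eslint-plugin-no-secrets code. Helper names are hypothetical.

// Shannon entropy of a string in bits per character.
function shannonEntropy(str) {
  if (str.length === 0) return 0;
  const counts = new Map();
  for (const ch of str) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / str.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Split on any of the given delimiters (default: space, as the plugin does
// today) and score each token separately, as the last post proposes.
function tokenEntropies(str, delimiters = [' ']) {
  const escaped = delimiters.map((d) => d.replace(/[.*+?^${}()|[\]\\-]/g, '\\$&'));
  const splitter = new RegExp(`[${escaped.join('')}]+`);
  return str
    .split(splitter)
    .filter(Boolean)
    .map((token) => ({ token, entropy: shannonEntropy(token) }));
}

// Tokens whose entropy reaches the tolerance, i.e. what a rule would report.
function suspiciousTokens(str, tolerance, delimiters) {
  return tokenEntropies(str, delimiters)
    .filter((t) => t.entropy >= tolerance)
    .map((t) => t.token);
}

// The repeated-string objection: frequencies are identical, so the score is too.
console.log(shannonEntropy('abcd'));             // 2
console.log(shannonEntropy('abcd'.repeat(100))); // 2 as well

// Splitting on '_', '-' and '@' yields short, low-entropy tokens (constructed sample).
console.log(tokenEntropies('user_name-token@host', ['_', '-', '@']));

// The require() path from the earlier post stays under a tolerance of 5.
console.log(suspiciousTokens('./config/webpack/webpackFriendlyConsole', 5)); // []
```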