Research-backed code quality guardian for AI-assisted development. Detects hardcodes, secrets, circular deps, framework leaks, entity exposure, and 9 architecture violations. Enforces Clean Architecture/DDD principles. Works with GitHub Copilot, Cursor, W
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.SecretViolation = void 0;
const ValueObject_1 = require("./ValueObject");
const Messages_1 = require("../constants/Messages");
const constants_1 = require("../../shared/constants");
const SecretExamples_1 = require("../constants/SecretExamples");
/**
* Represents a secret exposure violation in the codebase
*
* Secret violations occur when sensitive data like API keys, tokens, passwords,
* or credentials are hardcoded in the source code instead of being stored
* in secure environment variables or secret management systems.
*
* Note that a violation carries the matched text itself (see `matchedPattern` in the
* example below), so the object is sensitive data in its own right: do not print or
* log it unredacted, and keep reports to the secret type and location where possible.
*
* All secret violations are marked as CRITICAL severity because they represent
* serious security risks that could lead to unauthorized access, data breaches,
* or service compromise.
*
* @example
* ```typescript
* const violation = SecretViolation.create(
* 'src/config/aws.ts',
* 10,
* 15,
* 'AWS Access Key',
* 'AKIA1234567890ABCDEF'
* )
*
* console.log(violation.getMessage())
* // "Hardcoded AWS Access Key detected"
*
* console.log(violation.getSeverity())
* // "critical"
* ```
*/
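class SecretViolation extends ValueObject_1.ValueObject {
    /**
     * @param {{file: string, line: number, column: number, secretType: string, matchedPattern: string}} props
     *   Violation properties; prefer the static `create` factory over calling this directly.
     */
    constructor(props) {
        super(props);
    }

    /**
     * Builds a SecretViolation for a hardcoded secret found at `file:line:column`.
     *
     * @param {string} file - Path of the file containing the match.
     * @param {number} line - Line of the match, as reported by the detector.
     * @param {number} column - Column of the match, as reported by the detector.
     * @param {string} secretType - Human-readable category (e.g. "AWS Access Key").
     *   Drives the example fix chosen by `getExampleFix()`.
     * @param {string} matchedPattern - The text that matched. Per the class example this is
     *   the secret literal itself, so the resulting object must be treated as sensitive;
     *   use `getRedactedMatch()` when printing it.
     * @returns {SecretViolation}
     */
    static create(file, line, column, secretType, matchedPattern) {
        return new SecretViolation({ file, line, column, secretType, matchedPattern });
    }

    /** @returns {string} File path the violation was found in. */
    get file() {
        return this.props.file;
    }

    /** @returns {number} Line of the match. */
    get line() {
        return this.props.line;
    }

    /** @returns {number} Column of the match. */
    get column() {
        return this.props.column;
    }

    /** @returns {string} Secret category, e.g. "AWS Access Key". */
    get secretType() {
        return this.props.secretType;
    }

    /**
     * Raw matched text. SECURITY: this is the secret itself (see the class example), so
     * never log or render it directly — use `getRedactedMatch()` for output.
     *
     * @returns {string}
     */
    get matchedPattern() {
        return this.props.matchedPattern;
    }

    /**
     * Masked form of `matchedPattern` that is safe to print in reports and logs.
     *
     * Keeps the first four characters (enough to recognise a vendor prefix such as
     * "AKIA") and replaces the rest with "*". Matches of eight characters or fewer
     * are masked entirely; a missing or non-string value yields "".
     *
     * @returns {string}
     */
    getRedactedMatch() {
        const match = this.props.matchedPattern;
        if (typeof match !== "string" || match.length === 0) {
            return "";
        }
        const VISIBLE_PREFIX = 4;
        if (match.length <= VISIBLE_PREFIX * 2) {
            return "*".repeat(match.length);
        }
        return match.slice(0, VISIBLE_PREFIX) + "*".repeat(match.length - VISIBLE_PREFIX);
    }

    /**
     * One-line description of the violation. Deliberately names only the secret type,
     * never the matched value, so the message itself cannot leak the secret.
     *
     * @returns {string}
     */
    getMessage() {
        return `Hardcoded ${this.props.secretType} detected`;
    }

    /**
     * Remediation advice, one suggestion per line, in a fixed order
     * (env vars, secret manager, never commit, rotate if exposed, .gitignore).
     *
     * @returns {string}
     */
    getSuggestion() {
        const { SECRET_VIOLATION_MESSAGES } = Messages_1;
        return [
            SECRET_VIOLATION_MESSAGES.USE_ENV_VARIABLES,
            SECRET_VIOLATION_MESSAGES.USE_SECRET_MANAGER,
            SECRET_VIOLATION_MESSAGES.NEVER_COMMIT_SECRETS,
            SECRET_VIOLATION_MESSAGES.ROTATE_IF_EXPOSED,
            SECRET_VIOLATION_MESSAGES.USE_GITIGNORE,
        ].join("\n");
    }

    /**
     * Before/after code example tailored to this violation's `secretType`.
     *
     * @returns {string}
     */
    getExampleFix() {
        return this.getExampleFixForSecretType(this.props.secretType);
    }

    /**
     * Every secret violation is CRITICAL: a committed credential is exploitable as-is.
     *
     * @returns {string}
     */
    getSeverity() {
        return constants_1.SEVERITY_LEVELS.CRITICAL;
    }

    /**
     * Picks an example fix by case-insensitive keyword match on `secretType`.
     *
     * Order matters: the first matching keyword wins (AWS, GitHub, NPM, SSH/private key,
     * Slack, API key), and anything else falls through to the generic example. All
     * example values come from SecretExamples so no real-looking secret lives here.
     *
     * @param {string} secretType - Secret category; a missing or non-string value
     *   selects the generic example instead of throwing.
     * @returns {string}
     */
    getExampleFixForSecretType(secretType) {
        // Defensive: `create()` does not validate its arguments, so guard `.toLowerCase()`.
        const lowerType = typeof secretType === "string" ? secretType.toLowerCase() : "";
        const { SECRET_KEYWORDS, SECRET_EXAMPLE_VALUES, FILE_ENCODING } = SecretExamples_1;
        const mentions = (keyword) => lowerType.includes(keyword);

        if (mentions(SECRET_KEYWORDS.AWS)) {
            return `
// ❌ Bad: Hardcoded AWS credentials
const AWS_ACCESS_KEY_ID = "${SECRET_EXAMPLE_VALUES.AWS_ACCESS_KEY_ID}"
const AWS_SECRET_ACCESS_KEY = "${SECRET_EXAMPLE_VALUES.AWS_SECRET_ACCESS_KEY}"
// ✅ Good: Use environment variables
const AWS_ACCESS_KEY_ID = process.env.AWS_ACCESS_KEY_ID
const AWS_SECRET_ACCESS_KEY = process.env.AWS_SECRET_ACCESS_KEY
// ✅ Good: Use credentials provider (in infrastructure layer)
// Load credentials from environment or credentials file`;
        }
        if (mentions(SECRET_KEYWORDS.GITHUB)) {
            return `
// ❌ Bad: Hardcoded GitHub token
const GITHUB_TOKEN = "${SECRET_EXAMPLE_VALUES.GITHUB_TOKEN}"
// ✅ Good: Use environment variables
const GITHUB_TOKEN = process.env.GITHUB_TOKEN
// ✅ Good: GitHub Apps with temporary tokens
// Use GitHub Apps for automated workflows instead of personal access tokens`;
        }
        if (mentions(SECRET_KEYWORDS.NPM)) {
            return `
// ❌ Bad: Hardcoded NPM token in code
const NPM_TOKEN = "${SECRET_EXAMPLE_VALUES.NPM_TOKEN}"
// ✅ Good: Use .npmrc file (add to .gitignore)
// .npmrc
//registry.npmjs.org/:_authToken=\${NPM_TOKEN}
// ✅ Good: Use environment variable
const NPM_TOKEN = process.env.NPM_TOKEN`;
        }
        if (mentions(SECRET_KEYWORDS.SSH) || mentions(SECRET_KEYWORDS.PRIVATE_KEY)) {
            return `
// ❌ Bad: Hardcoded SSH private key
const privateKey = \`-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...\`
// ✅ Good: Load from secure file (not in repository)
import fs from "fs"
const privateKey = fs.readFileSync(process.env.SSH_KEY_PATH, "${FILE_ENCODING.UTF8}")
// ✅ Good: Use SSH agent
// Configure SSH agent to handle keys securely`;
        }
        if (mentions(SECRET_KEYWORDS.SLACK)) {
            return `
// ❌ Bad: Hardcoded Slack token
const SLACK_TOKEN = "${SECRET_EXAMPLE_VALUES.SLACK_TOKEN}"
// ✅ Good: Use environment variables
const SLACK_TOKEN = process.env.SLACK_BOT_TOKEN
// ✅ Good: Use OAuth flow for user tokens
// Implement OAuth 2.0 flow instead of hardcoding tokens`;
        }
        if (mentions(SECRET_KEYWORDS.API_KEY) || mentions(SECRET_KEYWORDS.APIKEY)) {
            return `
// ❌ Bad: Hardcoded API key
const API_KEY = "${SECRET_EXAMPLE_VALUES.API_KEY}"
// ✅ Good: Use environment variables
const API_KEY = process.env.API_KEY
// ✅ Good: Use secret management service (in infrastructure layer)
// AWS Secrets Manager, HashiCorp Vault, Azure Key Vault
// Implement secret retrieval in infrastructure and inject via DI`;
        }
        return `
// ❌ Bad: Hardcoded secret
const SECRET = "${SECRET_EXAMPLE_VALUES.HARDCODED_SECRET}"
// ✅ Good: Use environment variables
const SECRET = process.env.SECRET_KEY
// ✅ Good: Use secret management
// AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, etc.`;
    }
}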
exports.SecretViolation = SecretViolation;
//# sourceMappingURL=SecretViolation.js.map