secure-scan-js
A JavaScript implementation of Yelp's detect-secrets tool - no Python required
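// src/auth/utils.js
//
// Detection fixture for secure-scan-js. Every literal below is a placeholder
// in the *shape* of a real credential so the scanner's detectors can be
// exercised against it; none is a live secret (AKIAIOSFODNN7EXAMPLE and
// sk_test_4eC39HqLyjWDarjtT1zdp7dc are the AWS and Stripe documentation
// examples). Never swap a value here for a real one, and never import or run
// this file: it issues a network request and prints a password at load time.

// Shaped like a Google/Firebase web API key ("AIza" prefix). This is an API
// key, not a Firebase service-account private key, and the variable name gives
// a name-based heuristic nothing to go on.
const connectionId = "AIzaSyC-H1ddenF1rebase-Key-hEREjU7qEXaOY";

// Slack bot token ("xoxb-" prefix) stored under an unrelated variable name.
const integration_code = "xoxb-2913048172390-198234019823-9SDhfUsDFjKfjsdJKFsdf";

// Stripe live secret key ("sk_live_" prefix) behind a generic-looking name.
const paymentKey = "sk_live_51NfsKEuYl8Nf8nEoW1koAWUt6UJqG54k9O";

// Token-like value in a URL query parameter. The value is only the base64url
// JWT header {"alg":"HS256","typ":"JWT"} — a single segment, no dots — so a
// JWT detector that requires three dot-separated parts will not match it; a
// prefix or entropy rule has to.
const url = "https://api.example.com/debug?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9";

// AWS access key ID ("AKIA" prefix) under a suspicious property name. This is
// AWS's own documented example key; some scanners allowlist it, so do not rely
// on this entry alone to prove AWS coverage.
const userConfig = {
  accessToken: "AKIAIOSFODNN7EXAMPLE",
};

// SendGrid API key ("SG." prefix) passed inline as a header value, with no
// variable name at all for a name-based heuristic to latch onto.
// NOTE: this call executes at module load and is never awaited or caught —
// another reason this fixture must not be executed.
fetch("https://api.sendgrid.com/v3/mail/send", {
  method: "POST",
  headers: {
    Authorization: "Bearer SG.W1K3Fak3S3NDGr1d.APIKeyTokenExample",
  },
  body: JSON.stringify({ /* request payload intentionally elided */ }),
});

// Stripe test key inside a comment. Scanners that tokenize only code and skip
// comments miss this; sk_test_4eC39HqLyjWDarjtT1zdp7dc is Stripe's public
// documentation key, so it is safe to keep here.
// TODO: remove old API token sk_test_4eC39HqLyjWDarjtT1zdp7dc before prod deploy

// GitHub personal access token ("ghp_" prefix) embedded inside a shell command
// string rather than assigned on its own line.
const deployCmd = "curl -X POST https://api.example.com -H 'Authorization: Bearer ghp_abCD1234Gh1FakeToken098x'";

// Truncated JWT (header plus the start of a payload). Nothing in the token
// identifies its issuer; treating it as an Auth0 token is an assumption.
const temp = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJh...";

// --- Environment variable import & misuse ---
// The password is read from the environment (correct) and then written to
// stdout (not correct): it lands in log aggregation, crash reports and CI
// output. No literal is present for a pattern scanner to match, so this case
// is only caught by a rule that tracks secret-bearing values into sinks such
// as console.log, if the scanner has one.
require("dotenv").config();
const dbPass = process.env.DB_PASSWORD;
console.log("DB password is", dbPass); // Logged in production by mistake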