noSecrets
Ce contenu n’est pas encore disponible dans votre langue.
Diagnostic Category: lint/nursery/noSecrets
Since: v1.9.0
Sources:
- Inspired from:
no-secrets/no-secrets
Disallow usage of sensitive data such as API keys and tokens.
This rule checks for high-entropy strings and matches common patterns for secrets, including AWS keys, Slack tokens, and private keys. It aims to help users identify immediate potential secret leaks in their codebase, especially for those who may not be aware of the risks associated with sensitive data exposure.
Detected Secrets
Section titled Detected SecretsThe following list contains the patterns we detect:
- JSON Web Token (JWT): Tokens in the format of
ey...
- Base64-encoded JWT: Base64-encoded JWT tokens with various parameters (alg, aud, iss, etc.)
- Slack Token: Tokens such as
xox[baprs]-...
- Slack Webhook URL: URLs like
https://hooks.slack.com/services/...
- GitHub Token: GitHub tokens with lengths between 35-40 characters
- Twitter OAuth Token: Twitter OAuth tokens with lengths between 35-44 characters
- Facebook OAuth Token: Facebook OAuth tokens with possible lengths up to 42 characters
- Google OAuth Token: Google OAuth tokens in the format
ya29...
- AWS API Key: Keys that begin with
AKIA
followed by 16 alphanumeric characters - Passwords in URLs: Passwords included in URL credentials (
protocol://user:pass@...
) - Google Service Account: JSON structure with the service-account identifier
- Twilio API Key: API keys starting with
SK...
followed by 32 characters - RSA Private Key: Key blocks that start with
-----BEGIN RSA PRIVATE KEY-----
- OpenSSH Private Key: Key blocks that start with
-----BEGIN OPENSSH PRIVATE KEY-----
- DSA Private Key: Key blocks that start with
-----BEGIN DSA PRIVATE KEY-----
- EC Private Key: Key blocks that start with
-----BEGIN EC PRIVATE KEY-----
- PGP Private Key Block: Key blocks that start with
-----BEGIN PGP PRIVATE KEY BLOCK-----
Entropy Check
Section titled Entropy CheckIn addition to detecting the above patterns, we also employ a string entropy checker to catch potential secrets based on their entropy (randomness). The entropy checker is configurable through the Options
, allowing customization of thresholds for string entropy to fine-tune detection and minimize false positives.
Disclaimer
Section titled DisclaimerWhile this rule helps with most common cases, it is not intended to handle all of them. Therefore, always review your code carefully and consider implementing additional security measures, such as automated secret scanning in your CI/CD and git pipeline.
Recommendations
Section titled RecommendationsSome recommended tools for more comprehensive secret detection include:
- SonarQube: Clean Code scanning solution with a secret scanner (Community version).
- Gitleaks: A mature secret scanning tool.
- Trufflehog: A tool for finding secrets in git history.
- Sensleak: A Rust-based solution for secret detection.
Examples
Section titled ExamplesInvalid
Section titled Invalidcode-block.js:1:16 lint/nursery/noSecrets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠ Potential secret found.
> 1 │ const secret = “AKIA1234567890EXAMPLE”;
│ ^^^^^^^^^^^^^^^^^^^^^^^
2 │
ℹ Type of secret detected: AWS API Key
ℹ Storing secrets in source code is a security risk. Consider the following steps:
1. Remove the secret from your code. If you’ve already committed it, consider removing the commit entirely from your git tree.
2. If needed, use environment variables or a secure secret management system to store sensitive data.
3. If this is a false positive, consider adding an inline disable comment, or tweak the entropy threshold. See options in our docs.
This rule only catches basic vulnerabilities. For more robust, proper solutions, check out our recommendations at: https://biomejs.dev/linter/rules/no-secrets/#recommendations