Skip to content

noSecrets

Diagnostic Category: lint/nursery/noSecrets

Since: v1.9.0

Sources:

Disallow usage of sensitive data such as API keys and tokens.

This rule checks for high-entropy strings and matches common patterns for secrets, such as AWS keys, Slack tokens, and private keys.

While this rule is helpful, it’s not infallible. Always review your code carefully and consider implementing additional security measures like automated secret scanning in your CI/CD and git pipeline, such as GitGuardian or GitHub protections.

const secret = "AKIA1234567890EXAMPLE";
code-block.js:1:16 lint/nursery/noSecrets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Potential secret found.

> 1 │ const secret = “AKIA1234567890EXAMPLE”;
^^^^^^^^^^^^^^^^^^^^^^^
2 │

Type of secret detected: AWS API Key

Storing secrets in source code is a security risk. Consider the following steps:
1. Remove the secret from your code. If you’ve already committed it, consider removing the commit entirely from your git tree.
2. If needed, use environment variables or a secure secret management system to store sensitive data.
3. If this is a false positive, consider adding an inline disable comment.

const nonSecret = "hello world";