Secretlint

Secretlint is that Pluggable linting tool to prevent committing credential.

Features

• Scanner: Found credentials in a project and report these
• Project Friendly: Easy to set up your project and integrate CI services
• Pre-Commit Hook: Prevent committing credential files
• Pluggable: Allow creating custom rule and flexible configuration
• Documentation: Describe the reason that rule detect it as secret

Quick Demo

You can view secretlint linting result on https://secretlint.github.io/.

Quick Start

You can try to use Secretlint on your project at one command.
If you already have installed Docker:

docker run -v `pwd`:`pwd` -w `pwd` --rm -it secretlint/secretlint secretlint "**/*"

If you already have installed Node.js:

npx @secretlint/quick-start "**/*"

After running,
If you got empty result and exit status is ``, your project is secure.
Otherwise, you got some error report, your project includes credential as raw data.

You want to get continuous security, Please see following installation guide and setup pre-commit hook and CI.

Installation

Using Docker

Prerequisites: Require Docker
Use our Docker container to get an environment with Node.js and secretlint and running as fast as you can download them.
You can check all files under the current directory with secretlint by following command:

docker run -v `pwd`:`pwd` -w `pwd` --rm -it secretlint/secretlint secretlint "**/*"

secretlint/secretlint docker container work without configuration by design.
Built-in rules:

• @secretlint/secretlint-rule-preset-recommend

For more details, please see secretlint’s Dockerfile.

Using Node.js

Prerequisites: Require Node.js 14+.
Secretlint is written by JavaScript.
You can install Secretlint using npm:

npm install secretlint @secretlint/secretlint-rule-preset-recommend --save-dev

You should then set up a configuration file:

npx secretlint --init

Finally, you can run Secretlint on any file or directory like this:

npx secretlint "**/*"

📝 Secretlint support glob pattern and glob pattern should be wrapped by a double quote.
It is also possible to install Secretlint globally using npm install --global. But, We do not recommended it, some rules may be broken in globally.

Usage

secretlint --help show Usage.

  Secretlint CLI that scan secret/credential data.

  Usage
    $ secretlint [file|glob*]

  Note
    supported glob syntax is based on microglob
    https://github.com/micromatch/micromatch#matching-features

  Options
    --init             setup config file. Create .secretlintrc.json file from your package.json
    --format           [String] formatter name. Default: "stylish". Available Formatter: checkstyle, compact, jslint-xml, json, junit, pretty-error, stylish, table, tap, unix
    --output           [path:String] output file path that is written of reported result.
    --no-color         disable ANSI-color of output.
    --no-terminalLink  disable terminalLink of output.
    --maskSecrets      enable masking of secret values. replace actual secrets with "***".
    --secretlintrc     [path:String] path to .secretlintrc config file. Default: .secretlintrc.*
    --secretlintignore [path:String] path to .secretlintignore file. Default: .secretlintignore

  Options for Developer
    --profile          Enable performance profile.
    --secretlintrcJSON [String] a JSON string of .secretlintrc. use JSON string instead of rc file.

  Experimental Options
    --locale            [String] locale tag for translating message. Default: en

  Examples
    $ secretlint ./README.md
    # glob pattern should be wrapped with double quote
    $ secretlint "**/*"
    $ secretlint "source/**/*.ini"

Configuration

Secretlint has a configuration file .secretlintrc.{json,yml,js}.

• Document: Configuring Secretlint

After running secretlint --init, you’ll have a .secretlintrc.json file in your directory.
In it, you’ll see some rules configured like this:

{
  "rules": [
    {
      "id": "@secretlint/secretlint-rule-preset-recommend"
    }
  ]
}

The id property is the name of secretlint rule package.
Secretlint does not have built-in rule.
You want to add some rule and You should install the package and add the rule to .secretlintrc file.
Each rule has same configuration pattern:

• options: Option definition for the rule. For more details, see each rule documentation
• disabled: If disabled is true, disable the rule
• allowMessageIds: allowMessageIds is an array of message id that you want to suppress error report
  • message id is defined in each rule and please see the rule documentation

Example: options

For example, @secretlint/secretlint-rule-example has allows in options.
This allows option define a list of RegExp-like String that you want to ignore.

{
  "rules": [
    {
      "id": "@secretlint/secretlint-rule-example",
      "options": {
        "allows": [
          "/dummy_secret/i"
        ]
      }
    }
  ]
}

When you use a preset like @secretlint/secretlint-rule-preset-recommend, you need to put the option in rules.
For example, an option for @secretlint/secretlint-rule-preset-recommend > @secretlint/secretlint-rule-aws

{
  "rules": [
    {
      "id": "@secretlint/secretlint-rule-preset-recommend",
      "rules": [
        {
          "id": "@secretlint/secretlint-rule-aws",
            "options": {
              "allows": [
	            // it will be ignored
                "xxxx-xxxx-xxxx-xxxx-xxxx"
              ]
            }
        }
      ]
    }
  ]
}

Example: allowMessageIds

For example, you have got following error report by run secretlint:

$ secretlint "**/*"

SECRET.txt
  1:8  error  [EXAMPLE_MESSAGE] found secret: SECRET  @secretlint/secretlint-rule-example

✖ 1 problem (1 error, 0 warnings)

This error’s message id is EXAMPLE_MESSAGE in @secretlint/secretlint-rule-example.
If you want to ignore this error, please use allowMessageIds.

{
  "rules": [
    {
      "id": "@secretlint/secretlint-rule-example",
      "allowMessageIds": ["EXAMPLE_MESSAGE"]
    }
  ]
}

When you use a preset like @secretlint/secretlint-rule-preset-recommend, you need to put the option in rules.
For example, If you want to ignore “AWSAccountID” and “AWSAccessKeyID” of “@secretlint/secretlint-rule-aws”, you can write following.

{
  "rules": [
    {
      "id": "@secretlint/secretlint-rule-preset-recommend",
      "rules": [
        {
          "id": "@secretlint/secretlint-rule-aws",
          "allowMessageIds": ["AWSAccountID", "AWSAccessKeyID"]
        }
      ]
    }
  ]
}

Ignoring by comment

@secretlint/secretlint-rule-filter-comments supports ignoring comment like secretlint-disable.

// secretlint-disable

THIS IS SECRET, BUT IT WILL BE IGNORED

// secretlint-enable

For more details, please see Configuring Secretlint.

Rule Packages

Secretlint rules has been implemented as separated modules.

• @secretlint/secretlint-rule-npm
• @secretlint/secretlint-rule-aws
• @secretlint/secretlint-rule-gcp
• @secretlint/secretlint-rule-github
• @secretlint/secretlint-rule-privatekey
• @secretlint/secretlint-rule-basicauth
• @secretlint/secretlint-rule-slack
• @secretlint/secretlint-rule-sendgrid
• @secretlint/secretlint-rule-shopify
• @secretlint/secretlint-rule-secp256k1-privatekey
• @secretlint/secretlint-rule-no-k8s-kind-secret
• @secretlint/secretlint-rule-pattern
• @secretlint/secretlint-rule-no-homedir
• @secretlint/secretlint-rule-no-dotenv

Also, Secretlint provide rule preset that includes recommened rule set.

• @secretlint/secretlint-rule-preset-recommend
  • Recommended rule set

Custom Rules

You can create own secretlint rule.
You want to get a secretlint rule for suitable your project and you can create it!
A secretlint rule is a just npm package.
If you want to know creating secretlint rule, please see docs/secretlint-rule.md.

Integrations

Pre-commit Hook per project

You can use Secretlint with some pre-commit tool.
This can prevent to commit secret data by linting with Secretlint.
Applying secretlint to the project and improve security on team developing.

Husky + lint-staged

Use Case: If you want to introduce secretlint to Node.js project, this combination is useful.
Install Husky and lint-staged:

npx husky-init && npm install lint-staged --save-dev

Add hooks to .husky/pre-commit:

npx husky add .husky/pre-commit "npx --no-install lint-staged"

Edit package.json:

{
  // add "lint-staged" field
  "lint-staged": {
    "*": [
      "secretlint"
    ]
  }
}

This means that check each staged file by Secretlint before commit.

pre-commit

Use Case: You have a project that is developing with Docker. Easy to integrate to secretlint.
Install pre-commit

# macOS. see also https://pre-commit.com/#install
brew install pre-commit

Create .pre-commit-config.yaml:

-   repo: local
    hooks:
    -   id: secretlint
        name: secretlint
        language: docker_image
        entry: secretlint/secretlint:latest secretlint

Example setup repository:

• https://github.com/azu/secretlint-pre-commit-example

Bash Script

Alternately you can save this script as .git/hooks/pre-commit and give it execute permission(chmod +x .git/hooks/pre-commit):

#!/bin/sh
FILES=$(git diff --cached --name-only --diff-filter=ACMR | sed 's| |\ |g')
[ -z "$FILES" ] && exit 0

# Secretlint all selected files
echo "$FILES" | xargs ./node_modules/.bin/secretlint
# If you using docker
# echo "$FILES" | xargs docker run -v `pwd`:`pwd` -w `pwd` --rm secretlint/secretlint secretlint
RET=$?
if [ $RET -eq 0 ] ;then
    exit 0
else
    exit 1
fi

Pre-commit Hook globally

Use Case: If you want to check any project by secretlint, you can use global git hooks.
Git 2.9+ supports core.hooksPath.
It allow to integrate secretlint globally.
We have created example git hooks project using secretlint + Docker.

• secretlint/git-hooks
  • Requirement: Docker

You can set up by following steps:

# clone this repository
git clone https://github.com/secretlint/git-hooks git-hooks
cd git-hooks
# integrate secretlint to git hook globally
git config --global core.hooksPath $(pwd)/hooks

After setup…