Pluggable linting tool to prevent committing credentials.
Secretlint is a pluggable linting tool that prevents committing credentials.
You can try Secretlint on your project with a single command.
If you already have Docker installed:
```sh
docker run -v `pwd`:`pwd` -w `pwd` --rm -it secretlint/secretlint secretlint "**/*"
```
If you already have Node.js installed:
```sh
npx @secretlint/quick-start "**/*"
```
After running, if you get an empty result and the exit status is 0, your project is clean. Otherwise you get an error report, which means your project contains credentials as raw data.
For continuous protection, please see the following installation guide and set up a pre-commit hook and CI.
Prerequisites: Docker is required.
Use our Docker container to get an environment with Node.js and Secretlint that is ready to run as soon as the image has downloaded.
You can check all files under the current directory with Secretlint using the following command:
```sh
docker run -v `pwd`:`pwd` -w `pwd` --rm -it secretlint/secretlint secretlint "**/*"
```
The `secretlint/secretlint` Docker container works without configuration by design.
Built-in rules:
For more details, please see secretlint's Dockerfile.
Prerequisites: Node.js 10+ is required.
Secretlint is written in JavaScript. You can install Secretlint using npm:
```sh
npm install secretlint @secretlint/secretlint-rule-preset-recommend --save-dev
```
You should then set up a configuration file:
```sh
npx secretlint --init
```
Finally, you can run Secretlint on any file or directory like this:
```sh
npx secretlint "**/*"
```
:memo: Secretlint supports glob patterns, and a glob pattern should be wrapped in double quotes.
It is also possible to install Secretlint globally using `npm install --global`. We do not recommend it, because some rules may break when installed globally.
`secretlint --help` shows the usage:
```
Secretlint CLI that scan secret/credential data.

Usage
  $ secretlint [file|glob*]

  Note supported glob syntax is based on microglob https://github.com/micromatch/micromatch#matching-features

Options
  --init                            setup config file. Create .secretlintrc.json file from your package.json
  --format [String]                 formatter name. Default: "stylish".
                                    Available Formatter: checkstyle, compact, jslint-xml, json, junit, pretty-error, stylish, table, tap, unix
  --output [path:String]            output file path that is written of reported result.
  --no-color                        disable ANSI-color of output.
  --no-terminalLink                 disable terminalLink of output.
  --secretlintrc [path:String]      path to .secretlintrc config file. Default: .secretlintrc.*
  --secretlintignore [path:String]  path to .secretlintignore file. Default: .secretlintignore

Options for Developer
  --profile                         Enable performance profile.
  --secretlintrcJSON [String]       a JSON string of .secretlintrc. use JSON string instead of rc file.

Experimental Options
  --locale [String]                 locale tag for translating message. Default: en

Examples
  $ secretlint ./README.md
  # glob pattern should be wrapped with double quote
  $ secretlint "**/*"
  $ secretlint "source/**/*.ini"
```
Secretlint has a configuration file `.secretlintrc.{json,yml,js}`.
After running `secretlint --init`, you'll have a `.secretlintrc.json` file in your directory.
In it, you'll see some rules configured like this:
```json
{
  "rules": [
    {
      "id": "@secretlint/secretlint-rule-preset-recommend"
    }
  ]
}
```
The `id` property is the name of the secretlint rule package.
Secretlint has no built-in rules. To add a rule, install its package and add the rule to your `.secretlintrc` file.
Each rule has the same configuration pattern:
- `options`: option definitions for the rule. For more details, see each rule's documentation.
- `disabled`: if `disabled` is `true`, the rule is disabled.
- `allowMessageIds`: an array of message ids whose error reports you want to suppress.
`options`
For example, `@secretlint/secretlint-rule-example` has `allows` in its `options`. This `allows` option defines text patterns that you want to ignore.
```json
{
  "rules": [
    {
      "id": "@secretlint/secretlint-rule-example",
      "options": {
        "allows": [
          "/dummy_secret/i"
        ]
      }
    }
  ]
}
```
`allowMessageIds`
For example, suppose you got the following error report when running `secretlint`:
```
$ secretlint "**/*"
SECRET.txt
  1:8  error  [EXAMPLE_MESSAGE] found secret: SECRET  @secretlint/secretlint-rule-example

✖ 1 problem (1 error, 0 warnings)
```
This error's message id is `EXAMPLE_MESSAGE` in `@secretlint/secretlint-rule-example`.
If you want to ignore this error, use `allowMessageIds`:
```json
{
  "rules": [
    {
      "id": "@secretlint/secretlint-rule-example",
      "allowMessageIds": ["EXAMPLE_MESSAGE"]
    }
  ]
}
```
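The following is an added example, not code from Secretlint or from this README: a toy rule runner that shows how the three per-rule fields described above (`disabled`, `options.allows` and `allowMessageIds`) interact when the same file is linted. The rule it runs is a constructed stand-in for the `@secretlint/secretlint-rule-example` named above, the `SECRET=<value>` pattern, the `toLineColumn`/`formatStylish` helpers and the contents of `SECRET.txt` are all assumptions made for this example, and the output layout only approximates the "stylish" report quoted earlier.

```javascript
// Added illustration, not Secretlint's own implementation: a minimal rule
// runner showing how `disabled`, `options.allows` and `allowMessageIds` in a
// .secretlintrc rule entry suppress reports. Rule, pattern, message id and
// sample file are constructed for this example.

// Constructed stand-in for @secretlint/secretlint-rule-example: flags
// "SECRET=<value>" assignments under the message id EXAMPLE_MESSAGE.
const exampleRule = {
  id: "@secretlint/secretlint-rule-example",
  messageId: "EXAMPLE_MESSAGE",
  pattern: /SECRET=(\S+)/g, // global flag is required by String.prototype.matchAll
  describe: (value) => `found secret: ${value}`,
};

// Parse the "/pattern/flags" string form used in `options.allows`
// (e.g. "/dummy_secret/i") into a RegExp.
function parseAllowPattern(text) {
  const m = /^\/(.*)\/([a-z]*)$/.exec(text);
  if (!m) throw new Error(`invalid allows pattern: ${text}`);
  return new RegExp(m[1], m[2]);
}

// Convert a 0-based character offset into the 1-based line:column that lint
// output shows.
function toLineColumn(content, offset) {
  const before = content.slice(0, offset).split("\n");
  return { line: before.length, column: before[before.length - 1].length + 1 };
}

// Apply one rule entry from .secretlintrc to a file. Returns a list of
// reports: { filePath, line, column, messageId, message, ruleId }.
function lintFile(file, ruleConfig) {
  if (ruleConfig.disabled) return []; // `disabled: true` switches the rule off
  const allowPatterns = ((ruleConfig.options && ruleConfig.options.allows) || []).map(parseAllowPattern);
  const suppressedIds = new Set(ruleConfig.allowMessageIds || []);
  const reports = [];
  for (const match of file.content.matchAll(exampleRule.pattern)) {
    const value = match[1];
    // `allows`: a matched value that fits an allow pattern is not a finding at all.
    if (allowPatterns.some((re) => re.test(value))) continue;
    // `allowMessageIds`: the finding exists, but reports with this id are suppressed.
    if (suppressedIds.has(exampleRule.messageId)) continue;
    const valueOffset = match.index + match[0].indexOf(value);
    const { line, column } = toLineColumn(file.content, valueOffset);
    reports.push({
      filePath: file.filePath,
      line,
      column,
      messageId: exampleRule.messageId,
      message: exampleRule.describe(value),
      ruleId: exampleRule.id,
    });
  }
  return reports;
}

// Render reports in roughly the "stylish" layout quoted in the README.
function formatStylish(reports) {
  const lines = reports.map(
    (r) => `${r.filePath} ${r.line}:${r.column} error [${r.messageId}] ${r.message} ${r.ruleId}`
  );
  const n = reports.length;
  lines.push(`✖ ${n} problem${n === 1 ? "" : "s"} (${n} error${n === 1 ? "" : "s"}, 0 warnings)`);
  return lines.join("\n");
}

// Constructed sample input: one obvious placeholder and one realistic-looking value.
const sampleFile = {
  filePath: "SECRET.txt",
  content: "export SECRET=dummy_secret_123\nexport SECRET=s3cr3t_value\n",
};

// The rule entries discussed above, applied to the same file.
const configs = {
  plain: { id: exampleRule.id },
  withAllows: { id: exampleRule.id, options: { allows: ["/dummy_secret/i"] } },
  withAllowMessageIds: { id: exampleRule.id, allowMessageIds: ["EXAMPLE_MESSAGE"] },
};

for (const [name, cfg] of Object.entries(configs)) {
  console.log(`--- ${name}`);
  console.log(formatStylish(lintFile(sampleFile, cfg)));
}
```

The point the example makes is the difference between the two suppression mechanisms: `allows` removes specific matched text from consideration, so the realistic-looking value on line 2 is still reported, whereas `allowMessageIds` silences every report carrying that message id, which is the blunter tool and should be used with that in mind.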
Secretlint rules are implemented as separate modules.
Secretlint also provides a rule preset that includes the recommended rule set.
You can create your own secretlint rule.
If you need a secretlint rule tailored to your project, you can write one: a secretlint rule is just an npm package.
To learn how to create a secretlint rule, please see docs/secretlint-rule.md.
You can use Secretlint with a pre-commit tool. This prevents committing secret data by linting with Secretlint before the commit is created.
Applying secretlint to a project improves security for the whole team.
Use Case: If you want to introduce secretlint to a Node.js project, this combination is useful.
Install Husky and lint-staged:
```sh
npm install husky lint-staged --save-dev
```
Edit `package.json`:
```json
{
  // ...
  "husky": {
    "hooks": {
      "pre-commit": "lint-staged"
    }
  },
  "lint-staged": {
    "*": [
      "secretlint"
    ]
  }
}
```
This means that each staged file is checked by Secretlint before commit.
Use Case: You have a project that is developed with Docker. Secretlint is easy to integrate.
Install pre-commit:
```sh
# macOS. see also https://pre-commit.com/#install
brew install pre-commit
```
Create `.pre-commit-config.yaml`:
```yaml
- repo: local
  hooks:
    - id: secretlint
      name: secretlint
      language: docker_image
      entry: secretlint/secretlint:latest secretlint
```
Example setup repository:
Alternatively, you can save this script as `.git/hooks/pre-commit` and give it execute permission (`chmod +x .git/hooks/pre-commit`):
```sh
#!/bin/sh
FILES=$(git diff --cached --name-only --diff-filter=ACMR | sed 's| |\\ |g')
[ -z "$FILES" ] && exit 0
# Secretlint all selected files
echo "$FILES" | xargs ./node_modules/.bin/secretlint
# If you are using docker:
# echo "$FILES" | xargs docker run -v `pwd`:`pwd` -w `pwd` --rm secretlint/secretlint secretlint
RET=$?
if [ $RET -eq 0 ] ;then
  exit 0
else
  exit 1
fi
```
Use Case: If you want to check any project with secretlint, you can use global git hooks.
Git 2.9+ supports `core.hooksPath`, which allows integrating secretlint globally.
We have created an example git hooks project using secretlint + Docker.
You can set it up with the following steps:
```sh
git clone https://github.com/secretlint/git-hooks git-hooks
cd git-hooks
git config --global core.hooksPath $(pwd)/hooks
```
After setting `core.hooksPath`, secretlint checks any file before you commit it.
For more details, see the secretlint/git-hooks project.
The Node.js version can also be used as a global git hook. If you are interested, please see @azu/git-hooks.
If you have already set up secretlint using Node.js, you can run secretlint with your configuration on GitHub Actions.
Put `.github/workflows/secretlint.yml` in your repository:
```yaml
name: Secretlint
on: [push, pull_request]
env:
  CI: true
jobs:
  test:
    name: "Secretlint"
    runs-on: ubuntu-18.04
    strategy:
      matrix:
        node-version: [12]
    steps:
      - name: checkout
        uses: actions/checkout@VERSION # action version not recoverable from the page
      - name: setup Node ${{ matrix.node-version }}
        uses: actions/setup-node@VERSION # action version not recoverable from the page
        with:
          node-version: ${{ matrix.node-version }}
      - name: Install
        run: npm install
      - name: Lint with Secretlint
        run: npx secretlint "**/*"
```
This configuration also integrates pull request review comments via actions/setup-node.
The Secretlint project follows Semantic Versioning, except for secretlint-rule-preset-canary. In other respects, secretlint is no different from most semver projects.
Secretlint adopts an opt-in approach.
In our experience, linting tools that report many errors by default are difficult to adopt. The opt-in approach helps you introduce Secretlint incrementally.
It also helps reduce false positives through configuration.
We think of a rule as documentation, so each rule should have reasonable documentation.
We need to describe why a given file is an error. A rule without documentation is just an opinion.
Describing the reason for an error leads to fewer false-positive errors.
Secretlint CLI also supports hyperlinks in the terminal, so you can jump to the rule documentation directly from a lint error message.
Example on iTerm 2: Cmd + Click the error's messageId to open AWSSecretAccessKey in your browser.
To check whether your terminal is supported, please see Hyperlinks in Terminal Emulators.
Contributions to the secretlint documentation are also welcome!
Of course, secretlint also supports Docker.
See the Releases page.
Pull requests and stars are always welcome.
For bugs and feature requests, please create an issue.
See also CONTRIBUTING.md and CODEOFCONDUCT.md.
MIT © azu