
noSecrets

Diagnostic Category: lint/nursery/noSecrets

Since: v1.9.0

Sources:

Disallow usage of sensitive data such as API keys and tokens.

This rule checks for high-entropy strings and matches common patterns for secrets, including AWS keys, Slack tokens, and private keys. It aims to help users identify immediate potential secret leaks in their codebase, especially for those who may not be aware of the risks associated with sensitive data exposure.

The following list contains the patterns we detect:

  • JSON Web Token (JWT): Tokens in the format of ey...
  • Base64-encoded JWT: Base64-encoded JWT tokens with various parameters (alg, aud, iss, etc.)
  • Slack Token: Tokens such as xox[baprs]-...
  • Slack Webhook URL: URLs like https://hooks.slack.com/services/...
  • GitHub Token: GitHub tokens with lengths between 35-40 characters
  • Twitter OAuth Token: Twitter OAuth tokens with lengths between 35-44 characters
  • Facebook OAuth Token: Facebook OAuth tokens with possible lengths up to 42 characters
  • Google OAuth Token: Google OAuth tokens in the format ya29...
  • AWS API Key: Keys that begin with AKIA followed by 16 alphanumeric characters
  • Passwords in URLs: Passwords included in URL credentials (protocol://user:pass@...)
  • Google Service Account: JSON structure with the service-account identifier
  • Twilio API Key: API keys starting with SK... followed by 32 characters
  • RSA Private Key: Key blocks that start with -----BEGIN RSA PRIVATE KEY-----
  • OpenSSH Private Key: Key blocks that start with -----BEGIN OPENSSH PRIVATE KEY-----
  • DSA Private Key: Key blocks that start with -----BEGIN DSA PRIVATE KEY-----
  • EC Private Key: Key blocks that start with -----BEGIN EC PRIVATE KEY-----
  • PGP Private Key Block: Key blocks that start with -----BEGIN PGP PRIVATE KEY BLOCK-----

In addition to detecting the above patterns, we also employ a string entropy checker to catch potential secrets based on their entropy (randomness). The entropy checker is configurable through the Options, allowing customization of thresholds for string entropy to fine-tune detection and minimize false positives.

While this rule helps with most common cases, it is not intended to handle all of them. Therefore, always review your code carefully and consider implementing additional security measures, such as automated secret scanning in your CI/CD and git pipeline.

Some recommended tools for more comprehensive secret detection include:

  • SonarQube: Clean Code scanning solution with a secret scanner (Community version).
  • Gitleaks: A mature secret scanning tool.
  • Trufflehog: A tool for finding secrets in git history.
  • Sensleak: A Rust-based solution for secret detection.
Examples

Invalid:

const secret = "AKIA1234567890EXAMPLE";
code-block.js:1:16 lint/nursery/noSecrets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Potential secret found.

> 1 │ const secret = "AKIA1234567890EXAMPLE";
^^^^^^^^^^^^^^^^^^^^^^^
2 │

Type of secret detected: AWS API Key

Storing secrets in source code is a security risk. Consider the following steps:
1. Remove the secret from your code. If you’ve already committed it, consider removing the commit entirely from your git tree.
2. If needed, use environment variables or a secure secret management system to store sensitive data.
3. If this is a false positive, consider adding an inline disable comment, or tweak the entropy threshold. See options in our docs.
This rule only catches basic vulnerabilities. For more robust, proper solutions, check out our recommendations at: https://biomejs.dev/linter/rules/no-secrets/#recommendations

Valid:

const nonSecret = "hello world";
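To make the two detection strategies described above concrete, here is an added illustration in JavaScript. It is not Biome's implementation: the regexes only cover a handful of the listed patterns, the string-literal matcher is simplified, and the entropy threshold (4.0 bits per character) and minimum length (20) are assumptions chosen for this demo.

```javascript
// Added example, not Biome's code. Patterns below follow the descriptions in
// the list above (AWS: "AKIA" + 16 alphanumerics, Slack: "xox[baprs]-...",
// JWT: "ey...", Google: "ya29...", credentials in URLs, RSA key header).
const PATTERNS = [
  { type: "AWS API Key", re: /AKIA[0-9A-Z]{16}/ },
  { type: "Slack Token", re: /\bxox[baprs]-[0-9A-Za-z-]{10,}\b/ },
  { type: "JSON Web Token (JWT)", re: /\bey[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*/ },
  { type: "Google OAuth Token", re: /\bya29\.[0-9A-Za-z_-]+/ },
  { type: "Passwords in URLs", re: /[a-z][a-z0-9+.-]*:\/\/[^\s:@/]+:[^\s:@/]+@/i },
  { type: "RSA Private Key", re: /-----BEGIN RSA PRIVATE KEY-----/ },
];

// Shannon entropy in bits per character. Random-looking material (keys,
// tokens) scores high; natural-language text scores low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) ?? 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Scan one line of source. Only string literals are inspected; a literal is
// first matched against the known patterns, and otherwise flagged when it is
// long, whitespace-free and above the (assumed) entropy threshold. The
// whitespace check is one cheap way to keep prose out of the entropy path.
function scanLine(line, { threshold = 4.0, minLength = 20 } = {}) {
  const findings = [];
  const literalRe = /["'`]([^"'`\n]+)["'`]/g;
  for (const m of line.matchAll(literalRe)) {
    const literal = m[1];
    const hit = PATTERNS.find((p) => p.re.test(literal));
    if (hit) {
      findings.push({ type: hit.type, value: literal });
    } else if (literal.length >= minLength && !/\s/.test(literal)) {
      const entropy = shannonEntropy(literal);
      if (entropy >= threshold) {
        findings.push({ type: "High entropy string", value: literal, entropy });
      }
    }
  }
  return findings;
}
```

Running `scanLine` over the page's own invalid and valid examples reports an "AWS API Key" for the first and nothing for the second; a 32-character constructed token with no repeated characters scores exactly 5 bits per character and is caught by the entropy path alone.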