A JavaScript implementation of Yelp's detect-secrets tool, with no Python dependency required.
This package provides the same functionality as Yelp's detect-secrets but implemented in JavaScript using WebAssembly technology, eliminating the need for Python installation.
- No Python Required: Uses WebAssembly to run the scanning code directly in Node.js
- Easy Installation: Simple npm installation with no external dependencies
- Fast Scanning: Efficiently scans files and directories for secrets
- Customizable: Configure exclusions, scan specific directories, and more
- False Positive Detection: Identifies likely false positives to reduce noise
- Missed Secret Detection: Optional detection of patterns that might be missed by the main scanner
- Compatible API: Similar interface to Yelp's detect-secrets for easy migration
- Memory Efficient: Automatically skips binary files and handles large codebases
```bash
npm install -g secure-scan-js
```
```bash
# Scan the current directory
secure-scan-js

# Scan a specific directory
secure-scan-js --directory ./src

# Exclude specific files or directories
secure-scan-js --exclude-files "*.test.js,*.spec.js" --exclude-dirs "node_modules,dist"

# Check for potentially missed secrets
secure-scan-js --check-missed

# Save results to a file
secure-scan-js --output results.json

# Enable file size limits to prevent memory issues with very large files
secure-scan-js --limit-file-size

# Set a custom maximum file size (in KB) when limits are enabled
secure-scan-js --limit-file-size --max-file-size 2048
```
```javascript
const detectSecrets = require("secure-scan-js");

async function scanMyProject() {
  // Initialize the WebAssembly module (required before scanning)
  await detectSecrets.initialize();

  // Scan a directory
  const results = await detectSecrets.scanDirectory("./src", {
    excludeFiles: ["*.test.js", "*.spec.js"],
    excludeDirs: ["node_modules", "dist"],
    checkMissed: true,
    limitFileSize: false, // Set to true to enable file size limits
    maxFileSize: 2 * 1024 * 1024, // Custom max file size in bytes (2MB) when limits are enabled
  });
  console.log(`Found ${results.secrets.length} secrets`);

  // Scan a specific file
  const fileResults = await detectSecrets.scanFile("./config.js");

  // Scan a string
  const contentResults = await detectSecrets.scanContent(
    'const apiKey = "1234567890abcdef";',
    "example.js"
  );
}

scanMyProject().catch(console.error);
```
| Option | CLI Flag | Description |
|---|---|---|
| `directory` | `-d, --directory <path>` | Directory to scan (default: current directory) |
| `root` | `-r, --root` | Scan from project root |
| `excludeFiles` | `-e, --exclude-files <patterns>` | File patterns to exclude (comma-separated) |
| `excludeDirs` | `-x, --exclude-dirs <patterns>` | Directory patterns to exclude (comma-separated) |
| `checkMissed` | `-m, --check-missed` | Check for potentially missed secrets |
| `verbose` | `-v, --verbose` | Include additional information |
| `output` | `-o, --output <file>` | Output file path |
| `limitFileSize` | `-l, --limit-file-size` | Enable file size limits to prevent memory issues |
| `maxFileSize` | `--max-file-size <size>` | Maximum file size to scan in KB (default: no limit) |
This package implements the same secret detection patterns as Yelp's detect-secrets but uses WebAssembly technology to eliminate the Python dependency. The scanning is performed using a combination of regex patterns to detect common secret formats.
The first time you run the tool, it will download and initialize the WebAssembly environment. This may take a few seconds, but subsequent runs will be faster.
By default, the tool will scan all files regardless of size, but you can enable memory protection features:
- Binary File Detection: Automatically skips binary files like images, executables, and compressed files
- Optional Size Limits: Use `--limit-file-size` to enable file size limits
- Custom Size Limits: Set your own maximum file size with `--max-file-size`
- Automatic Truncation: Very large text files can be truncated to prevent memory issues
The tool can detect a wide range of secrets, including:
- API Keys (Google, Stripe, etc.)
- AWS Access Keys and Secret Keys
- Private Keys (RSA, DSA, etc.)
- Database Connection Strings
- JWT Tokens
- GitHub Tokens
- OAuth Tokens
- Generic Passwords and Secrets
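
The regex scanning and memory-protection steps described above, sketched as an added example that is not the package's own code: the three patterns, the NUL-byte binary check, the placeholder heuristic and the truncate-at-limit behaviour are all assumptions chosen for illustration. It also shows the trade-off of size limits: a secret past the cut-off goes unreported.

```javascript
// Added example: illustrative patterns, not the package's actual rule set.
const PATTERNS = [
  { type: "AWS Access Key ID", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { type: "GitHub Token", re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { type: "Private Key", re: /-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----/g },
];

// Assumed heuristic: a NUL byte in the first 8 KB marks the file as binary.
const looksBinary = (buf) => buf.subarray(0, 8192).includes(0);

// Assumed heuristic: placeholder-looking values are flagged, not dropped.
const likelyFalsePositive = (v) => /example|dummy|placeholder|x{6,}/i.test(v);

function scanBuffer(buf, filename, { limitFileSize = false, maxFileSize = 1024 * 1024 } = {}) {
  if (looksBinary(buf)) return { skipped: "binary", truncated: false, secrets: [] };
  // Assumption: with limits on, only the first maxFileSize bytes are scanned.
  const truncated = limitFileSize && buf.length > maxFileSize;
  const text = (truncated ? buf.subarray(0, maxFileSize) : buf).toString("utf8");
  const secrets = [];
  text.split("\n").forEach((line, i) => {
    for (const { type, re } of PATTERNS) {
      for (const m of line.matchAll(re)) {
        secrets.push({
          type, filename, line: i + 1,
          preview: m[0].slice(0, 8) + "...", // never emit the full match
          likelyFalsePositive: likelyFalsePositive(m[0]),
        });
      }
    }
  });
  return { skipped: null, truncated, secrets };
}

// Constructed sample inputs (no real credentials).
const SAMPLE_TEXT = Buffer.from([
  'const docKey = "AKIAIOSFODNN7EXAMPLE";', // AWS's documented placeholder key
  "// padding ".repeat(20),
  'const key = "' + "AKIA" + "Q7R2M4T8V1Z5K9W3" + '";', // constructed, random-looking
].join("\n"));
const SAMPLE_BINARY = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x00, 0x1a]);

console.log(scanBuffer(SAMPLE_TEXT, "config.js"));
console.log(scanBuffer(SAMPLE_TEXT, "config.js", { limitFileSize: true, maxFileSize: 64 }));
console.log(scanBuffer(SAMPLE_BINARY, "logo.png"));
```

With the 64-byte limit the second key on line 3 is never read, so a clean result from a size-limited scan only covers the bytes that were actually scanned.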
You can run basic tests with:
```bash
cd wasm-version
npm run build
node test/test.js
```
This package is inspired by and compatible with Yelp's detect-secrets but offers several advantages:
- No Python Dependency: Works without requiring Python installation
- Easier Installation: Simple npm installation process
- JavaScript Native: Fully integrated with Node.js ecosystem
- Similar Detection Patterns: Implements the same secret detection patterns
- Memory Efficient: Better handling of large repositories and binary files
- Removed example files containing secrets to avoid GitHub secret scanning
- Updated test files to use safe example values
- Fixed repository URLs
- Removed default file size limits to scan all files by default
- Added comprehensive secret type documentation
- Fixed minor bugs and improved error handling
- Complete rewrite using WebAssembly technology
- Removed Python dependency requirement
- Enhanced pattern matching for better secret detection
- Improved performance and cross-platform compatibility
- Added memory-efficient handling of large repositories
MIT