DEV Community

azu
Secretlint prevents committing your {npm,AWS,GCP,slack,ssh} credentials

Secretlint 1.0.0 is released 🎉

Secretlint is a pluggable linting tool that prevents committing credentials such as SSH private keys, GCP access tokens, AWS access tokens, Slack tokens, and npm auth tokens.

Here is a demo of Secretlint preventing a Slack access token from being committed.

What is Secretlint?

Secretlint is a pluggable linting tool to prevent committing credentials.
It is similar to ESLint or textlint.

💡 Secretlint's primitive feature is to scan your files and report any credentials found in them.

You can run Secretlint with a one-line command.

If you already have Docker installed:

docker run -v `pwd`:`pwd` -w `pwd` --rm -it secretlint/secretlint secretlint "**/*"

If you already have Node.js installed:

npx @secretlint/quick-start "**/*"

Secretlint reports an error if your files include credentials such as SSH private keys, GCP access tokens, AWS access tokens, Slack tokens, and npm auth tokens,
because they are secret data!

For more details, please see the Installation guide.

We provide Secretlint as a Docker image and a Node.js CLI.
In the near future, we will also provide a single-binary edition of Secretlint.

If your files include credentials, Secretlint reports them.

Secretlint error report

Why Secretlint?

Credential scanner tools already exist, such as awslabs/git-secrets, truffleHog, detect-secrets, and more.

Secretlint has a philosophy:

  • Reduce false positives of linting
  • Integrate into the development workflow
  • Empower users to contribute

Reduce false positives of linting

In our experience, false positives are the biggest issue with linting tools.
(Secretlint's creator is also the creator of textlint.)
So we are working to reduce false positives in Secretlint rules.

Secretlint adopts opt-in instead of opt-out.
That means you select the rules you want and introduce them yourself.
However, selecting everything is hard, so we also provide a recommended rule set.

Currently, Secretlint has implemented the following rules.

Integrate into the development workflow

Secretlint is a project-friendly tool.
It is easy to integrate with your CI service, such as CircleCI or GitHub Actions.
If a pull request includes credentials, the CI run fails.

For more details, see the following document.

You can also integrate Secretlint with a Git pre-commit hook.
This integration prevents you from committing credentials into your project.

Sensitive data that has already been pushed cannot be fully removed from a GitHub repository without contacting GitHub Support.
So a pre-commit hook is the best way to prevent committing credentials in the first place.

For more details, see the following document.

Empower users to contribute

Secretlint adopts a pluggable architecture,
so you can write your own Secretlint rule and use it.

The following development guide describes how to create a Secretlint rule.

This concept also shapes the Secretlint core implementation.
@secretlint/core has no built-in rules.
Instead, we created @secretlint/secretlint-rule-preset-recommend as a separate package.

Next steps for Secretlint

Secretlint is still at an early stage.
We will keep improving Secretlint toward continuous security.

If you want to contribute, please see the issues labeled good first issue and help wanted.
