noSecrets
Diagnostic Category: lint/nursery/noSecrets
Since: v1.9.0
Sources:
- Inspired from: no-secrets/no-secrets
Disallow usage of sensitive data such as API keys and tokens.
This rule checks for high-entropy strings and matches common patterns for secrets, such as AWS keys, Slack tokens, and private keys.
While this rule is helpful, it’s not infallible. Always review your code carefully and consider implementing additional security measures like automated secret scanning in your CI/CD and git pipeline, such as GitGuardian or GitHub protections.
Examples
Invalid
code-block.js:1:16 lint/nursery/noSecrets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠ Potential secret found.
> 1 │ const secret = "AKIA1234567890EXAMPLE";
│ ^^^^^^^^^^^^^^^^^^^^^^^
2 │
ℹ Type of secret detected: AWS API Key
ℹ Storing secrets in source code is a security risk. Consider the following steps:
1. Remove the secret from your code. If you’ve already committed it, consider removing the commit entirely from your git tree.
2. If needed, use environment variables or a secure secret management system to store sensitive data.
3. If this is a false positive, consider adding an inline disable comment.