@glideco/secrets-scan
v0.1.0
Denylist + entropy secret scanner for Glide. Catches JWT, AWS/Stripe/GitHub/Slack/GCP/Anthropic/OpenAI keys, OAuth codes, PEM blocks, EVM/Solana private keys, and bearer tokens before they leak to logs or audit streams.
Denylist + entropy secret scanner. Catches JWT, AWS/Stripe/GitHub PAT/Slack/GCP/Anthropic/OpenAI keys, OAuth codes, PEM blocks, EVM/Solana private keys, and bearer tokens before they leak to logs, audit streams, or other observability surfaces.
Used by:
- The Glide Trust Console scanner pipeline (every ReasoningStepEvent.excerpt runs through scan() before persistence).
- The Cathedral CI gate (scripts/scan-secrets.mjs — runs on every PR).
- Self-hosters via the @glideco/secrets-scan npm package.
Install
npm install @glideco/secrets-scan
Usage
import { scan } from '@glideco/secrets-scan';
const result = scan('AWS_KEY=AKIAIOSFODNN7EXAMPLE token=ghp_xxx');
console.log(result.redactions);
// [
// { kind: 'aws-access-key', match: 'AKIAIOSFODNN7EXAMPLE', start: 8, end: 28, ... },
// { kind: 'github-pat', match: 'ghp_xxx', start: 35, end: 42, ... },
// ]
console.log(result.redacted);
// 'AWS_KEY=[REDACTED:aws-access-key] token=[REDACTED:github-pat]'
Two-pass design
- Denylist pass — known-format secrets matched against curated regexes (JWT, PEM, AWS, Stripe, GitHub, Slack, GCP, Anthropic, OpenAI, OAuth code, EVM/Solana priv key, bearer token).
- Entropy pass — high-entropy opaque blobs (≥ 4.5 bits/char × ≥ 30 chars) matched only on tokens not already in a denylist range. Disable via disableEntropy: true if your input is naturally high-entropy (e.g. base64-encoded payloads).
Concurrent-safe
Each scan() call clones every denylist regex so concurrent invocations cannot race on the shared lastIndex state of a stateful global RegExp. Trust Console event ingestion runs in parallel under load; sharing lastIndex would make the second concurrent scan's first-match index non-deterministic.
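A sketch of the two-pass design and the per-call regex clone described above, added here as an illustration and not taken from the package's source. The simplified AWS pattern, the candidate-token rule and the function names (scanSketch, firstMatchShared, entropyBitsPerChar) are assumptions; the 4.5 bits/char and 30-char thresholds and the disableEntropy option come from this README.

```javascript
// Added sketch, not the package's code. Pattern and token rule are simplified assumptions.
const AWS_KEY = /\bAKIA[0-9A-Z]{16}\b/g; // shared, stateful (global flag keeps lastIndex)

// Shannon entropy of a string in bits per character.
function entropyBitsPerChar(s) {
  const chars = [...s];
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / chars.length) * Math.log2(n / chars.length);
  return h;
}

// Unsafe pattern: exec() on the shared regex resumes from the previous call's lastIndex.
function firstMatchShared(text) {
  const m = AWS_KEY.exec(text);
  return m ? m.index : -1;
}

// Two-pass scan. The denylist regex is cloned per call, so lastIndex always starts at 0.
function scanSketch(text, { disableEntropy = false } = {}) {
  const re = new RegExp(AWS_KEY.source, AWS_KEY.flags);
  const hits = [];
  for (const m of text.matchAll(re)) {
    hits.push({ kind: 'aws-access-key', start: m.index, end: m.index + m[0].length });
  }
  if (disableEntropy) return hits;
  const denied = hits.slice(); // ranges already claimed by the denylist pass
  for (const m of text.matchAll(/[A-Za-z0-9+\/_-]{30,}/g)) {
    const start = m.index;
    const end = start + m[0].length;
    const overlaps = denied.some((h) => start < h.end && h.start < end);
    if (!overlaps && entropyBitsPerChar(m[0]) >= 4.5) {
      hits.push({ kind: 'high-entropy', start, end });
    }
  }
  return hits;
}

// Constructed sample inputs (not real credentials).
const KEY_LINE = 'key=AKIAIOSFODNN7EXAMPLE';
const BLOB = 'q7Zp2LxV9mKc4RtY8wBn3HsD6fGj5NaE'; // 32 distinct characters
// Same input twice on the shared regex: the first call finds the key, the second misses it.
console.log(firstMatchShared(KEY_LINE), firstMatchShared(KEY_LINE));
console.log(scanSketch(KEY_LINE), scanSketch('session=' + BLOB));
```
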
License
MIT — see LICENSE.
Source
This package lives in the Glide OSS Cathedral monorepo.
