fixyoursecret

v0.4.3

Published

a month ago

CLI tool to detect leaked secrets, frontend exposure, and generate safe fixes.

Downloads

0High
0Medium
0Low

ssanidhya0407

security cli secrets lint devsecops sast

FixYourSecret

An ESLint-style CLI that finds leaked credentials, flags frontend exposure, suggests fixes, and helps rotate keys safely.

What Problem This Solves

Developers accidentally commit API keys, tokens, or private keys. That leads to abuse, unexpected costs, and incident response fire drills.

FixYourSecret helps teams catch these mistakes early and fix them with clear next steps.

Why This Is Stronger Now

Expanded provider detector coverage significantly.
Added benchmark-driven quality gates (npm run benchmark) so quality is measured every release.
Added CI threshold enforcement for recall/precision.
Added Verification v2 provider-safe checks for higher-confidence findings.
Added weekly 500-repo regression quality gate.

Detector Coverage

FixYourSecret currently includes detector coverage for:

OpenAI
Google
AWS Access Key IDs
Stripe Secret Keys
Slack Tokens
GitHub Tokens
GitLab Tokens
Twilio API Keys
SendGrid API Keys
Mailgun API Keys
Anthropic API Keys
Cohere API Keys
Hugging Face Tokens
Telegram Bot Tokens
npm Tokens
Private Key Blocks
Generic High-Entropy Tokens

What You Get

Fast secret scanning with file/line/snippet output
Frontend exposure risk highlighting
Optional safe verification mode (--verify safe)
First-class history scanning (history)
Better false-positive controls (hints + suppressions + defaults)
Baseline support for gradual rollout
SARIF output for CI/security platforms
Template-based fix generation (fix)
Guided key rotation (rotate)

Install

npm install
npm test
npm link

You can run either command name (compatibility included):

fixyoursecret --help
secretlint --help

Quick Start

fixyoursecret init
fixyoursecret scan --verify safe
fixyoursecret history 30
fixyoursecret fix
fixyoursecret rotate openai --dry-run
fixyoursecret hook install

Quality and Benchmarks

Run quality checks locally:

npm run quality

Run benchmark only:

npm run benchmark

Run multi-repo tuning report:

npm run tune:multi

Run large-scale corpus tuning (parallel clone + scan):

npm run tune:large

Generate and run 500-repo corpus:

npm run corpus:generate
npm run tune:500

Quick large-scale pass:

npm run tune:large:quick

Weekly regression check sequence (same as CI):

npm run tune:500:quick
npm run regression:check

CI quality gate thresholds (defaults):

Recall >= 0.95
Precision >= 0.95

These can be tuned via env vars:

BENCH_MIN_RECALL
BENCH_MIN_PRECISION

Tuning workflow docs:

./docs/tuning/process.md
Large corpus list: ./fixtures/tuning/repos.large.json

Command Cheat Sheet

| Command | Purpose | Example | |---|---|---| | fixyoursecret init | Create default config and baseline files | fixyoursecret init --force | | fixyoursecret scan | Scan current working tree | fixyoursecret scan --verify safe | | fixyoursecret history <n> | Scan files touched in last n commits | fixyoursecret history 50 --verify safe | | fixyoursecret ci | CI-focused SARIF scan | fixyoursecret ci --output-file fixyoursecret.sarif | | fixyoursecret fix | Generate backend proxy + frontend patch helper | fixyoursecret fix --output fixyoursecret-output | | fixyoursecret rotate <provider> | Rotate and update env safely | fixyoursecret rotate openai --dry-run | | fixyoursecret hook install | Install pre-commit secret scan hook | fixyoursecret hook install |

Scan Options

fixyoursecret scan [options]

--format text|json|sarif
--output-file <path>
--fail-on low|medium|high
--config <path>
--verify none|safe
--verify-strict
--staged
--tracked
--history <n>
--baseline <path>
--update-baseline
--no-baseline

Verification Mode (Optional)

--verify safe performs provider-safe local structure checks for supported detectors (no external API calls), including tighter checks for OpenAI, GitHub, Slack, and Stripe.

Use --verify-strict to drop findings that fail verification.

Config (`.fixyoursecretrc.json`)

{
  "ignorePaths": ["node_modules/**", ".git/**", ".cache/**", "dist/**", "build/**", ".next/**", "coverage/**", "vendor/**", "tmp/**"],
  "allowedExtensions": [".js", ".ts", ".jsx", ".tsx", ".env", ".swift"],
  "maxFileSizeKB": 256,
  "entropyThreshold": 3.8,
  "failOn": "high",
  "verifyMode": "none",
  "ignoreDetectors": [],
  "ignoreValueHints": ["example", "dummy", "fake", "sample", "replace_in_runtime_only"],
  "suppressions": [
    { "path": "test/" },
    { "path": "tests/" },
    { "path": "__tests__/" },
    { "path": "fixtures/" }
  ]
}

Inline suppression comments supported:

// fixyoursecret-disable-next-line
const token = "fake_token_for_docs_only";

CI Integration

Workflow file included:

./.github/workflows/fixyoursecret-ci.yml

It runs tests, benchmark gate, scan, and uploads SARIF.

Automated npm release workflow:

./.github/workflows/release-publish.yml
Triggered by pushing version tags like v0.4.1

Publish

npm ci
npm run quality
npm pack --dry-run
npm publish --access public

Notes

Existing users of secretlint command are still supported via alias.
Brand chosen to avoid naming collision with existing Secretlint ecosystem tooling.

License

MIT. See LICENSE.