secure-push-guard
v1.0.1
Published
Git-integrated security scanner for detecting secrets and unsafe code before commit
Downloads
177
Readme
🔐 SecurePush
SecurePush is a Git-integrated security scanner that prevents insecure code and sensitive information from entering version control. It automatically scans staged files before commits and blocks high-risk changes using Husky pre-commit hooks.
Features
AST-Based Security Analysis
SecurePush uses Abstract Syntax Tree (AST) traversal to detect:
- Hardcoded secrets
- Dangerous
eval()usage - Unsafe
innerHTMLassignments
Rule-Based Security Detection
Detects common security risks such as:
- MongoDB connection URIs
- Sensitive committed files (
.env,.pem,.key) - Debugger statements
Entropy Analysis
Identifies suspicious high-entropy strings that may represent:
- API Keys
- JWT Tokens
- Access Tokens
- Secrets
Git Hook Integration
Automatically scans staged files before every commit using Husky.
Custom Ignore System
Supports repository-specific exclusions through:
.secureignoreCommit Protection
Blocks commits when HIGH or MEDIUM severity issues are detected.
Architecture
Git Commit
│
▼
Husky Pre-Commit Hook
│
▼
SecurePush Scanner
│
├── AST Analysis
├── Regex Rules
├── Entropy Analysis
└── Sensitive File Detection
│
▼
Security Report
│
▼
Allow Commit / Block CommitInstallation
Clone the repository:
git clone https://github.com/Mayank-path/SECURE_PUSH.git
cd SECURE_PUSHInstall dependencies:
npm installVerify the installation:
npm run scanUsage
Scan staged files:
node bin/index.jsCommit normally:
git add .
git commit -m "message"SecurePush will automatically run before the commit is created.
Example Security Detection
Hardcoded Secret
const password = "admin123";Output:
[HIGH] AST Hardcoded Secret
[BLOCKED] Push blocked due to security issuesDangerous Eval
eval("console.log('danger')");Output:
[HIGH] AST Dangerous EvalUnsafe innerHTML
document.body.innerHTML = userInput;Output:
[MEDIUM] AST Unsafe innerHTMLScreenshots
Security Issues Detected
Commit Blocked
Clean Security Scan
Supported Detections
| Severity | Detection | | -------- | ------------------------ | | HIGH | AST Hardcoded Secret | | HIGH | AST Dangerous Eval | | HIGH | MongoDB URI | | HIGH | Sensitive File Committed | | MEDIUM | AST Unsafe innerHTML | | MEDIUM | High Entropy Secret | | LOW | Debugger Statement |
Project Structure
SECURE_PUSH
│
├── bin
│ └── index.js
│
├── src
│ ├── astScanner.js
│ ├── entropy.js
│ ├── git.js
│ ├── reporter.js
│ ├── rules.js
│ └── scanner.js
│
├── .husky
├── .secureignore
├── package.json
└── README.mdFuture Improvements
- Additional AST security rules
- GitHub Actions integration
- NPM package publishing
- Repository-wide audit mode
Why SecurePush?
Most secret leaks occur because sensitive data reaches Git history before review. SecurePush shifts security left by identifying vulnerabilities during development and preventing risky code from being committed in the first place.
License
This project is licensed under the MIT License.
