feat: Enhanced secret scan no longer relies on env vars #6333
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
|
This pull request adds or modifies JavaScript ( |
|
This pull request adds or modifies JavaScript ( |
pieh
reviewed
May 21, 2025
pieh
reviewed
May 21, 2025
pieh
reviewed
May 21, 2025
pieh
reviewed
May 21, 2025
pieh
reviewed
May 21, 2025
|
This pull request adds or modifies JavaScript ( |
pieh
reviewed
May 22, 2025
| // Note: Using the global flag (g) means this regex object maintains state between executions. | ||
| // We would need to reset lastIndex to 0 if we wanted to reuse it on the same string multiple times. | ||
| const likelySecretRegex = new RegExp( | ||
| `(?:["'\`]|^|[=:,]) *(?:${prefixMatchingRegex})[^ "'\`=:,]{${MIN_CHARS_AFTER_PREFIX}}[^ "'\`=:,]*?(?:["'\`]|[ =:,]|$)`, |
There was a problem hiding this comment.
Could we use capturing group for token so that we don't have to do massaging after finding a match later in?
const token = match[0].replace(/^["'`=:, ]+|["'`=:, ]+$/g, '')
Suggested change
| `(?:["'\`]|^|[=:,]) *(?:${prefixMatchingRegex})[^ "'\`=:,]{${MIN_CHARS_AFTER_PREFIX}}[^ "'\`=:,]*?(?:["'\`]|[ =:,]|$)`, | |
| `(?:["'\`]|^|[=:,]) *(?<token>(?:${prefixMatchingRegex})[^ "'\`=:,]{${MIN_CHARS_AFTER_PREFIX}}[^ "'\`=:,]*?)(?:["'\`]|[ =:,]|$)`, |
And later
-let match
+let match: RegExpExecArray | null
while ((match = likelySecretRegex.exec(line)) !== null) {
- const token = match[0].replace(/^["'`=:, ]+|["'`=:, ]+$/g, '')
+ const token = match.groups?.token
pieh
reviewed
May 22, 2025
|
This pull request adds or modifies JavaScript ( |
pieh
approved these changes
May 22, 2025
…y-on-value-being-an-env-var
|
This pull request adds or modifies JavaScript ( |
aitchiss
deleted the
suzanne/wrfl-2554-enhanced-scan-shouldnt-rely-on-value-being-an-env-var
branch
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🎉 Thanks for submitting a pull request! 🎉
Summary
Fixes https://linear.app/netlify/issue/WRFL-2554/enhanced-scan-shouldnt-rely-on-value-being-an-env-var
The users most at risk of shipping secrets to production accidentally are folks who haven't configured env vars yet. This PR switches up the implementation of the enhanced secret scan so that we don't rely on env vars at all.
Previously: all env vars checked in case they are secrets, and just haven't been marked as 'secret' by the user
Now: we check file content directly for anything that looks like a secret (based on length and prefix), and if we find one we fail the build
This PR also:
ENHANCED_SECRETS_SCAN_OMIT_VALUESandENHANCED_SECRETS_SCAN_ENABLEDto allow users to opt out of the new functionality or safelist values without sacrificing the explicit secrets env var checksFor us to review and ship your PR efficiently, please perform the following steps:
we can discuss the changes and get feedback from everyone that should be involved. If you`re fixing a typo or
something that`s on fire 🔥 (e.g. incident related), you can skip this step.
your code follows our style guide and passes our tests.
A picture of a cute animal (not mandatory, but encouraged)