Lines 4-50javascript
4const os = require('os');
5const path = require('path');
6const { execFileSync } = require('child_process');
7const SecretScanner = require('./secret-scanner');
9function createTempRepo() {
10 const rootPath = fs.mkdtempSync(path.join(os.tmpdir(), 'thuban-secret-scanner-'));
11 execFileSync('git', ['init'], { cwd: rootPath, stdio: 'ignore' });
12 execFileSync('git', ['config', 'user.email', 'test@example.com'], { cwd: rootPath, stdio: 'ignore' });
13 execFileSync('git', ['config', 'user.name', 'Test User'], { cwd: rootPath, stdio: 'ignore' });
17test('detects hardcoded secrets, .env exposure, and history leaks', async () => {
18 const rootPath = createTempRepo();
20 fs.writeFileSync(path.join(rootPath, '.gitignore'), 'node_modules/\n');
22 path.join(rootPath, 'config.js'),
24 'const stripe = "sk_live_1234567890abcdefghijklmnop";',
CriticalCritical Secret
Package contains a critical-looking secret pattern.
packages/scanner/secret-scanner.test.jsView on unpkg · L24 CriticalSecret Pattern
Stripe live secret key in packages/scanner/secret-scanner.test.js
packages/scanner/secret-scanner.test.jsView on unpkg · L24 25 'const password = "SuperSecret123!";',
MediumSecret Pattern
Hardcoded password in packages/scanner/secret-scanner.test.js
packages/scanner/secret-scanner.test.jsView on unpkg · L25 26 'const token = "Bearer abcdefghijklmnopqrstuvwxyz123456";',
27 'const db = "postgres://appuser:dbpassword@localhost:5432/app";'
30 fs.writeFileSync(path.join(rootPath, '.env'), 'API_KEY=AIzaSyA123456789012345678901234567890123\n');
HighSecret Pattern
Google API key in packages/scanner/secret-scanner.test.js
packages/scanner/secret-scanner.test.jsView on unpkg · L30 32 execFileSync('git', ['add', '.'], { cwd: rootPath, stdio: 'ignore' });
33 execFileSync('git', ['commit', '-m', 'initial'], { cwd: rootPath, stdio: 'ignore' });
35 fs.writeFileSync(path.join(rootPath, 'removed.js'), 'const oldKey = "ghp_abcdefghijklmnopqrstuvwxyz123456";\n');
36 execFileSync('git', ['add', 'removed.js'], { cwd: rootPath, stdio: 'ignore' });
37 execFileSync('git', ['commit', '-m', 'add leaked token'], { cwd: rootPath, stdio: 'ignore' });
38 fs.unlinkSync(path.join(rootPath, 'removed.js'));
39 execFileSync('git', ['add', '-A'], { cwd: rootPath, stdio: 'ignore' });
40 execFileSync('git', ['commit', '-m', 'remove leaked token'], { cwd: rootPath, stdio: 'ignore' });
42 const scanner = new SecretScanner({ rootPath });
43 const result = await scanner.scanAll();
45 assert.ok(result.issues.some((issue) => issue.type === 'Stripe Secret Key'));
46 assert.ok(result.issues.some((issue) => issue.type === 'Hardcoded Password or Secret Assignment'));
47 assert.ok(result.issues.some((issue) => issue.type === 'Database Connection String with Password'));
48 assert.ok(result.issues.some((issue) => issue.type === '.env File Present'));
49 assert.ok(result.issues.some((issue) => issue.type.includes('Git History')));
50 assert.ok(result.summary.bySeverity.critical >= 1);