secretlint

Pluggable linting tool to prevent committing credentials.

MIT License

Downloads
2.1M
Stars
810
Committers
26


secretlint - v1.0.5

Published by github-actions[bot] over 4 years ago

Bug Fixes

  • secretlint-rule-no-k8s-kind-secret: fix detect logic (d0cbab7)

secretlint - v1.0.4

Published by github-actions[bot] over 4 years ago

Bug Fixes

  • core: fix placeholder assertion for rule (c48b380), closes #116

secretlint threw the error "Error: Placeholder:{{XXX}} still existed." when the reported message still included {{XXXX}} after formatting.

This assertion logic was wrong. secretlint 1.0.4 fixes the assertion.

secretlint - v1.0.3

Published by github-actions[bot] over 4 years ago

✨ New Rules

@secretlint/secretlint-rule-no-k8s-kind-secret

@secretlint/secretlint-rule-no-k8s-kind-secret disallows Kind: Secret manifests in a repository.

A Kubernetes Kind: Secret manifest holds credentials in plain form.
The values are only base64-encoded.

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  username: YWRtaW4=
  password: MWYyZDFlMmU2N2Rm

So a Kind: Secret manifest is not a file that should be committed to a repository.

In a GitOps context, you can use another solution such as SealedSecret or Vault.
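The point about base64 shown as an added example, which is not secretlint's rule code: a line-based check that flags Kind: Secret documents and decodes their data values. The function names and the ConfigMap in the sample are assumptions made for illustration.

```javascript
// Added example: line-based check for Kubernetes `kind: Secret` manifests.
// Not secretlint's rule code; a real rule would use a YAML parser.

// Split a multi-document YAML string on `---` separator lines.
function splitDocuments(yamlText) {
  return yamlText.split(/^---[ \t]*\r?$/m).filter((doc) => doc.trim() !== "");
}

// For a top-level `kind: Secret` document, return its decoded `data:` entries;
// for any other document, return null.
function inspectSecret(doc) {
  if (!/^kind:[ \t]*["']?Secret["']?[ \t]*\r?$/m.test(doc)) return null;
  const decoded = {};
  let inData = false;
  for (const line of doc.split(/\r?\n/)) {
    if (/^data:[ \t]*$/.test(line)) { inData = true; continue; }
    if (!inData) continue;
    const m = line.match(/^[ \t]+([\w.-]+):[ \t]*["']?([A-Za-z0-9+\/=]+)["']?[ \t]*$/);
    if (m) decoded[m[1]] = Buffer.from(m[2], "base64").toString("utf8");
    else if (/^\S/.test(line)) inData = false; // next top-level key ends `data:`
  }
  return decoded;
}

// Return one decoded object per `kind: Secret` document found in the text.
function findSecrets(yamlText) {
  return splitDocuments(yamlText).map(inspectSecret).filter((r) => r !== null);
}

// Constructed sample: a ConfigMap followed by the manifest from the release note.
const sample = [
  "apiVersion: v1", "kind: ConfigMap", "metadata:", "  name: settings",
  "data:", "  mode: cHJvZA==", "---",
  "apiVersion: v1", "kind: Secret", "metadata:", "  name: mysecret",
  "type: Opaque", "data:", "  username: YWRtaW4=", "  password: MWYyZDFlMmU2N2Rm",
].join("\n");

console.log(findSecrets(sample));
```

Only the Secret document is reported, and its values come back as readable text with no key involved.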

Installation

You can install it with npm

npm install @secretlint/secretlint-rule-no-k8s-kind-secret

and edit .secretlintrc.json

{
    "rules": [
        {
            "id": "@secretlint/secretlint-rule-preset-recommend"
        },
        {
            "id": "@secretlint/secretlint-rule-no-k8s-kind-secret"
        }
    ]
}

secretlint - v1.0.1

Published by github-actions[bot] over 4 years ago

✨ New Rules

@secretlint/secretlint-rule-secp256k1-privatekey

@mtsalenc implemented @secretlint/secretlint-rule-secp256k1-privatekey in #103

This rule checks for the inclusion of secp256k1 private keys, which are used by the Bitcoin and Ethereum blockchains.

You can install it with npm

npm install @secretlint/secretlint-rule-secp256k1-privatekey

and edit .secretlintrc.json

{
    "rules": [
        {
            "id": "@secretlint/secretlint-rule-preset-recommend"
        },
        {
            "id": "@secretlint/secretlint-rule-secp256k1-privatekey"
        }
    ]
}

secretlint - v1.0.2

Published by github-actions[bot] over 4 years ago

Bug Fixes

  • secretlint-rule-secp256k1-privatekey: handle thrown exception due to invalid key (#110) (320b344)

A check was missing: secp256k1.privateKeyVerify() can also throw for invalid keys.
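The failure mode behind this fix, as an added example that is not the rule's own code: a scanner has to treat a throwing verifier the same as a "not a key" result. The privateKeyVerify function here is a hypothetical stand-in written for this example, not the secp256k1 library, and the sample text is constructed.

```javascript
// Added example. `privateKeyVerify` is a hypothetical stand-in that, like the
// library call named in the release note, may throw instead of returning false.
// Order of the secp256k1 group; a valid private key k satisfies 0 < k < n.
const SECP256K1_N = BigInt(
  "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141"
);

// Stand-in verifier: throws on wrong input shape, returns false when out of range.
function privateKeyVerify(keyBytes) {
  if (!(keyBytes instanceof Uint8Array) || keyBytes.length !== 32) {
    throw new RangeError("private key must be a 32-byte Uint8Array");
  }
  const k = BigInt("0x" + Buffer.from(keyBytes).toString("hex"));
  return k > 0n && k < SECP256K1_N;
}

// Treat a thrown exception as "not a valid key" so that one bad candidate
// cannot abort the scan of the remaining text.
function isPrivateKey(candidateHex) {
  try {
    return privateKeyVerify(Buffer.from(candidateHex, "hex"));
  } catch (error) {
    return false;
  }
}

// Collect hex runs that could be key material and keep only the valid ones.
function findPrivateKeys(text) {
  const candidates = text.match(/\b[0-9a-fA-F]{62,64}\b/g) || [];
  return candidates.filter(isPrivateKey);
}

// Constructed sample text with three candidates.
const sampleText = [
  "valid=" + "00".repeat(31) + "01", // k = 1, in range
  "short=" + "ab".repeat(31),        // 31 bytes: the verifier throws
  "big=" + "ff".repeat(32),          // k >= n: the verifier returns false
].join("\n");

console.log(findPrivateKeys(sampleText));
```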

secretlint - v1.0.0

Published by github-actions[bot] over 4 years ago

Secretlint 1.0.0 is Released 🎉

Secretlint is a pluggable linting tool to prevent committing credentials such as an SSH private key, GCP access token, AWS access token, Slack token, or npm auth token.

This is the first stable version of secretlint.
Secretlint adopts the Semantic Versioning policy.
This means that a major update includes breaking changes.

What is Secretlint?

Secretlint is a pluggable linting tool to prevent committing credentials.
Secretlint is similar to ESLint or textlint.

💡 Secretlint's basic feature is to scan your files and report the credentials in them.

You can use Secretlint with a one-line command.

If you already have Docker installed:

docker run -v `pwd`:`pwd` -w `pwd` --rm -it secretlint/secretlint secretlint "**/*"

If you already have Node.js installed:

npx @secretlint/quick-start "**/*"

Secretlint reports an error if your files include credentials such as an SSH private key, GCP access token, AWS access token, Slack token, or npm auth token.
Because it is secret data!

For more details, please see the Installation guide.

We provide Secretlint as a Docker image and a Node.js CLI.
In the near future, we will also provide a single binary edition of Secretlint.

Why Secretlint?

Credential scanner tools such as awslabs/git-secrets, truffleHog, detect-secrets, and more already exist.

Secretlint has a philosophy.

  • Reduce false positives in linting
  • Integration into the development workflow
  • Empower users to contribute

Reduce false positives in linting

In our experience, false positives are the biggest issue with linting tools.
(The creator of Secretlint is also the creator of textlint.)
So we are working to reduce false positives in secretlint rules.

Secretlint adopts opt-in instead of opt-out.
This means that you select each rule and introduce it yourself.
However, selecting everything is hard, so we also provide a recommended rule set.

Integration into the development workflow

Secretlint is a project-friendly tool.
It is easy to integrate with a CI service such as Circle CI or GitHub Actions.
If a pull request includes a credential, CI can fail it.

Also, you can integrate Secretlint with a Git pre-commit hook.
This integration prevents you from committing credentials into your project.

Empower users to contribute

Secretlint adopts a pluggable architecture.
So you can write your own secretlint rule and use it.

The development guide describes how to create a secretlint rule.

This concept also affects the secretlint core implementation.
@secretlint/core has no built-in rules.
Instead, we created @secretlint/secretlint-rule-preset-recommend as a separate package.

Next Secretlint

Secretlint is still at its first stage.
We will improve secretlint to achieve continuous security.

If you want to contribute, please see label:good first issue and help wanted.

secretlint - v0.10.1

Published by github-actions[bot] over 4 years ago

Patch Release.

No meaningful changes.

secretlint - v0.10.0 - Next is 1.0.0

Published by github-actions[bot] over 4 years ago

This may be the last minor version before 1.0.0.

Features

  • core: support locale options (256a58c)

$ secretlint --locale ja "**/*"

secretlint - v0.9.2

Published by github-actions[bot] over 4 years ago

This is a bump-only release.

No effect on users.

secretlint - v0.9.1

Published by github-actions[bot] over 4 years ago

This is a bump-only release.

secretlint - v0.9.0

Published by github-actions[bot] over 4 years ago

This release only bumps the version to 0.9.0.

We adopted a new release flow in #88.
For more details, see https://github.com/secretlint/secretlint/blob/master/CONTRIBUTING.md#release-flow

secretlint - v0.7.3

Published by github-actions[bot] over 4 years ago

secretlint - v0.7.2

Published by github-actions[bot] over 4 years ago

secretlint - v0.7.1

Published by github-actions[bot] over 4 years ago

secretlint - v0.7.0

Published by github-actions[bot] over 4 years ago

secretlint - v0.6.0

Published by github-actions[bot] over 4 years ago

secretlint - v0.5.0

Published by github-actions[bot] over 4 years ago

secretlint - v0.4.2

Published by github-actions[bot] over 4 years ago

secretlint - v0.4.1

Published by azu over 4 years ago

0.4.1 (2020-02-28)

Bug Fixes

  • aws: remove console.log (0bf11ae)

secretlint - v0.4.0

Published by azu over 4 years ago

0.4.0 (2020-02-28)

Bug Fixes

  • binary-compiler: use name includes OS (a89e599)

Features

  • core: support "disabled" options (17c1391)
  • core: support "disabledMessages" options (17de33e)
  • core: support Context#ignore method (7ca0445)
  • types: rule require messages (412803e)