
noSecrets

Summary

How to configure

biome.json
{
  "linter": {
    "rules": {
      "security": {
        "noSecrets": "error"
      }
    }
  }
}

Description

Disallow usage of sensitive data such as API keys and tokens.

This rule checks for high-entropy strings and matches common patterns for secrets, including AWS keys, Slack tokens, and private keys. It aims to help users identify potential secret leaks in their codebase early, especially users who may not be aware of the risks that come with exposing sensitive data.

Detected Secrets

The following list contains the patterns we detect:

  • JSON Web Token (JWT): tokens in the format ey...

  • Base64-encoded JWT: Base64-encoded JWT tokens with various parameters (alg, aud, iss, etc.)

  • Slack Token: tokens such as xox[baprs]-...

  • Slack Webhook URL: URLs like https://hooks.slack.com/services/...

  • GitHub Token: GitHub tokens with lengths between 35 and 40 characters

  • Twitter OAuth Token: Twitter OAuth tokens with lengths between 35 and 44 characters

  • Facebook OAuth Token: Facebook OAuth tokens with lengths up to 42 characters

  • Google OAuth Token: Google OAuth tokens in the format ya29...

  • AWS API Key: keys that begin with AKIA followed by 16 alphanumeric characters

  • Passwords in URLs: passwords embedded in URL credentials (protocol://user:pass@...)

  • Google Service Account: JSON structure carrying the service-account identifier

  • Twilio API Key: API keys starting with SK... followed by 32 characters

  • RSA Private Key: key blocks that start with -----BEGIN RSA PRIVATE KEY-----

  • OpenSSH Private Key: key blocks that start with -----BEGIN OPENSSH PRIVATE KEY-----

  • DSA Private Key: key blocks that start with -----BEGIN DSA PRIVATE KEY-----

  • EC Private Key: key blocks that start with -----BEGIN EC PRIVATE KEY-----

  • PGP Private Key Block: key blocks that start with -----BEGIN PGP PRIVATE KEY BLOCK-----

Entropy Check

In addition to matching the patterns above, the rule runs a string entropy checker to catch potential secrets based on their entropy (randomness). The entropy checker is configurable through the entropyThreshold option (see below), so the threshold can be tuned to sharpen detection and minimize false positives.

Disclaimer

While this rule helps with most common cases, it is not intended to handle all of them. Always review your code carefully and consider additional security measures, such as automated secret scanning in your CI/CD and git pipelines.

Recommendations

Some recommended tools for more comprehensive secret detection include:

  • SonarQube: Clean Code scanning solution with a secret scanner (Community version).

  • Gitleaks: a mature secret scanning tool.

  • Trufflehog: a tool for finding secrets in git history.

  • Sensleak: a Rust-based solution for secret detection.

Examples

Invalid

const secret = "AKIA1234567890EXAMPLE";

code-block.js:1:16 lint/security/noSecrets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  Potential secret found.

  > 1 │ const secret = "AKIA1234567890EXAMPLE";
      │                ^^^^^^^^^^^^^^^^^^^^^^^
    2 │

  Type of secret detected: AWS API Key

  Storing secrets in source code is a security risk. Consider the following steps:
  1. Remove the secret from your code. If you've already committed it, consider removing the commit entirely from your git tree.
  2. If needed, use environment variables or a secure secret management system to store sensitive data.
  3. If this is a false positive, consider adding an inline disable comment, or tweak the entropy threshold. See options in our docs.
  This rule only catches basic vulnerabilities. For more robust, proper solutions, check out our recommendations at: https://biome.nodejs.cn/linter/rules/no-secrets/#recommendations

Valid

const nonSecret = "hello world";
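The diagnostic above recommends moving the credential out of the source and, for genuine false positives, suppressing the finding in place. The following is an added example of both (it is not Biome's own code); the variable names AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY, the helper names, and the fixture digest are this example's own choices. The suppression comment uses Biome's `biome-ignore lint/<group>/<rule>: <reason>` syntax with the rule path shown in the diagnostic.

```javascript
// Added example: read secrets from the environment at startup and fail fast
// when one is missing, without ever echoing the value itself. Variable and
// helper names are assumptions for this example, not part of Biome.
function loadRequiredSecret(name, env = process.env) {
  const value = env[name];
  if (typeof value !== "string" || value.trim() === "") {
    // Report which variable is missing, never what it contained.
    throw new Error(`Missing required environment variable ${name}`);
  }
  return value;
}

// Redact a secret for logs: keep a short prefix so operators can tell keys
// apart, mask the rest.
function redact(secret, keep = 4) {
  if (secret.length <= keep) return "*".repeat(secret.length);
  return secret.slice(0, keep) + "*".repeat(secret.length - keep);
}

// Configuration is assembled from the environment, so no key literal ever
// lands in the repository for noSecrets (or an attacker) to find.
function buildAwsConfig(env = process.env) {
  return {
    accessKeyId: loadRequiredSecret("AWS_ACCESS_KEY_ID", env),
    secretAccessKey: loadRequiredSecret("AWS_SECRET_ACCESS_KEY", env),
  };
}

// A genuine false positive, such as a content hash in a test fixture, is
// acknowledged in place. The explanation after the colon is required.
// biome-ignore lint/security/noSecrets: sha256 digest of a test fixture, not a credential
const FIXTURE_DIGEST = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"; // constructed value

// Constructed demo environment; these are placeholders, not real credentials.
const DEMO_ENV = {
  AWS_ACCESS_KEY_ID: "AKIAEXAMPLEKEYID0001",
  AWS_SECRET_ACCESS_KEY: "example-secret-value",
};
console.log(redact(buildAwsConfig(DEMO_ENV).accessKeyId)); // AKIA****************
```

Run against a real shell the values come from `process.env`; the `DEMO_ENV` object only exists so the file runs offline. Note that `loadRequiredSecret` rejects empty and whitespace-only values as well as absent ones, which is the usual way a misconfigured container surfaces.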

Options

The rule supports the following option:

biome.json
{
  "linter": {
    "rules": {
      "security": {
        "noSecrets": {
          "options": {
            "entropyThreshold": 41
          }
        }
      }
    }
  }
}

Sets the sensitivity threshold for the high-entropy detection pass. The underlying algorithm computes an adjusted entropy score for string tokens; if the score exceeds entropyThreshold / 10 (e.g. 41 => 4.1) and the string does not match any known safe pattern, it is reported as a potential secret.

Increase the value to reduce false positives (stricter: fewer strings flagged). Decrease it to increase sensitivity (more strings flagged).

Default: 41

Example raising the threshold (fewer detections):

biome.json
{
  "linter": {
    "rules": {
      "security": {
        "noSecrets": {
          "options": {
            "entropyThreshold": 50
          }
        }
      }
    }
  }
}
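To make the two passes concrete, here is an added, self-contained scanner in the spirit of the rule. It is not Biome's implementation: the regexes approximate the families in the Detected Secrets list above, the entropy pass is plain Shannon entropy compared against entropyThreshold / 10 exactly as the Options text describes, and Biome's own "adjusted" score may differ in detail. The sample source lines are constructed for this example (the first and last are the page's Invalid and Valid snippets); none are real credentials.

```javascript
// Added example of a noSecrets-style scanner (not Biome's code). Pass 1 matches
// fixed patterns approximating the "Detected Secrets" list; pass 2 applies a
// Shannon-entropy check with the documented entropyThreshold / 10 semantics
// (41 => 4.1 bits per character). All regexes are this example's assumptions.
const PATTERNS = [
  { type: "AWS API Key", re: /\bAKIA[0-9A-Za-z]{16}/ },
  { type: "Slack Token", re: /\bxox[baprs]-[0-9A-Za-z-]{10,}/ },
  { type: "Slack Webhook URL", re: /https:\/\/hooks\.slack\.com\/services\/\S+/ },
  { type: "Google OAuth Token", re: /\bya29\.[0-9A-Za-z_.-]+/ },
  { type: "Twilio API Key", re: /\bSK[0-9A-Za-z]{32}\b/ },
  { type: "JSON Web Token (JWT)", re: /\bey[0-9A-Za-z_-]{8,}\.[0-9A-Za-z_-]{8,}\.[0-9A-Za-z_-]{8,}/ },
  { type: "Password in URL", re: /\b[a-z][a-z0-9+.-]*:\/\/[^\s:@\/]+:[^\s:@\/]+@/i },
  { type: "Google Service Account", re: /"type"\s*:\s*"service_account"/ },
  { type: "Private Key", re: /-----BEGIN (?:RSA|OPENSSH|DSA|EC|PGP) PRIVATE KEY(?: BLOCK)?-----/ },
  // GitHub, Twitter and Facebook tokens are characterised on this page by
  // length alone; with no prefix to anchor on, this example leaves them to
  // the entropy pass.
];

// An L-character string carries at most log2(L) bits per character, so a
// literal shorter than 18 characters can never exceed the default 4.1.
// Skipping short literals saves work and avoids noise on identifiers.
const MIN_LENGTH = 16;

// Shannon entropy in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) ?? 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Simplified literal extraction for "...", '...' and `...` with backslash
// escapes. Enough for this demo; a real linter works on the parsed AST.
function extractStringLiterals(source) {
  const re = /"((?:[^"\\\n]|\\.)*)"|'((?:[^'\\\n]|\\.)*)'|`((?:[^`\\]|\\.)*)`/g;
  const literals = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    const value = m[1] ?? m[2] ?? m[3];
    const line = source.slice(0, m.index).split("\n").length;
    literals.push({ value, line });
  }
  return literals;
}

// Pattern pass first (yields a named type), entropy pass second.
function classify(value, entropyThreshold) {
  for (const { type, re } of PATTERNS) {
    if (re.test(value)) return type;
  }
  if (value.length >= MIN_LENGTH && shannonEntropy(value) > entropyThreshold / 10) {
    return "High-entropy string";
  }
  return null;
}

function scanSource(source, { entropyThreshold = 41 } = {}) {
  return extractStringLiterals(source)
    .map(({ value, line }) => ({ line, value, type: classify(value, entropyThreshold) }))
    .filter((finding) => finding.type !== null);
}

// Constructed input: the page's Invalid and Valid lines plus three more
// literals. None of these are real credentials.
const SAMPLE_SOURCE = [
  'const secret = "AKIA1234567890EXAMPLE";',
  'const slack = "xoxb-000000000000-000000000000-ExampleTokenValue";',
  'const dsn = "postgres://admin:s3cr3t@db.internal:5432/app";',
  'const blob = "abcdefghijklmnopqrstuvwxyz012345";', // 32 distinct chars: exactly 5.0 bits
  'const nonSecret = "hello world";',
].join("\n");

for (const f of scanSource(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.type}`);
}
```

With the default threshold the scanner reports four of the five literals: the AWS key, the Slack token and the URL password by pattern, and the 32-character blob by entropy. Raising entropyThreshold to 51 (5.1 bits) drops the blob while the three pattern hits remain, which is the trade-off the Options text describes: the threshold only governs the entropy pass, never the named patterns.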

Related links