🐛 noSecrets false positives #4113
Comments
@SaadBazaz are you interested in looking into this?

Related to #3861

Will look into these this weekend, tomorrow most likely. I think I can find a way around for these. My proposal: We should add another heuristic called "containsSpaces" which checks only specific regexes which have the heuristic. The high entropy check should not have spaces.

Maybe JsStringIdentifier (or whichever I used in code) needs some modification? Because I don't understand how the plugins would affect that.
Great lint rule! Here's a few false positives I caught in my current project (links to playground):

2¢: character sets for custom IDs etc. That looks like a secret for sure, but it's actually a low entropy string, high in alphanumeric order, if you will.

```js
import { customAlphabet } from 'nanoid'

export const shortId = customAlphabet(
  // biome-ignore lint/nursery/noSecrets:
  '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz',
  12
)
```
Have you some entropy algorithms to suggest? |
After thinking about it for a bit, I would suggest to turn the way we detect generic secrets on its head: Secrets (by which we really mean API Keys + Tokens here, because human-readable passwords are basically impossible to detect except via contextual clues) are usually a contiguous string of text without spaces, so looking at segments delimited by Of those segments, most of them should fall into one of four classes:
So, instead of:
I would propose thinking about it as:
So, putting it all together:
Plus some filter that suppresses occurrences that
Further notes:
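An added example (not Biome's own code) of the approach sketched in the two proposals above: the entropy check runs only on whitespace-delimited segments, so a string with spaces is never scored as a whole, and a sorted character set such as the nanoid alphabet is excluded even though its Shannon entropy is maximal. The length and entropy thresholds and the `tok_...` value are assumptions constructed for the example.

```javascript
// Shannon entropy of a string in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) ?? 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Heuristic from the "2¢" comment: characters in non-decreasing code-point
// order (a sorted alphabet like '0-9A-Za-z') describe a charset, not a secret,
// even though every character is distinct and the entropy is maximal.
function isSortedCharset(s) {
  if (s.length < 8) return false;
  for (let i = 1; i < s.length; i++) {
    if (s.charCodeAt(i) < s.charCodeAt(i - 1)) return false;
  }
  return true;
}

const MIN_SEGMENT_LENGTH = 16; // assumption: tokens are rarely shorter
const ENTROPY_THRESHOLD = 4.0; // assumption: bits/char, tuned by hand

// Score whitespace-delimited segments individually instead of the whole
// literal, as the "segments" proposal suggests. Returns the segments that
// still look like a token; an empty array means the literal is not flagged.
function suspiciousSegments(literal) {
  return literal.split(/\s+/).filter(seg =>
    seg.length >= MIN_SEGMENT_LENGTH &&
    !isSortedCharset(seg) &&
    shannonEntropy(seg) >= ENTROPY_THRESHOLD
  );
}

// Literals reported in this issue (no longer flagged) and one constructed
// token-like value that should still be caught even with prose around it.
const ISSUE_FALSE_POSITIVES = [
  'Verify OTP Google Mobile Authenticator (2FAS)',
  'Verifying takes 15 approved the following 3.',
  'facebook.com |console.aws.amazon.com',
  'ISO-27001 information , GDPR',
  '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz',
];
const CONSTRUCTED_TOKEN = 'Bearer tok_9fQ2xL7vB3kZpW8mR4nT6yH1'; // constructed
```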
What happened?
Some false positives I found when turning the rule on.
- `Verify OTP Google Mobile Authenticator (2FAS)` (playground)
- `0 USD,,. for {bitlocus|string}.` (playground)
  Only occurs with an object property and not a variable, which is strange.
- `Verifying takes 15 approved the following 3.` (playground)
- `facebook.com |console.aws.amazon.com` (playground)
- `ISO-27001 information , GDPR` (playground)

There are more, but I hope fixing these would prevent most others.
Expected result
No false positives or at least fewer