feat: Enhanced secret scan no longer relies on env vars #6333

aitchiss · 2025-05-19T10:47:06Z

🎉 Thanks for submitting a pull request! 🎉

Summary

Fixes https://linear.app/netlify/issue/WRFL-2554/enhanced-scan-shouldnt-rely-on-value-being-an-env-var

The users most at risk of shipping secrets to production accidentally are folks who haven't configured env vars yet. This PR switches up the implementation of the enhanced secret scan so that we don't rely on env vars at all.

Previously: all env vars checked in case they are secrets, and just haven't been marked as 'secret' by the user
Now: we check file content directly for anything that looks like a secret (based on length and prefix), and if we find one we fail the build

This PR also:

improves logging to disambiguate "likely secrets" vs "secret env vars" detected
provides for env var ENHANCED_SECRETS_SCAN_OMIT_VALUES and ENHANCED_SECRETS_SCAN_ENABLED to allow users to opt out of the new functionality or safelist values without sacrificing the explicit secrets env var checks

For us to review and ship your PR efficiently, please perform the following steps:

Open a bug/issue before writing your code 🧑‍💻. This ensures
we can discuss the changes and get feedback from everyone that should be involved. If you`re fixing a typo or
something that`s on fire 🔥 (e.g. incident related), you can skip this step.
Read the contribution guidelines 📖. This ensures
your code follows our style guide and passes our tests.
Update or add tests (if any source code was changed or added) 🧪
Update or add documentation (if features were changed or added) 📝
Make sure the status checks below are successful ✅

A picture of a cute animal (not mandatory, but encouraged)

…et scan omit key

…l scan

github-actions · 2025-05-21T09:35:50Z

This pull request adds or modifies JavaScript (.js, .cjs, .mjs) files.
Consider converting them to TypeScript.

pieh · 2025-05-22T09:22:47Z

packages/build/src/plugins_core/secrets_scanning/utils.ts

+// Note: Using the global flag (g) means this regex object maintains state between executions.
+// We would need to reset lastIndex to 0 if we wanted to reuse it on the same string multiple times.
+const likelySecretRegex = new RegExp(
+ `(?:["'\`]|^|[=:,]) *(?:${prefixMatchingRegex})[^ "'\`=:,]{${MIN_CHARS_AFTER_PREFIX}}[^ "'\`=:,]*?(?:["'\`]|[ =:,]|$)`,


Could we use capturing group for token so that we don't have to do massaging after finding a match later in?

const token = match[0].replace(/^["'`=:, ]+|["'`=:, ]+$/g, '')

Suggested change

`(?:["'\`]|^|[=:,]) *(?:${prefixMatchingRegex})[^ "'\`=:,]{${MIN_CHARS_AFTER_PREFIX}}[^ "'\`=:,]*?(?:["'\`]|[ =:,]|$)`,

`(?:["'\`]|^|[=:,]) *(?<token>(?:${prefixMatchingRegex})[^ "'\`=:,]{${MIN_CHARS_AFTER_PREFIX}}[^ "'\`=:,]*?)(?:["'\`]|[ =:,]|$)`,

And later

-let match +let match: RegExpExecArray | null while ((match = likelySecretRegex.exec(line)) !== null) { - const token = match[0].replace(/^["'`=:, ]+|["'`=:, ]+$/g, '') + const token = match.groups?.token

packages/build/src/plugins_core/secrets_scanning/utils.ts

github-actions · 2025-05-22T09:43:32Z

This pull request adds or modifies JavaScript (.js, .cjs, .mjs) files.
Consider converting them to TypeScript.

…y-on-value-being-an-env-var

github-actions · 2025-05-23T09:05:06Z

This pull request adds or modifies JavaScript (.js, .cjs, .mjs) files.
Consider converting them to TypeScript.

aitchiss added 5 commits May 16, 2025 16:44

feat: enhanced secret scan doesn't rely on env vars

de2382f

feat: find likely secrets

0416c8a

feat: only find likely secrets when enhanced scan is true

9d79592

feat: handle the reporting of enhanced scan, add tests

1f3ccd7

feat: ignore an enhanced scan match if the value is ignored with secr…

dd24ac8

…et scan omit key

github-actions bot added the Adds or modifies js files label May 19, 2025

aitchiss added 2 commits May 19, 2025 11:50

fix: type

6e2f5c6

feat: allow the enhanced scanning to be switched off

2bdaa36