Secretlint founds credentials that are included in your request/response.
- Firefox: https://addons.mozilla.org/ja/firefox/addon/secretlint/
- Chrome: https://chrome.google.com/webstore/detail/secretlint/hidpojbnemkajlnibhmeilpgoddkjjkf
- Install from Source: See Development section
This Web Extension integrate secretlint with browser's devTools.
๐ If you want to run secretelint as command line tools, please see secretlint/secretlint.
- Check that request/response includes credentials
- DevTools integration
- Output found credentials to "Console" panel(option)
- Output found credentials to "Secretlint" panel
This extension requires following permissions
"<all_urls>"- It is used for extending devTools and "Console Integration"
- devtools API requires this permission
- "Console Integration" uses content_scripts. Content Scripts require this permission
- Related issue: Reduce to use content scripts ยท Issue #5
"webNavigation"- It is used for clearing lint messages when move pages
"storage"- It is used for user config
permissions is defeind in manifest.json.
๐ Other Notes
In Memory Process
This extension is written by JavaScript and It do not send your request/response to another server. All process is done in memory.
Scan timing
This exntension only scans secrents during you open developer tools. This limitation come from devtools API.
If you close the devTools, this extension does not scan any request/response.
Everyone makes mistakes.
A developer sometimes expose own credentials like OAuth token in a website accidentally.
secretlint can found credentials in file. However, The exposed credentials come from environments variables or Database, so These are not embed in a file.
We want to found these exposed credentials.
Security researcher use proxy software like Burp Suite, but web developer use DevTools instead of it.
Secretlint WebExtension integrate to DevTools in Chrome/Firefox. This extension help web developer to notice exposed credential.
- Firefox: https://addons.mozilla.org/ja/firefox/addon/secretlint/
- Chrome: https://chrome.google.com/webstore/detail/secretlint/hidpojbnemkajlnibhmeilpgoddkjjkf
- Open browser's Developer Tools
- โ Disable Cache
- Reload page and secretlint report found credentials in your request/response.
You can check the behavior using demo site:
This Web Extension use @secretlint/secretlint-rule-preset-recommend and built-in disallow patterns.
You can configure the option of secretlint extension.
- Click "Secretlint" icon on menu
- Or, See This extension's "Settings" page
Allow patterns is an array of string or RegExp-like String (/pattern/).
If you define following pattern, secretlint does not report it which is matched.
[
"/NON_SECRETS/i",
"1.1.1.1",
"AKIAIOSFODNN7SECRETS",
]Default patterns are defined in rule.allows.ts.
๐ Prefer Allow patterns than Disallow patterns.
You can add patterns and found your secrets.
These patterns are based on @secretlint/secretlint-rule-pattern. Each pattern should have following properties. If match the pattern, report it as error.
- name: pattern name
- pattern: string or RegExp-like String (/pattern/)
Default patterns are defined in rule.patterns.ts.
Build this extension from source code:
# Require Node.js and Yarn
yarn install
# Chrome
yarn dev chrome
# Firefox
yarn dev firefox
Load the built extension:
- Firefox: open
about:debugging#/runtime/this-firefoxโ Load from local - Chrome: open
chrome://extensions/โ Load from local
See Releases page.
Install devDependencies and Run npm test:
npm test
Pull requests and stars are always welcome.
For bugs and feature requests, please create an issue.
- Fork it!
- Create your feature branch:
git checkout -b my-new-feature - Commit your changes:
git commit -am 'Add some feature' - Push to the branch:
git push origin my-new-feature - Submit a pull request :D
MIT ยฉ azu