Skip to content

Detect secrets in your request/response using secretlint.

License

Notifications You must be signed in to change notification settings

secretlint/webextension

Repository files navigation

Secretlint WebExtension

Secretlint founds credentials that are included in your request/response.

This Web Extension integrate secretlint with browser's devTools.

screenshot

πŸ“ If you want to run secretelint as command line tools, please see secretlint/secretlint.

Features

  • Check that request/response includes credentials
  • DevTools integration
    • Output found credentials to "Console" panel(option)
    • Output found credentials to "Secretlint" panel

Permissions

This extension requires following permissions

permissions is defeind in manifest.json.

πŸ“ Other Notes

In Memory Process

This extension is written by JavaScript and It do not send your request/response to another server. All process is done in memory.

Scan timing

This exntension only scans secrents during you open developer tools. This limitation come from devtools API.

If you close the devTools, this extension does not scan any request/response.

Motivation

Everyone makes mistakes.

A developer sometimes expose own credentials like OAuth token in a website accidentally.

secretlint can found credentials in file. However, The exposed credentials come from environments variables or Database, so These are not embed in a file.

We want to found these exposed credentials.

Security researcher use proxy software like Burp Suite, but web developer use DevTools instead of it.

Secretlint WebExtension integrate to DevTools in Chrome/Firefox. This extension help web developer to notice exposed credential.

Install

Usage

  1. Open browser's Developer Tools
  2. βœ… Disable Cache
  3. Reload page and secretlint report found credentials in your request/response.

You can check the behavior using demo site:

Built-in rules

This Web Extension use @secretlint/secretlint-rule-preset-recommend and built-in disallow patterns.

Config

You can configure the option of secretlint extension.

  • Click "Secretlint" icon on menu
  • Or, See This extension's "Settings" page

Allow Patterns

Allow patterns is an array of string or RegExp-like String (/pattern/).

If you define following pattern, secretlint does not report it which is matched.

[
    "/NON_SECRETS/i",
    "1.1.1.1",
    "AKIAIOSFODNN7SECRETS",
]

Default patterns are defined in rule.allows.ts.

πŸ“ Prefer Allow patterns than Disallow patterns.

Disallow Patterns

You can add patterns and found your secrets.

These patterns are based on @secretlint/secretlint-rule-pattern. Each pattern should have following properties. If match the pattern, report it as error.

Default patterns are defined in rule.patterns.ts.

Development

Build this extension from source code:

# Require Node.js and Yarn
yarn install
# Chrome
yarn dev chrome
# Firefox
yarn dev firefox

Load the built extension:

  • Firefox: open about:debugging#/runtime/this-firefox β†’ Load from local
  • Chrome: open chrome://extensions/ β†’ Load from local

Changelog

See Releases page.

Running tests

Install devDependencies and Run npm test:

npm test

Contributing

Pull requests and stars are always welcome.

For bugs and feature requests, please create an issue.

  1. Fork it!
  2. Create your feature branch: git checkout -b my-new-feature
  3. Commit your changes: git commit -am 'Add some feature'
  4. Push to the branch: git push origin my-new-feature
  5. Submit a pull request :D

Author

License

MIT Β© azu