FixYourSecret

Most scanners stop at finding secrets. FixYourSecret ranks each leak by real exploitability, generates the backend fix, and walks you through rotation — then gates CI so it never comes back.


Why FixYourSecret Is Different

A long list of leaked strings isn't a fix — it's a to-do list. FixYourSecret closes the loop:

Capabilities compared against find-only scanners:

  • Detect leaked keys & tokens
  • Scan full git history (deleted commits)
  • Rank by real exploitability (frontend exposure → HIGH)
  • Generate the fix (backend proxy + frontend patch)
  • Guide key rotation + update .env
  • CI gate + SARIF + custom rules

The difference is prioritization and remediation. A key in src/components/ is shipping to every browser; the same key in a backend .env is far less urgent — FixYourSecret knows the difference, marks the exploitable one HIGH, hands you a generated proxy to move it server-side, and walks you through rotating it.

The workflow

  1. Find exposed keys and tokens — across the working tree or full git history.
  2. Prioritize by risk — frontend exposure is escalated to HIGH automatically.
  3. Fix — generate a backend proxy + frontend patch so the secret leaves the client.
  4. Rotate — guided, safe key rotation that updates your .env.
  5. Gate CI — SARIF + a one-line GitHub Action so regressions never slip back in.

Accuracy you can verify

Measured against a labeled corpus with ground truth (known secrets planted at known locations + realistic hard negatives): precision 1.000 · recall 1.000 · F1 1.000. Reproduce it yourself with npm run benchmark:corpus — details in Accuracy.

What It Detects

Built-in detectors currently include:

  • OpenAI
  • Google
  • AWS Access Key IDs
  • Stripe Secret Keys
  • Slack Tokens
  • GitHub Tokens
  • GitLab Tokens
  • Twilio API Keys
  • SendGrid API Keys
  • Mailgun API Keys
  • Anthropic API Keys
  • Cohere API Keys
  • Hugging Face Tokens
  • Telegram Bot Tokens
  • npm Tokens
  • Private Key Blocks
  • Generic High-Entropy Tokens

Core Commands

| Command | What it does |
| --- | --- |
| `fixyoursecret scan` | Scans current codebase and reports risky findings |
| `fixyoursecret history 20` | Scans files touched in the last N commits |
| `fixyoursecret history all` | Scans the full git history (all branches), catching secrets in deleted/old commits with commit attribution |
| `fixyoursecret ci` | CI-focused SARIF scan with safer defaults |
| `fixyoursecret fix` | Generates backend proxy + frontend patch helper |
| `fixyoursecret rotate openai` | Guides secure key rotation and updates .env |
| `fixyoursecret hook install` | Installs a pre-commit protection hook |

Install

```bash
npm install -g fixyoursecret
fixyoursecret --help
```

For local development of this repo:

```bash
npm install
npm test
npm link
```

The compatibility alias also works:

```bash
secretlint --help
```

60-Second Quick Start

```bash
fixyoursecret init
fixyoursecret scan --verify safe
fixyoursecret history 30 --verify safe
fixyoursecret fix --output fixyoursecret-output
fixyoursecret rotate openai --dry-run
fixyoursecret hook install
```

Example Output

```text
[HIGH] OpenAI key exposed in frontend
File: demo/src/App.js:12
Detector: openai-api-key
Risk: HIGH
Fix: Move secret to backend and call internal proxy endpoint
```

Verification Mode

Use verification when you want fewer false positives:

```bash
fixyoursecret scan --verify safe
fixyoursecret scan --verify safe --verify-strict
```

`safe` mode uses provider-safe structural checks only (no external API calls).

Custom Rules

Flag your own internal token formats without forking. Add a customRules array to .fixyoursecretrc.json:

```json
{
  "customRules": [
    {
      "id": "acme-internal-token",
      "regex": "acme_[a-f0-9]{32}",
      "severity": "high",
      "issue": "Acme internal token exposed"
    }
  ]
}
```

| Field | Required | Notes |
| --- | --- | --- |
| `id` | yes | Unique rule name; shown as the finding's rule. |
| `regex` | yes | JavaScript regex. If it has a capture group, group 1 is treated as the secret value. |
| `severity` | no | `low` \| `medium` \| `high` (default `high`). Escalates to `high` automatically on frontend exposure. |
| `issue` | no | Human-readable description. |
| `confidence` | no | `low` \| `medium` \| `high` (default `medium`). |
| `flags` | no | Regex flags (`g` is always applied). |

Rules with an invalid or duplicate regex are skipped rather than failing the scan. Custom findings are treated as verified, so they survive --verify-strict.
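A minimal matcher that follows the custom-rule semantics documented in this section and the frontend escalation described under "The workflow". This is an added example, not FixYourSecret's own code: the function names, the frontend-path heuristic, and the sample config and source are assumptions made for illustration.

```javascript
// Added example, not FixYourSecret's own code. Implements the customRules
// semantics documented above: g is always applied, invalid or duplicate
// regexes are skipped instead of failing the scan, capture group 1 is the
// secret when present, frontend exposure escalates severity to high, and
// custom findings are marked verified.
// The function names, frontend-path heuristic and sample data are assumptions.

const SEVERITIES = ["low", "medium", "high"];

// Constructed sample config: two usable rules, one invalid regex, one duplicate.
const sampleConfig = {
  customRules: [
    {
      id: "acme-internal-token",
      regex: "acme_[a-f0-9]{32}",
      severity: "high",
      issue: "Acme internal token exposed",
    },
    { id: "acme-session", regex: "session=([A-Za-z0-9]{24})", severity: "low", flags: "i" },
    { id: "broken-rule", regex: "acme_(" },          // invalid regex: skipped
    { id: "dup-rule", regex: "acme_[a-f0-9]{32}" },  // duplicate regex: skipped
  ],
};

// Constructed sample source: one token and one session cookie on separate lines.
const sampleSource = [
  'const API = "acme_0123456789abcdef0123456789abcdef";',
  'fetch(url, { headers: { Cookie: "SESSION=abcdefghijklmnopqrstuvwx" } });',
].join("\n");

function loadCustomRules(config) {
  const rules = [];
  const seenRegex = new Set();
  for (const raw of config.customRules ?? []) {
    if (typeof raw.id !== "string" || typeof raw.regex !== "string") continue;
    if (seenRegex.has(raw.regex)) continue;         // duplicate: skip, don't fail
    const flags = new Set((raw.flags ?? "").split(""));
    flags.add("g");                                 // g is always applied
    let re;
    try {
      re = new RegExp(raw.regex, [...flags].join(""));
    } catch {
      continue;                                     // invalid regex: skip, don't fail
    }
    seenRegex.add(raw.regex);
    rules.push({
      id: raw.id,
      re,
      severity: SEVERITIES.includes(raw.severity) ? raw.severity : "high",
      confidence: SEVERITIES.includes(raw.confidence) ? raw.confidence : "medium",
      issue: raw.issue ?? `Custom rule ${raw.id} matched`,
    });
  }
  return rules;
}

// Assumed heuristic: code under these directories ships to the browser.
const FRONTEND_DIRS = new Set(["components", "pages", "public", "client", "frontend"]);
function isFrontendPath(file) {
  return file.split("/").some((segment) => FRONTEND_DIRS.has(segment));
}

function scanText(file, text, rules) {
  const findings = [];
  const frontend = isFrontendPath(file);
  for (const rule of rules) {
    for (const m of text.matchAll(rule.re)) {
      findings.push({
        rule: rule.id,
        file,
        line: text.slice(0, m.index).split("\n").length, // 1-based line of the match
        secret: m[1] ?? m[0],                            // capture group 1 wins when present
        severity: frontend ? "high" : rule.severity,     // escalate on frontend exposure
        escalated: frontend && rule.severity !== "high",
        confidence: rule.confidence,
        issue: rule.issue,
        verified: true,                                  // survives --verify-strict
      });
    }
  }
  return findings;
}
```

Running `scanText("src/components/App.js", sampleSource, loadCustomRules(sampleConfig))` yields two findings, both HIGH because the file is client-side; the same source scanned as `server/config.js` keeps the session rule at its configured `low`.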

Baseline Support

Baselines let teams adopt secret scanning without breaking every existing build on day one.

```bash
fixyoursecret scan --update-baseline
fixyoursecret scan
```

CI and Security Platform Output

Generate SARIF for GitHub code scanning or other platforms:

```bash
fixyoursecret ci --output-file fixyoursecret.sarif
```
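To show what a code-scanning platform needs from that output, here is an added example (not the project's own serializer) that turns a list of findings into a minimal SARIF 2.1.0 log and applies a `fail-on` threshold like the one the GitHub Action takes. The finding shape, function names and sample findings are assumptions.

```javascript
// Added example, not FixYourSecret's own code. Builds a minimal SARIF 2.1.0
// log of the kind GitHub code scanning ingests and applies a fail-on gate.
// The finding shape, function names and sample findings are assumptions.

const LEVEL = { low: "note", medium: "warning", high: "error" }; // SARIF result levels
const RANK = { low: 1, medium: 2, high: 3 };

// Constructed sample findings; the first mirrors the README's example output.
const sampleFindings = [
  {
    rule: "openai-api-key", file: "demo/src/App.js", line: 12, severity: "high",
    issue: "OpenAI key exposed in frontend",
    fix: "Move secret to backend and call internal proxy endpoint",
  },
  {
    rule: "generic-high-entropy", file: "scripts/seed.sh", line: 4, severity: "medium",
    issue: "High-entropy string looks like a credential",
    fix: "Load it from an environment variable or a secret store",
  },
];

function toSarif(findings, toolVersion = "0.0.0-example") {
  // One rule entry per distinct rule id; results reference rules by index.
  const rules = [];
  const ruleIndex = new Map();
  for (const f of findings) {
    if (!ruleIndex.has(f.rule)) {
      ruleIndex.set(f.rule, rules.length);
      rules.push({
        id: f.rule,
        shortDescription: { text: f.issue },
        defaultConfiguration: { level: LEVEL[f.severity] ?? "warning" },
      });
    }
  }
  const results = findings.map((f) => ({
    ruleId: f.rule,
    ruleIndex: ruleIndex.get(f.rule),
    level: LEVEL[f.severity] ?? "warning",
    message: { text: `${f.issue}. Fix: ${f.fix}` },
    locations: [{
      physicalLocation: {
        artifactLocation: { uri: f.file, uriBaseId: "%SRCROOT%" }, // repo-relative path
        region: { startLine: f.line },
      },
    }],
  }));
  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{ tool: { driver: { name: "fixyoursecret", version: toolVersion, rules } }, results }],
  };
}

// fail-on gate: non-zero exit when any finding is at or above the threshold.
function exitCodeFor(findings, failOn = "high") {
  const threshold = RANK[failOn] ?? RANK.high;
  return findings.some((f) => (RANK[f.severity] ?? 0) >= threshold) ? 1 : 0;
}

function writeSarif(findings, path = "fixyoursecret.sarif") {
  require("node:fs").writeFileSync(path, JSON.stringify(toSarif(findings), null, 2));
}
```

Write the log with `writeSarif(sampleFindings)` and upload it as the Action does; `exitCodeFor(sampleFindings, "high")` is 1 because of the frontend key, while dropping the threshold to `medium` also fails on the high-entropy string alone.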

GitHub Action

Add secret scanning to any repo in one step. Findings appear in the Security → Code scanning tab and the build fails on high-severity leaks:

```yaml
# .github/workflows/secrets.yml
name: Secret Scan
on: [push, pull_request]
permissions:
  contents: read
  security-events: write
jobs:
  fixyoursecret:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ssanidhya0407/fixyoursecret@v1
        with:
          fail-on: high      # low | medium | high
          verify: safe       # none | safe
```

Inputs: `path`, `fail-on`, `verify`, `sarif-file`, `upload-sarif`, `version`, `args`.

Pre-commit hook (pre-commit.com)

Block secrets before they are committed. Add to .pre-commit-config.yaml:

```yaml
repos:
  - repo: https://github.com/ssanidhya0407/fixyoursecret
    rev: v0.6.0   # or the latest release
    hooks:
      - id: fixyoursecret
```

Then run `pre-commit install`. The hook scans staged changes and blocks the commit on high-severity findings. (For a zero-dependency local hook instead, run `fixyoursecret hook install`.)

Accuracy

FixYourSecret ships a labeled-corpus benchmark that measures true precision and recall against ground truth — known secrets planted at known locations, alongside realistic hard negatives (hashes, UUIDs, data URIs, model names, example keys) that must stay clean.

| Metric | Score |
| --- | --- |
| Precision | 1.000 |
| Recall | 1.000 |
| F1 | 1.000 |

15 planted secrets across 10+ file types and frontend/backend paths; 10 hard-negative files. Reproduce with npm run benchmark:corpus.

For real-world false-positive validation, npm run benchmark:corpus:real additionally clones popular public repositories and folds their findings into the precision measurement.

Quality Gates and Tuning

This repo ships with benchmark and multi-repo tuning scripts:

```bash
npm run quality            # tests + synthetic benchmark + labeled corpus
npm run benchmark          # synthetic positive/negative gate
npm run benchmark:corpus   # labeled corpus: true precision/recall/F1
npm run tune:500:quick     # large-scale false-positive review
npm run regression:check
```

Useful docs:

Config

Default config file: .fixyoursecretrc.json

Important knobs:

  • ignorePaths
  • allowedExtensions
  • entropyThreshold
  • ignoreDetectors
  • ignoreValueHints
  • suppressions

Inline suppression is supported:

```js
// fixyoursecret-disable-next-line
const token = "fake_token_for_docs_only";
```

Release Flow

Release notes and process live in:

License

MIT © Sanidhya Singh
