org.sonar.plugins.secrets.configuration.npm.yaml Maven / Gradle / Ivy
provider:
metadata:
name: NPM
category: Package Repository
message: Make sure this NPM access token gets revoked, changed, and removed from the code.
rules:
- id: npm-access-token
rspecKey: S6758
metadata:
name: NPM access tokens should not be disclosed
detection:
pre:
include:
content:
- npm_
matching:
pattern: "(npm_[0-9A-Za-z]{36})\\b"
post:
statisticalFilter:
threshold: 4.26
patternNot:
- "(?i)(?:s|ex)ample|foo|bar|test|abcd|redacted"
examples:
- text: |
steps:
- run: |
npm install
- env:
NPM_TOKEN: npm_tCEMceczuiTXKQaBjGIaAezYQ63PqI972ANG
containsSecret: true
match: npm_tCEMceczuiTXKQaBjGIaAezYQ63PqI972ANG
- text: |
steps:
- run: |
npm install
- env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
containsSecret: false
- text: |
//registry.npmjs.org/:_authToken=npm_zLJhqeZs81Bhpxan9A0qH8d2wh15DoifLdLd
containsSecret: true
match: npm_zLJhqeZs81Bhpxan9A0qH8d2wh15DoifLdLd
- text: |
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
containsSecret: false
- text: |
//registry.npmjs.org/:_authToken=npm_000000000000000000000000000000000000
containsSecret: false
- text: |
//registry.npmjs.org/:_authToken=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
containsSecret: false
© 2015 - 2025 Weber Informatics LLC | Privacy Policy