-
-
Notifications
You must be signed in to change notification settings - Fork 504
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(linter): implement noSecrets #3823
Conversation
crates/biome_js_analyze/tests/specs/nursery/noSecrets/invalid.js
Outdated
Show resolved
Hide resolved
crates/biome_js_analyze/tests/specs/nursery/noSecrets/invalid.js.snap
Outdated
Show resolved
Hide resolved
CodSpeed Performance ReportMerging #3823 will not alter performanceComparing Summary
|
…le time, add multithreading loop
I need some help to resolve the merge conflicts. |
The files with conflicts are all generated, so IIRC you should be able rebase on |
crates/biome_js_analyze/tests/specs/nursery/noSecrets/invalid.js.snap
Outdated
Show resolved
Hide resolved
The impact on the benchmark seems to be significant. I think the use of so many regexes is one of the causes. We should try to find a way to reduce this overhead. |
Great idea! Although I feel like the benchmarks haven't been updated in a while (last run was ~3 hours ago, the code's been refactored majorly since then) |
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
I agree... Eventually (in further passes) this would be implemented on comments as well... So we definitely need better, smarter heuristics :D |
would love to have this sooner |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me. Would you mind adding a changelog entry for this? (and make sure to fix any ci failures)
Fixed, formatted, linted and changelog updated. Ready for merge. 🦾 |
Getting performance failure. The difference seems minor, however, it's on React benchmark which seems like a popular one. What should be the plan-of-action here? @dyc3 |
The rule (as any other new rules) will be in the nursery group.
I am unsure if it could make a big difference. We could still try it in the future. Some other ideas:
|
That's a flaky test that isn't part of the analyzer, it's the parser. The last run didn't show any regression in the analyzer |
Another idea to add on:
I think we can take a lot of inspiration from gitleaks. Could even parse just this file: https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml |
Seems like we can speed-up regex by enabling nightly build with SIMD. However, I am not aware of how that'll impact other modules. With faster regex, we can eventually support many more useful regexes and make biome a possible alternative to gitleaks. |
Summary
Possibly closes #3822 . I need to use this rule in some projects, but the lack of it in biome prevents adoption. This rule is great for security and sanitation.
The rule searches for potential secrets/keys in code.
Inspired by no-secrets/no-secrets in eslint.
I've dropped TODOs in the code for further improvement.
Test Plan
I've tested locally using:
cargo t quick_test
and
just test-lintrule noSecrets