Skip to content

Detects and prevents leaking secrets and API tokens into your logs.

License

Notifications You must be signed in to change notification settings

Onboardbase/securelog

Repository files navigation

Securelog Logs ReleaseLint

A better and more secure console logging experience. Detects and prevents leaking secrets and API tokens into your logs.

Need Secret scanning in other places?

Contents

Install

To use SecureLog,


yarn add securelogs # npm i securelogs

Usage

Import the SecureLog library at the top level of your project. If you use any env/secret library (e.g. dotenv) in your project, you should import those before importing SecureLog.


import SecureLog from 'securelogs';
new SecureLog(); // For JS projects, use new SecureLog.default()

console.log('random value'); // Onboardbase Signatures here: random value.

Then you can use your console.log as usual. This should include the SecureLog prefix and log your value.

The SecureLog Library also accepts an object.


export default interface IOptions {
  disableOn?: 'development' | 'production'; // You can use this to specify if you want the SecureLog library to be disabled in a specific environment
  disableConsoleOn?: 'development' | 'production'; // You can use this to disable the console entirely in a specific environment
  warnOnly?: boolean; // If this is true, secure log will only print out a warning message rather than exit the program when it detects a secret leak.
  forceNewInstance?: boolean; // SecureLog maintains a singleton, use this option to refresh the singleton and updating the config in the process.
  maskLeakedSecrets?: boolean; // Hide the value of a leaked secrets from reaching the console
  prefix:? string; // customize the prefix for the logs. defaults to "Onboardbase Signatures here:"
  globalConsoleObject:? Console // SecureLog advertently uses the standard console.log to output to the console, this option enables configuring the standard console object that is used within the library to output to the console.
}

Example:


new SecureLog({ disableConsoleOn: 'development', warnOnly: true }); // This will disable the SecureLog library on development environment.
console.log('sensitive secret here'); // This won't be executed.

If a secret is detected in a log message, SecureLog can either issue a warning or exit the process, depending on the warnOnly option. The default value for warnOnly is false, hence SecureLog will exit the process when it detects a secret leak.

The disableConsoleOn option passed to the SecureLog library will ensure that the console.log statement is not executed.

The disableOn && disableConsoleOn depend on your process.env.NODE_ENV to work perfectly. That is, it compares the environment passed from the disableOn || disableConsoleOn option with the environment in your process.env.NODE_ENV to know when to disable the SecureLog library or the console statements itself.

The SecureLog library scans the arguments passed to the console.log function to check if any of the ...args inside your console.log function is a potential secret. It does this by comparing the arguments passed to console.log with the values of your current environment: process.env. It throws an error if any potential secret is found.

Example:


console.log('secret', process.env.AWS_ACCESS_KEY_ID); // Onboardbase Signatures here: ************ is a valid secret for the key: AWS_ACCESS_KEY_ID

This will throw a warning if an actual AWS_ACCESS_KEY_ID is found in the process.env to notify the user that they are logging a potential secret.

Example: React App


<head>
  <script defer src="https://cdn.jsdelivr.net/npm/securelogs/dist/index.min.js">
    new SecureLog.default()
  </script>
</head>

Example: NodeJs


const express = require('express');
const app = express();
const SecureLog = require('securelogs');

const port = 3000;
new SecureLog();

app.get('/', (req, res) => {
  res.send('Hello World!');
});

app.listen(port, () => {
  console.log(`Example app listening on port ${port}`);
});

Supported console methods

The SecureLog library currently only supports these console methods:

  • console.log, console.clear, console.warn, console.profileEnd, console.debug, console.info, console.error, console.table

API

createSecureConsolaReporter

To securely log with consola, use the createSecureConsolaReporter method to create a reporter.

It exposes a secure log instance with the following config: { warnOnly: true, forceNewInstance: true, maskLeakedSecrets: true, }

import { createSecureConsolaReporter } from 'securelogs';
const options: IOptions = {}; // override the default config used to initialize secure log instance
const consola = createSecureConsolaReporter(options);
process.env.NODE_ENV = 'development';
consola.log('hello there from development'); // {"date":"2024-04-12T17:46:07.099Z","args":["hello there from ***********"],"type":"log","level":2,"tag":""}

maskLeakedSecrets(data: any) : any

Mask leaked secrets in a string|array|object.

import { maskSecretLeaks } from 'securelogs';

// mask secrets existing in a predefined array of values
const valuesIn = ['asd'];
// *** 9200 *** development
console.log(maskSecretLeaks('asd 9200 asd development', valuesIn));

const secrets = { PORT: '9200', NODE_ENV: 'development' };

process.env = secrets;
// mask secrets in process.env
// asd 9200 asd ***********
console.log(maskSecretLeaks('asd 9200 asd development'));
// { key: [ 'asd 9200 asd ***********' ] }
console.log(maskSecretLeaks({ key: ['asd 9200 asd development'] }));
// [ 'asd 9200 asd ***********' ]
console.log(maskSecretLeaks(['asd 9200 asd development']));
// { nested: { env: '***********' } }
console.log(maskSecretLeaks({ nested: { env: 'development' } }));

validateSecretLeak(data: any): boolean

Validate if a string|object|array contains secrets

import { validateSecretLeak } from 'securelogs';

const secrets = { PORT: '9200', NODE_ENV: 'development' };

process.env = secrets;

console.log(validateSecretLeak('development')); // true

scanSecretsInString(rawValue: string) : string

This takes in a string and checks if the strings contains a secret, if it does, it automatically masks all the secrets in the data provided and returns the data back with secrets masked

import { scanSecretsInString } from 'securelogs';

const safeString = await scanSecretsInString(
  'This is a very long string with AKIAKSDKDBDSDSDBD AWS secrets attached',
  options: {
    maskedValue: "*"; // that is the masked value should be represented by "*", if masked value is an empty string, all found secrets wont have a value
    visibleChars: 0; // that is no detected secrets should be returned
  }
); // This is a very long string with AWS secrets attached

About

Detects and prevents leaking secrets and API tokens into your logs.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published