ignore html secrets

Author: Chrilleweb

CHANGELOG.md

@@ -16,6 +16,9 @@ This project follows [Keep a Changelog](https://keepachangelog.com/) and [Semant
 ### Fixed
 - Fixed issue where .env.example would be ignored by git when using --fix flag.
 
+### Added
+- HTML comments to ignore secret detection in HTML lines (e.g. `<!-- dotenv-diff-ignore -->`).
+
 ## [2.2.8] - 2025-09-30
 ### Added
 - Fix .env is not ignored by git when using --fix flag.

src/commands/scanUsage.ts

@@ -10,6 +10,7 @@ import { createJsonOutput } from '../core/scanJsonOutput.js';
 import { printMissingExample } from '../ui/scan/printMissingExample.js';
 import { processComparisonFile } from '../core/processComparisonFile.js';
 import { printComparisonError } from '../ui/scan/printComparisonError.js';
+import { hasIgnoreComment } from '../core/secretDetectors.js';
 
 /**
  * Filters out commented usages from the list.
@@ -18,15 +19,45 @@ import { printComparisonError } from '../ui/scan/printComparisonError.js';
  *   # process.env.API_URL
  *   /* process.env.API_URL
  *   * process.env.API_URL
+ *   <!-- process.env.API_URL -->
  * @param usages - List of environment variable usages
  * @returns Filtered list of environment variable usages
  */
 function skipCommentedUsages(usages: EnvUsage[]): EnvUsage[] {
-  return usages.filter(
-    (u) => u.context && !/^\s*(\/\/|#|\/\*|\*)/.test(u.context.trim()),
-  );
+  let insideHtmlComment = false;
+  let insideIgnoreBlock = false;
+
+  return usages.filter((u) => {
+    if (!u.context) return true;
+    const line = u.context.trim();
+
+    if (line.includes('<!--')) insideHtmlComment = true;
+    if (line.includes('-->')) {
+      insideHtmlComment = false;
+      return false;
+    }
+
+    if (/<!--\s*dotenv[\s-]*diff[\s-]*ignore[\s-]*start\s*-->/i.test(line)) {
+      insideIgnoreBlock = true;
+      return false;
+    }
+
+    if (/<!--\s*dotenv[\s-]*diff[\s-]*ignore[\s-]*end\s*-->/i.test(line)) {
+      insideIgnoreBlock = false;
+      return false;
+    }
+
+    if (insideIgnoreBlock) return false;
+
+    return (
+      !insideHtmlComment &&
+      !/^\s*(\/\/|#|\/\*|\*|<!--|-->)/.test(line) &&
+      !hasIgnoreComment(line)
+    );
+  });
 }
 
+
 /**
  * Recalculates statistics for a scan result after filtering usages.
  * @param scanResult The current scan result

src/core/secretDetectors.ts

@@ -43,14 +43,19 @@ const HARMLESS_URLS = [
 
 /**
  * Checks if a line has an ignore comment
- * fx: // dotenv-diff-ignore or /* dotenv-diff-ignore
+ * fx: // dotenv-diff-ignore or /* dotenv-diff-ignore *\/ or <!-- dotenv-diff-ignore -->
  * @param line - The line to check
  * @returns True if the line should be ignored
  */
-function hasIgnoreComment(line: string): boolean {
+export function hasIgnoreComment(line: string): boolean {
+  const normalized = line.trim();
+
+  // Allow mixed casing, extra spaces, and optional dashes
   return (
-    /\/\/\s*dotenv-diff-ignore/.test(line) ||
-    /\/\*\s*dotenv-diff-ignore\s*\*\//.test(line)
+    /\/\/.*dotenv[\s-]*diff[\s-]*ignore/i.test(normalized) ||
+    /\/\*.*dotenv[\s-]*diff[\s-]*ignore.*\*\//i.test(normalized) ||
+    /<!--.*dotenv[\s-]*diff[\s-]*ignore.*-->/i.test(normalized) ||
+    /\bdotenv[\s-]*diff[\s-]*ignore\b/i.test(normalized)
   );
 }
 
@@ -139,10 +144,25 @@ export function detectSecretsInSource(
   const findings: SecretFinding[] = [];
   const lines = source.split(/\r?\n/);
 
+  let insideIgnoreBlock = false;
+
   for (let i = 0; i < lines.length; i++) {
     const lineNo = i + 1;
     const line = lines[i] || '';
 
+    if (/<!--\s*dotenv[\s-]*diff[\s-]*ignore[\s-]*start\s*-->/i.test(line)) {
+      insideIgnoreBlock = true;
+      continue;
+    }
+
+    if (/<!--\s*dotenv[\s-]*diff[\s-]*ignore[\s-]*end\s*-->/i.test(line)) {
+      insideIgnoreBlock = false;
+      continue;
+    }
+
+    // Skip if inside ignore block
+    if (insideIgnoreBlock) continue;
+
     // Skip comments
     if (/^\s*\/\//.test(line)) continue;
 

test/e2e/cli.autoscan.e2e.test.ts

@@ -103,4 +103,33 @@ describe('no-flag autoscan', () => {
     const gitignore = fs.readFileSync(path.join(cwd, '.gitignore'), 'utf-8');
     expect(gitignore).toContain('.env');
   });
+it('will ignore <!-- dotenv-diff-ignore --> and block comments in .env files', () => {
+  const cwd = tmpDir();
+
+  fs.mkdirSync(path.join(cwd, 'src'), { recursive: true });
+
+  // Skriv +page.svelte med både inline og blok-ignore
+  fs.writeFileSync(
+    path.join(cwd, 'src', '+page.svelte'),
+    `
+      // Inline ignore test
+      const apiKey = process.env.API_KEY; <!-- dotEnv- difF-   igNore -->
+      const secret = process.env.SECRET; // should be detected
+
+      // Block ignore test
+      <!-- dotenv-diff-ignore-start -->
+      <p>Environment: "https://thisissecrethttpslasdasdasdasdasd.com"</p>
+      <!-- dotenv-diff-ignore-end -->
+
+      <p>Environment: "https://thisissecrethttpslasdasdasdasdasd.com"</p> <!-- dotenv-diff-ignore -->
+
+      const visible = process.env.VISIBLE; // should be detected
+    `.trim(),
+  );
+
+  const res = runCli(cwd, []);
+
+  expect(res.status).toBe(0);
+  expect(res.stdout).not.toContain('Potential secrets detected in codebase:');
+});
 });