fix: skip minified files in secret detection (#357)

* fix: skip minified files in secret detection

* fix: replaced severity with reason in secret detection

* fix: replaced severity with reason in secret detection

* fix: added TZ to default exclude keys

Author: Chrilleweb

.changeset/cyan-states-fall.md

@@ -0,0 +1,5 @@
+---
+'dotenv-diff': patch
+---
+
+added TZ to default exclude keys

.changeset/olive-carrots-share.md

@@ -0,0 +1,5 @@
+---
+'dotenv-diff': patch
+---
+
+replaced severity with reason for secret detection output

.changeset/sparkly-places-allow.md

@@ -0,0 +1,5 @@
+---
+'dotenv-diff': patch
+---
+
+skip minified files in secret detection

packages/cli/src/core/filterIgnoredKeys.ts

@@ -14,6 +14,7 @@ export const DEFAULT_EXCLUDE_KEYS = [
   'CI',
   'GITHUB_ACTIONS',
   'INIT_CWD',
+  'TZ',
 ];
 
 /**

packages/cli/src/core/security/secretDetectors.ts

@@ -55,6 +55,11 @@ const HARMLESS_URLS = [
 const HARMLESS_ATTRIBUTE_KEYS =
   /\b(trackingId|trackingContext|data-testid|data-test|aria-label)\b/i;
 
+// Ignore minified files
+function isLikelyMinified(line: string): boolean {
+  return line.length > 500; // Extremely long line, likely minified
+}
+
 // Checks if a line is an HTML text node or tag
 function isHtmlTextNode(line: string): boolean {
   const trimmed = line.trim();
@@ -285,6 +290,9 @@ export function detectSecretsInSource(
     // Check if line has ignore comment
     if (hasIgnoreComment(line)) continue;
 
+    // Ignore likely minified / bundled lines before any secret detection
+    if (isLikelyMinified(line)) continue;
+
     // Check for HTTPS URLs
     HTTPS_PATTERN.lastIndex = 0;
     let httpsMatch: RegExpExecArray | null;

packages/cli/src/ui/scan/printExampleWarnings.ts

@@ -23,9 +23,7 @@ export function printExampleWarnings(
 
   for (const w of warnings) {
     const severityColor = w.severity === 'high' ? error : warning;
-    console.log(
-      `${label(padLabel(w.key))}${severityColor(`${w.reason} [${w.severity}]`)}`,
-    );
+    console.log(`${label(padLabel(w.key))}${severityColor(w.reason)}`);
   }
 
   console.log(`${divider}`);

packages/cli/src/ui/scan/printSecrets.ts

@@ -61,7 +61,7 @@ export function printSecrets(
     for (const f of findings) {
       const color = getSeverityColor(f.severity);
       console.log(
-        `${label(padLabel(f.severity.toUpperCase()))}${color(`${normalizePath(f.file)}:${f.line}`)}`,
+        `${label(padLabel(f.message))}${color(`${normalizePath(f.file)}:${f.line}`)}`,
       );
     }
   }

packages/cli/test/e2e/cli.autoscan.e2e.test.ts

@@ -39,7 +39,7 @@ describe('no-flag autoscan', () => {
     fs.mkdirSync(path.join(cwd, 'src'), { recursive: true });
     fs.writeFileSync(
       path.join(cwd, 'src', 'index.ts'),
-      `const apiKey = process.env.API_KEY;`.trimStart(),
+      'const apiKey = process.env.API_KEY;'.trimStart(),
     );
 
     const res = runCli(cwd, []);
@@ -58,7 +58,7 @@ describe('no-flag autoscan', () => {
     fs.mkdirSync(path.join(cwd, 'src'), { recursive: true });
     fs.writeFileSync(
       path.join(cwd, 'src', 'index.ts'),
-      `const apiKey = process.env.API_KEY;`.trimStart(),
+      'const apiKey = process.env.API_KEY;'.trimStart(),
     );
 
     const res = runCli(cwd, ['--fix']);
@@ -116,7 +116,7 @@ describe('no-flag autoscan', () => {
     fs.mkdirSync(path.join(cwd, 'src'), { recursive: true });
     fs.writeFileSync(
       path.join(cwd, 'src', 'index.ts'),
-      `const url = "https://ingenfejl.com";`,
+      'const url = "https://ingenfejl.com";',
     );
 
     const res = runCli(cwd, []);
@@ -216,7 +216,7 @@ describe('no-flag autoscan', () => {
     fs.mkdirSync(path.join(cwd, 'src'), { recursive: true });
     fs.writeFileSync(
       path.join(cwd, 'src', 'index.js'),
-      `const key = proccess.env.API_KEY`,
+      'const key = proccess.env.API_KEY',
     );
 
     fs.writeFileSync(
@@ -235,7 +235,7 @@ describe('no-flag autoscan', () => {
     fs.mkdirSync(path.join(cwd, 'src'), { recursive: true });
     fs.writeFileSync(
       path.join(cwd, 'src', 'index.js'),
-      `console.log('hello');`,
+      'console.log(\'hello\');',
     );
 
     fs.writeFileSync(path.join(cwd, '.env.example'), 'API_KEY=EXAMPLE_KEY\n');
@@ -251,7 +251,7 @@ describe('no-flag autoscan', () => {
     fs.mkdirSync(path.join(cwd, 'src'), { recursive: true });
     fs.writeFileSync(
       path.join(cwd, 'src', 'index.js'),
-      `const key = proccess.env.API_KEY`,
+      'const key = proccess.env.API_KEY',
     );
 
     fs.writeFileSync(
@@ -262,7 +262,6 @@ describe('no-flag autoscan', () => {
     const res = runCli(cwd, ['--example', '.env.example']);
     expect(res.status).toBe(1);
     expect(res.stdout).toContain('▸ Potential secrets in .env.example');
-    expect(res.stdout).toContain('[high]');
   });
 
   it('will ingore files with excludeFiles option in config', () => {
@@ -282,7 +281,7 @@ describe('no-flag autoscan', () => {
     fs.mkdirSync(path.join(cwd, 'src', 'ignore'), { recursive: true });
     fs.writeFileSync(
       path.join(cwd, 'src', 'ignore', 'index.ts'),
-      `const secret = "sk_test_4eC39HqLyjWDarjtT1zdp7dc";`,
+      'const secret = "sk_test_4eC39HqLyjWDarjtT1zdp7dc";',
     );
 
     const res = runCli(cwd, []);
@@ -307,7 +306,7 @@ describe('no-flag autoscan', () => {
     fs.mkdirSync(path.join(cwd, 'src'), { recursive: true });
     fs.writeFileSync(
       path.join(cwd, 'src', 'secret.ts'),
-      `const secret = "sk_live_123456789";`,
+      'const secret = "sk_live_123456789";',
     );
 
     const res = runCli(cwd, []);
@@ -323,7 +322,7 @@ describe('no-flag autoscan', () => {
     fs.mkdirSync(path.join(cwd, 'src'), { recursive: true });
     fs.writeFileSync(
       path.join(cwd, 'src', 'index.ts'),
-      `const db = process.env.DATABASE_URL;`,
+      'const db = process.env.DATABASE_URL;',
     );
 
     const res = runCli(cwd, []);
@@ -339,7 +338,7 @@ describe('It will prompt to ask to create .env file is no .env files are found',
     fs.mkdirSync(path.join(cwd, 'src'), { recursive: true });
     fs.writeFileSync(
       path.join(cwd, 'src', 'index.ts'),
-      `const apiKey = process.env.API_KEY;`,
+      'const apiKey = process.env.API_KEY;',
     );
 
     const res = runCli(cwd, ['--yes']);
@@ -354,7 +353,7 @@ describe('It will prompt to ask to create .env file is no .env files are found',
     fs.mkdirSync(path.join(cwd, 'src'), { recursive: true });
     fs.writeFileSync(
       path.join(cwd, 'src', 'index.ts'),
-      `const apiKey = process.env.API_KEY;`,
+      'const apiKey = process.env.API_KEY;',
     );
 
     const res = runCli(cwd, ['--ci']);
@@ -372,7 +371,7 @@ describe('It will prompt to ask to create .env file is no .env files are found',
     fs.writeFileSync(path.join(cwd, '.env'), 'EXISTING_KEY=value\n');
     fs.writeFileSync(
       path.join(cwd, 'src', 'index.ts'),
-      `const apiKey = process.env.API_KEY;`,
+      'const apiKey = process.env.API_KEY;',
     );
 
     const res = runCli(cwd, ['--yes']);
@@ -389,7 +388,7 @@ describe('It will prompt to ask to create .env file is no .env files are found',
     fs.mkdirSync(path.join(cwd, 'src'), { recursive: true });
     fs.writeFileSync(
       path.join(cwd, 'src', 'index.ts'),
-      `const apiKey = process.env.API_KEY;`,
+      'const apiKey = process.env.API_KEY;',
     );
 
     const res = runCli(cwd, ['--yes', '--json']);
@@ -411,7 +410,7 @@ describe('It will prompt to ask to create .env file is no .env files are found',
     fs.mkdirSync(path.join(subdir, 'src'), { recursive: true });
     fs.writeFileSync(
       path.join(subdir, 'src', 'index.ts'),
-      `const apiKey = process.env.API_KEY;`,
+      'const apiKey = process.env.API_KEY;',
     );
 
     const res = runCli(subdir, ['--yes']);

packages/cli/test/unit/core/security/secretDetectors.test.ts

@@ -527,5 +527,43 @@ const email = "user@example.com";
         expect(findings).toHaveLength(0);
       });
     });
+    describe('minified file detection', () => {
+      it('should ignore lines over 500 chars (likely minified)', () => {
+        // Real minified line from a bundled file — contains URLs and identifiers
+        // that would otherwise trigger URL and entropy warnings
+        const source =
+          'const WORKSPACES_DOCS_URL="https://www.sanity.io/docs/workspaces",useWorkspaceAuthStates=createHookFromObservableFactory((workspaces)=>combineLatest(workspaces.map((workspace)=>workspace.auth.state.pipe(map((state)=>[workspace.name,state])))).pipe(map((entries)=>Object.fromEntries(entries)))),STATE_TITLES={notAuthenticated:"Not authenticated",authenticated:"Authenticated",error:"Error"},COOKIE_NAME="sanity_workspace",DEFAULT_TIMEOUT=3e4,RETRY_ATTEMPTS=3,BASE_PATH="/v2021-06-07",API_VERSION="2021-06-07";';
+        expect(source.length).toBeGreaterThan(500); // confirm the line is actually long
+        const findings = detectSecretsInSource('test.ts', source);
+        expect(findings).toHaveLength(0);
+      });
+
+      it('should ignore suspicious-looking strings inside minified lines', () => {
+        // Minified code with a token field — should not warn because the line is minified
+        const source =
+          'var n=function(){return Math.random().toString(36).substr(2,9)},t={apiUrl:"https://api.example.com/v1",timeout:3e4,retry:3,token:"placeholder",headers:{"Content-Type":"application/json",Accept:"application/json"},endpoints:{auth:"/auth",users:"/users",data:"/data"},utils:{encode:function(e){return btoa(e)},decode:function(e){return atob(e)},hash:function(e){return e.split("").reduce((function(e,n){return(e=(e<<5)-e+n.charCodeAt(0))&e}),0)}},extra:"paddingToEnsureThisLineExceedsFiveHundredCharactersAsRequiredByTheMinifiedLineDetectionLogicInOurSecretScanner"};';
+        expect(source.length).toBeGreaterThan(500);
+        const findings = detectSecretsInSource('test.ts', source);
+        expect(findings).toHaveLength(0);
+      });
+
+      it('should still detect secrets on normal-length lines', () => {
+        // A short, normal line with a real secret should still be caught
+        const source =
+          'const token = "ghp_1234567890abcdefghijklmnopqrstuvwxyz";';
+        expect(source.length).toBeLessThan(500);
+        const findings = detectSecretsInSource('test.ts', source);
+        expect(findings.length).toBeGreaterThan(0);
+      });
+
+      it('should not ignore a 499-char line', () => {
+        // Just under the threshold — should still be scanned normally
+        const padding = 'x'.repeat(380);
+        const source = `const token = "ghp_1234567890abcdefghijklmnopqrstuvwxyz"; // ${padding}`;
+        expect(source.length).toBeLessThan(500);
+        const findings = detectSecretsInSource('test.ts', source);
+        expect(findings.length).toBeGreaterThan(0);
+      });
+    });
   });
 });

packages/cli/test/unit/ui/scan/printExampleWarnings.test.ts

@@ -63,6 +63,20 @@ describe('printExampleWarnings', () => {
         String(call[0]).includes('TOKEN'),
       ),
     ).toBe(true);
+
+    expect(
+      logSpy.mock.calls.some((call: [string]) =>
+        String(call[0]).includes('Looks like a real API key'),
+      ),
+    ).toBe(true);
+
+    expect(
+      logSpy.mock.calls.some(
+        (call: [string]) =>
+          String(call[0]).includes('[high]') ||
+          String(call[0]).includes('[medium]'),
+      ),
+    ).toBe(false);
   });
 
   it('uses warning indicator when strict is false and no high severity exists', () => {