Merge pull request #74 from Onboardbase/redaction

feat: optionally mask rawValue inside scanResult

Author: iamnasirudeen

package.json

@@ -1,6 +1,6 @@
 {
   "name": "securelog-scan",
-  "version": "3.0.21",
+  "version": "3.0.22",
   "description": "A CLI tool to scan codebases for potential secrets.",
   "main": "dist/index.js",
   "author": {

src/shared/index.ts

@@ -53,6 +53,11 @@ export const maskAndRedactSensitiveData = async (
       const { scan } = detector;
       const scanResponse = await scan(false, options.rawValue as string);
       if (scanResponse && scanResponse.rawValue) {
+        /***
+         * this replaces the secrets in the string to a masked one should incase there
+         * are multiple secrets in the string, it replaces them one by one based on how
+         * many secrets was detected
+         */
         modifiedValue = modifiedValue?.replaceAll(
           scanResponse.rawValue as string,
           maskString(scanResponse.rawValue as string, {
@@ -61,6 +66,16 @@ export const maskAndRedactSensitiveData = async (
           })
         );
 
+        /**
+         * this masks the rawValue thats inside the scanResult based on the user option
+         */
+        if (options.maskSecretRawValue) {
+          scanResponse.rawValue = maskString(scanResponse.rawValue as string, {
+            maskValue: options.maskedValue,
+            visibleChars: options.visibleChars,
+          });
+        }
+
         return scanResponse;
       }
     })

src/types/index.ts

@@ -23,6 +23,7 @@ export interface ScanStringOptions {
   maskedValue?: string;
   visibleChars?: number;
   customDetectors?: DetectorConfig[];
+  maskSecretRawValue?: boolean;
 }
 
 export interface DecayOptions {
@@ -94,10 +95,10 @@ export interface DataFormat {
 }
 
 export type RedactionPattern = {
-  pattern: string;  // RE2 compatible pattern
+  pattern: string; // RE2 compatible pattern
   replacement: string;
   description?: string;
-}
+};
 
 export type RedactionConfig = {
   [key: string]: RedactionPattern;