Initial commit: Token Security Analyzer v0.0.1

Author: WillIsback

.github/workflows/ci.yml

@@ -0,0 +1,66 @@
+name: CI
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+    branches: [main, master]
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Install Rust
+        uses: dtolnay/rust-action@stable
+        with:
+          toolchain: nightly
+          components: rustfmt, clippy
+      
+      - name: Cache cargo
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+            target/
+          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+      
+      - name: Check formatting
+        run: cargo fmt --all -- --check
+      
+      - name: Clippy
+        run: cargo clippy --all-targets --all-features -- -D warnings
+      
+      - name: Run tests
+        run: cargo test --all-features
+      
+      - name: Build release
+        run: cargo build --release
+
+  # Run the analyzer on the demo project
+  demo:
+    runs-on: ubuntu-latest
+    needs: test
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Install Rust
+        uses: dtolnay/rust-action@stable
+        with:
+          toolchain: nightly
+      
+      - name: Build
+        run: cargo build --release
+      
+      - name: Run demo analysis
+        run: |
+          ./target/release/token-analyzer API_KEY examples/demo_project --thorough --verbose
+          echo "Exit code: $?"
+        continue-on-error: true  # Expected to return 2 (security issues found)

.gitignore

@@ -0,0 +1,14 @@
+/target
+Cargo.lock
+**/*.rs.bk
+*.pdb
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+
+# OS
+.DS_Store
+Thumbs.db

Cargo.toml

@@ -0,0 +1,43 @@
+[package]
+name = "token-analyzer"
+version = "0.0.1"
+edition = "2024"
+authors = ["WillIsback <[email protected]>"]
+description = "Fast, parallel token security analyzer - Detect exposed secrets, API keys, and sensitive tokens in your codebase"
+license = "MIT"
+repository = "https://github.com/WillIsback/token-analyzer"
+homepage = "https://github.com/WillIsback/token-analyzer"
+documentation = "https://docs.rs/token-analyzer"
+readme = "README.md"
+keywords = ["security", "secrets", "tokens", "api-key", "static-analysis"]
+categories = ["command-line-utilities", "development-tools", "authentication"]
+rust-version = "1.85"
+
+[lib]
+name = "token_analyzer"
+path = "src/lib.rs"
+
+[[bin]]
+name = "token-analyzer"
+path = "src/main.rs"
+
+[dependencies]
+anyhow = "1.0"
+ignore = "0.4"
+parking_lot = "0.12"
+rayon = "1.10"
+regex = "1.11"
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"
+
+[dev-dependencies]
+tempfile = "3.14"
+
+[profile.release]
+lto = true
+codegen-units = 1
+strip = true
+
+[package.metadata.docs.rs]
+all-features = true
+rustdoc-args = ["--cfg", "docsrs"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 WillIsback
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,195 @@
+# Token Analyzer 🔐
+
+[![Crates.io](https://img.shields.io/crates/v/token-analyzer.svg)](https://crates.io/crates/token-analyzer)
+[![Documentation](https://docs.rs/token-analyzer/badge.svg)](https://docs.rs/token-analyzer)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+**Fast, parallel token security analyzer** - Detect exposed secrets, API keys, and sensitive tokens in your codebase.
+
+> Part of the [lazy-locker](https://github.com/WillIsback/lazy-locker) ecosystem for secure secret management.
+
+## ✨ Features
+
+- **🚀 Blazing fast** - Uses ripgrep's `ignore` crate for file walking (~170K files/sec)
+- **⚡ Parallel** - Leverages `rayon` for multi-threaded file scanning
+- **🧠 Smart** - Respects `.gitignore` and common ignore patterns
+- **🔐 Security-focused** - Detects dangerous patterns (print, log, echo)
+- **📁 Context-aware** - Prioritizes sensitive files (.env, configs)
+- **🎯 Entropy detection** - Identifies high-entropy strings (real secrets vs placeholders)
+- **🏷️ Known prefixes** - Detects 30+ known token formats (AWS, GitHub, Slack, OpenAI...)
+
+## 📦 Installation
+
+### From crates.io
+
+```bash
+cargo install token-analyzer
+```
+
+### From source
+
+```bash
+git clone https://github.com/WillIsback/token-analyzer
+cd token-analyzer
+cargo install --path .
+```
+
+## 🚀 Quick Start
+
+### Command Line
+
+```bash
+# Scan current directory for API_KEY usage
+token-analyzer API_KEY
+
+# Scan specific directory
+token-analyzer API_KEY ./my-project
+
+# Quick scan (1k files, 5s timeout)
+token-analyzer API_KEY ./my-project --fast
+
+# Thorough scan (includes hidden files)
+token-analyzer API_KEY ./my-project --thorough
+
+# JSON output for CI/CD integration
+token-analyzer API_KEY ./my-project --json
+```
+
+### As a Library
+
+```rust
+use token_analyzer::{TokenSecurityAnalyzer, AnalyzerConfig};
+use std::path::PathBuf;
+
+let analyzer = TokenSecurityAnalyzer::new(AnalyzerConfig::default());
+let report = analyzer.analyze("API_KEY", &PathBuf::from("./my-project"))?;
+
+println!("Found {} calls in {} files", report.total_calls, report.files.len());
+println!("Risk score: {} (critical files: {})", report.total_risk_score, report.critical_files);
+
+for file in report.exposed_files() {
+    println!("⚠️  {} - {:?}", file.path.display(), file.risk_level);
+    for exposure in &file.exposures {
+        println!("   Line {}: {}", exposure.line, exposure.exposure_type);
+    }
+}
+```
+
+## 📊 Example Output
+
+```
+╭─────────────────────────────────────────────────────────────╮
+│  🔐 Token Security Analysis Report                          │
+╰─────────────────────────────────────────────────────────────╯
+
+  Token:     API_KEY
+  Directory: ./my-project
+  Duration:  7.63ms
+  Files:     5 scanned
+
+╭─────────────────────────────────────────────────────────────╮
+│  📊 Summary                                                  │
+╰─────────────────────────────────────────────────────────────╯
+
+  Total calls:  10 in 5 files
+  Risk score:   19 (critical files: 1)
+  ⚠️  EXPOSED:   3 files with potential plaintext exposure!
+
+╭─────────────────────────────────────────────────────────────╮
+│  📁 Files                                                    │
+╰─────────────────────────────────────────────────────────────╯
+
+🔴 ⚠️  .env (1 calls, score: 4) [L5: Known prefix: OpenAI API Key]
+🟠 ⚠️  docker-compose.yml (2 calls, score: 6) [L10: High entropy]
+🟢 ⚠️  dangerous_code.js (3 calls, score: 3) [L2: Hardcoded, L5: Logged]
+🟢     safe_code.py (3 calls, score: 3)
+🟠     config.yml (1 calls, score: 3)
+```
+
+## 🎯 Risk Levels
+
+| Level | Icon | Description | Examples |
+|-------|------|-------------|----------|
+| Critical | 🔴 | Environment & secrets files | `.env`, `secrets.yml`, `*.pem`, `*.key` |
+| High | 🟠 | Infrastructure configs | `docker-compose.yml`, `terraform.tfvars`, `k8s/` |
+| Medium | 🟡 | Configuration files | `*.yml`, `*.toml`, `*.ini` |
+| Low | 🟢 | Regular source code | `*.py`, `*.js`, `*.rs` |
+
+## 🏷️ Known Token Prefixes
+
+Token Analyzer automatically detects secrets from popular services:
+
+| Service | Prefix | Description |
+|---------|--------|-------------|
+| GitHub | `ghp_`, `gho_`, `ghs_` | Personal, OAuth, Server tokens |
+| AWS | `AKIA`, `ASIA` | Access Key IDs |
+| OpenAI | `sk-` | API Keys |
+| Slack | `xoxb-`, `xoxp-` | Bot & User tokens |
+| Stripe | `sk_live_`, `sk_test_` | Secret Keys |
+| Google | `AIza` | API Keys |
+| Hugging Face | `hf_` | Access Tokens |
+| And 20+ more... | | |
+
+## 🔍 Detection Patterns
+
+### Dangerous Patterns Detected
+
+- **Hardcoded values**: `API_KEY = "sk-xxx..."`
+- **Print statements**: `print(API_KEY)`, `console.log(API_KEY)`
+- **Logging**: `logger.debug(f"Key: {API_KEY}")`
+- **Format strings**: `f"Using {API_KEY}"`, `format!("{}", API_KEY)`
+
+### Safe Patterns (Not Flagged)
+
+- Environment reads: `os.environ.get("API_KEY")`
+- Process env: `process.env.API_KEY`
+- Rust env: `std::env::var("API_KEY")`
+- Variable references: `${API_KEY}`
+
+## 🔧 CLI Options
+
+```
+USAGE:
+    token-analyzer <TOKEN_NAME> [DIRECTORY] [OPTIONS]
+
+OPTIONS:
+    -f, --fast       Quick scan (1k files, 5s timeout)
+    -t, --thorough   Complete scan (unlimited files, includes hidden)
+    -j, --json       Output results as JSON
+    -v, --verbose    Show progress and debug info
+    --hidden         Include hidden files
+    --follow-links   Follow symbolic links
+    --timeout=MS     Set timeout in milliseconds (default: 30000)
+    --max-files=N    Maximum files to scan (default: 10000, 0=unlimited)
+
+EXIT CODES:
+    0    No security issues found
+    1    Error occurred
+    2    Security issues detected
+```
+
+## 🔗 Related Projects
+
+- **[lazy-locker](https://github.com/WillIsback/lazy-locker)** - Secure TUI secret manager that uses token-analyzer for security audits. Replace your `.env` files with an encrypted vault!
+
+## 📄 License
+
+MIT License - see [LICENSE](LICENSE) for details.
+
+## 🙏 Acknowledgments
+
+- Developed with assistance from **Claude Opus 4.5** (Anthropic) - AI pair programming was used ethically to accelerate development while maintaining code quality and security best practices
+
+## 🤝 Contributing
+
+Contributions are welcome! Please feel free to submit a Pull Request.
+
+1. Fork the repository
+2. Create your feature branch (`git checkout -b feature/amazing-feature`)
+3. Commit your changes (`git commit -m 'Add amazing feature'`)
+4. Push to the branch (`git push origin feature/amazing-feature`)
+5. Open a Pull Request
+
+---
+
+ Made with ❤️ and 🦀 by [WillIsback](https://github.com/WillIsback)

examples/demo_project/.example.env

@@ -0,0 +1,18 @@
+# ⚠️ DEMO FILE - Contains fake secrets for testing purposes
+# Never commit real .env files to version control!
+
+# This will be detected as "Known prefix: OpenAI API Key"
+API_KEY="sk-1234567890abcdefghijklmnopqrstuvwxyz"
+
+# This would also be detected
+DATABASE_URL="postgresql://admin:supersecretpassword@localhost:5432/mydb"
+
+# Hugging Face token (known prefix)
+HF_TOKEN="hf_abcdefghijklmnopqrstuvwxyz123456"
+
+# AWS credentials (known prefix AKIA)
+AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+
+# GitHub token (known prefix ghp_)
+GITHUB_TOKEN="ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"