
@onboardbase/secure-log

v3.0.0

Published

A better and secure console logging experience.

Downloads

18

Readme

Secure log

A better and more secure console logging experience. Detects and prevents leaking secrets and API tokens into your logs.

Check out other language support: Python

Install

To use SecureLog, install the package:


yarn add @onboardbase/secure-log # npm i @onboardbase/secure-log

Usage

Import the SecureLog library at the top level of your project. If you use any env/secret library (e.g. dotenv) in your project, you should import those before importing SecureLog.


import SecureLog from '@onboardbase/secure-log';
new SecureLog(); // For JS projects, use new SecureLog.default()

console.log('random value'); // Onboardbase Signatures here: random value.

You can then use console.log as usual. The output should include the SecureLog prefix followed by your value.

The SecureLog constructor also accepts an options object.


export default interface IOptions {
  disableOn?: 'development' | 'production'; // Disable the SecureLog library in the given environment
  disableConsoleOn?: 'development' | 'production'; // Disable the console entirely in the given environment
  warnOnly?: boolean; // If true, SecureLog only prints a warning instead of exiting the program when it detects a secret leak
  forceNewInstance?: boolean; // SecureLog maintains a singleton; use this option to refresh the singleton and update its config in the process
  maskLeakedSecrets?: boolean; // Hide the value of a leaked secret so it does not reach the console
  prefix?: string; // Customize the prefix for the logs. Defaults to "Onboardbase Signatures here:"
  globalConsoleObject?: Console; // SecureLog deliberately uses the standard console.log for output; this option sets the console object the library uses internally
}

Example:


new SecureLog({ disableConsoleOn: 'development', warnOnly: true }); // This disables the console in the development environment.
console.log('sensitive secret here'); // This won't be executed.

If a secret is detected in a log message, SecureLog can either issue a warning or exit the process, depending on the warnOnly option. The default value for warnOnly is false, hence SecureLog will exit the process when it detects a secret leak.

The disableConsoleOn option passed to the SecureLog library will ensure that the console.log statement is not executed.

The disableOn and disableConsoleOn options depend on process.env.NODE_ENV. SecureLog compares the environment given in disableOn or disableConsoleOn with the value of process.env.NODE_ENV to decide when to disable the SecureLog library or the console statements themselves.

The SecureLog library scans the arguments passed to the console.log function to check if any of the ...args inside your console.log function is a potential secret. It does this by comparing the arguments passed to console.log with the values of your current environment: process.env. It throws an error if any potential secret is found.

Example:


console.log('secret', process.env.AWS_ACCESS_KEY_ID); // Onboardbase Signatures here: ************ is a valid secret for the key: AWS_ACCESS_KEY_ID

This will throw a warning if an actual AWS_ACCESS_KEY_ID is found in the process.env to notify the user that they are logging a potential secret.
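The value-matching check described above, together with the warnOnly and maskLeakedSecrets behaviours, written out as an added example; this is not the library's own code. The function names, the MIN_SECRET_LENGTH cutoff, throwing instead of exiting the process, and the sample environment are all assumptions made for the illustration.

```javascript
// Added illustration of value-based leak detection; NOT @onboardbase/secure-log's source.
const MIN_SECRET_LENGTH = 5; // assumption: ignore short env values such as PORT=9200

// Collect candidate secret values from an environment-like object.
function secretValues(env) {
  return Object.values(env)
    .filter((v) => typeof v === 'string' && v.length >= MIN_SECRET_LENGTH)
    .sort((a, b) => b.length - a.length); // longest first so overlapping values mask fully
}

// Replace every occurrence of each secret with same-length asterisks,
// walking strings, arrays and plain objects recursively (no cycle handling).
function mask(data, secrets) {
  if (typeof data === 'string') {
    return secrets.reduce((s, v) => s.split(v).join('*'.repeat(v.length)), data);
  }
  if (Array.isArray(data)) return data.map((item) => mask(item, secrets));
  if (data !== null && typeof data === 'object' && Object.getPrototypeOf(data) === Object.prototype) {
    return Object.fromEntries(Object.entries(data).map(([k, v]) => [k, mask(v, secrets)]));
  }
  return data; // numbers, booleans, class instances pass through untouched
}

// True when masking would change the data, i.e. a secret value is present.
function containsSecret(data, secrets) {
  return JSON.stringify(mask(data, secrets)) !== JSON.stringify(data);
}

// Wrap a console-like object: log() throws on a leak unless warnOnly is set,
// and masks the arguments before they reach the real sink.
function guardConsole(target, env, { warnOnly = false, maskLeaks = true } = {}) {
  const original = target.log.bind(target);
  target.log = (...args) => {
    const secrets = secretValues(env); // re-read so late-loaded env values are covered
    if (containsSecret(args, secrets)) {
      if (!warnOnly) throw new Error('potential secret in log arguments');
      original('warning: potential secret in log arguments');
    }
    original(...(maskLeaks ? mask(args, secrets) : args));
  };
  return target;
}

// Constructed sample environment and a fake console that records what it receives.
const sampleEnv = { PORT: '9200', NODE_ENV: 'development', API_TOKEN: 'tok_constructed_123' };
const lines = [];
const fakeConsole = guardConsole({ log: (...a) => lines.push(a) }, sampleEnv, { warnOnly: true });
fakeConsole.log('asd 9200 asd development', { nested: { token: 'tok_constructed_123' } });
console.log(lines);
```

Because matching is by value, any sufficiently long environment value is treated as a secret, which is why a word like "development" is masked when it is the value of NODE_ENV.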

Example: React App


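<head>
  <!-- Load the library first; inline code inside a script tag that has a src attribute is ignored by browsers -->
  <script src="https://cdn.jsdelivr.net/npm/@onboardbase/secure-log/dist/index.min.js"></script>
  <script>
    // Initialize SecureLog once the library script above has loaded
    new SecureLog.default()
  </script>
</head>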

Example: Node.js


const express = require('express')
const app = express()
const SecureLog = require('@onboardbase/secure-log')

const port = 3000
// In plain JS (require) projects the class is exposed on .default
new SecureLog.default()

app.get('/', (req, res) => {
  res.send('Hello World!')
})

app.listen(port, () => {
  console.log(`Example app listening on port ${port}`)
})

Supported console methods

The SecureLog library currently only supports these console methods:

  • console.log, console.clear, console.warn, console.profileEnd, console.debug, console.info, console.error, console.table

API

createSecureConsolaReporter

To securely log with consola, use the createSecureConsolaReporter method to create a reporter.

It exposes a secure log instance with the following config: { warnOnly: true, forceNewInstance: true, maskLeakedSecrets: true }

import { createSecureConsolaReporter } from "@onboardbase/secure-log"
const options: IOptions = {} // override the default config used to initialize secure log instance
const consola = createSecureConsolaReporter(options)
process.env.NODE_ENV = "development"
consola.log("hello there from development") // {"date":"2024-04-12T17:46:07.099Z","args":["hello there from ***********"],"type":"log","level":2,"tag":""}

maskLeakedSecrets(data: any) : any

Mask leaked secrets in a string|array|object.

import { maskSecretLeaks } from "@onboardbase/secure-log"

// mask secrets existing in a predefined array of values
const valuesIn = ['asd']
// *** 9200 *** development
console.log(maskSecretLeaks('asd 9200 asd development', valuesIn));

const secrets = { PORT: '9200', NODE_ENV: 'development' };

process.env = secrets;
// mask secrets in process.env
// asd 9200 asd ***********
console.log(maskSecretLeaks('asd 9200 asd development'));
// { key: [ 'asd 9200 asd ***********' ] }
console.log(maskSecretLeaks({ key: ['asd 9200 asd development'] }));
// [ 'asd 9200 asd ***********' ]
console.log(maskSecretLeaks(['asd 9200 asd development']));
// { nested: { env: '***********' } }
console.log(maskSecretLeaks({ nested: { env: 'development' } }));

validateSecretLeak(data: any): boolean

Validate whether a string|object|array contains secrets.

import { validateSecretLeak } from "@onboardbase/secure-log"

const secrets = { PORT: '9200', NODE_ENV: 'development' };

process.env = secrets;

console.log(validateSecretLeak("development")) // true

Roadmap

Features

  • [ ] AI will scan values passed to console.log and report potentially sensitive logs.