eslint-plugin-no-secrets

2.3.3 verified Sat Apr 25 auth: no javascript

An ESLint plugin that provides a single rule (`no-secrets`) to detect potential secrets, API keys, tokens, or other sensitive data hardcoded in source code. Version 2.3.3 (stable, maintained as of early 2025) supports Node >=18 and npm >=8. It uses a configurable regex-based pattern matching approach, with a default set of patterns for common secret formats (e.g., AWS keys, GitHub tokens, private keys). Unlike generic secret scanners, it integrates directly into ESLint workflows and supports per-file ignore lists via inline comments. The rule can be tuned by adding custom patterns or adjusting entropy thresholds. Ships TypeScript definitions.

error ESLint couldn't find the plugin "eslint-plugin-no-secrets".
cause Plugin not installed or not in node_modules.
fix Run `npm install eslint-plugin-no-secrets --save-dev`.

error Definition for rule 'no-secrets/no-secrets' was not found.
cause Plugin not registered in ESLint config.
fix Add 'no-secrets' to plugins array in ESLint config.

error Cannot find module 'eslint-plugin-no-secrets'
cause Missing or wrong import path in flat config.
fix Use `await import('eslint-plugin-no-secrets')` or ensure the package is installed.

gotcha Rule may flag false positives for non-secret strings that match regex patterns (e.g., '12345' as an API key).
fix Tune patterns per project, add violations to ignore list via inline comment `// eslint-disable-next-line no-secrets/no-secrets` or configure `ignore` option in rule settings.

gotcha High-entropy detection can mark random-looking strings (e.g., UUIDs) as secrets.
fix Adjust `entropy` option threshold or add `ignore` patterns to exclude known non-secrets.

gotcha Plugin requires ESLint >=5; older ESLint versions will not work.
fix Upgrade ESLint to version 5 or later.

breaking Version 2.0.0 dropped support for Node <18 and npm <8. Breaking for projects on older runtimes.
fix Upgrade Node to >=18 and npm to >=8.

deprecated The old `.eslintrc`-style configuration using `extends: ['plugin:no-secrets/recommended']` is deprecated in favor of flat config.
fix Switch to flat config format with explicit plugin import and rules declaration.
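
Why a UUID can trip a high-entropy check, and what the two fixes from the high-entropy gotcha do to the result, as an added example (a standalone Shannon-entropy scorer, not the plugin's own code). `shannonEntropy`, `findSuspects`, the threshold of 4 bits per character and the sample strings are assumptions constructed for this illustration.

```javascript
// Added illustration: Shannon-entropy scoring with a threshold and an ignore list.
// All names, the threshold and the sample strings are constructed for this example.

// Shannon entropy in bits per character: 0 for "aaaa", log2(n) for n distinct chars.
function shannonEntropy(str) {
  const chars = Array.from(str);
  if (chars.length === 0) return 0;
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / chars.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Return the strings a threshold-based check would report.
// `ignore` is a list of RegExp; a string matching any of them is skipped first.
function findSuspects(strings, { threshold = 4, ignore = [] } = {}) {
  return strings.filter(
    (s) => !ignore.some((re) => re.test(s)) && shannonEntropy(s) > threshold
  );
}

// Constructed samples: prose, a UUID-shaped identifier, a token-shaped string.
const SAMPLES = [
  'hello world',
  '01234567-89ab-4cde-8f01-23456789abcd',
  'ZxC9vB7nM5aS3dF1gH2jK4lQ6wE8rT0yUiOpLkJh',
];
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

for (const s of SAMPLES) {
  console.log(shannonEntropy(s).toFixed(2), s);
}
// Default threshold: the UUID is reported alongside the token (false positive).
console.log(findSuspects(SAMPLES));
// Option 1: raise the threshold. Option 2: ignore the known-benign shape.
console.log(findSuspects(SAMPLES, { threshold: 4.5 }));
console.log(findSuspects(SAMPLES, { ignore: [UUID_RE] }));
```

Raising the threshold also lets lower-entropy real secrets through, so a narrow ignore pattern for a known-benign shape is usually the smaller loss in coverage.
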
npm install eslint-plugin-no-secrets
yarn add eslint-plugin-no-secrets
pnpm add eslint-plugin-no-secrets

Shows how to enable the `no-secrets` plugin and rule in an ESLint flat config (ESM). Uses dynamic import because the plugin is ESM by default.

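// eslint.config.mjs (flat config, ESM)
// Top-level await is available here because the file is an ES module.
const noSecrets = (await import('eslint-plugin-no-secrets')).default;

export default [
  {
    // Register the plugin under the 'no-secrets' namespace.
    plugins: {
      'no-secrets': noSecrets,
    },
    // Report every finding of the plugin's single rule as an error.
    rules: {
      'no-secrets/no-secrets': 'error',
    },
  },
];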