eslint-plugin-no-secrets
2.3.3 · verified Sat Apr 25 · auth: no · javascript
An ESLint plugin that provides a single rule (`no-secrets`) to detect potential secrets, API keys, tokens, or other sensitive data hardcoded in source code. Version 2.3.3 (stable, maintained as of early 2025) supports Node >=18 and npm >=8. It uses a configurable regex-based pattern matching approach, with a default set of patterns for common secret formats (e.g., AWS keys, GitHub tokens, private keys). Unlike generic secret scanners, it integrates directly into ESLint workflows and supports per-file ignore lists via inline comments. The rule can be tuned by adding custom patterns or adjusting entropy thresholds. Ships TypeScript definitions.
Common errors
error ESLint couldn't find the plugin "eslint-plugin-no-secrets".
cause Plugin not installed or not in node_modules.
fix Run `npm install eslint-plugin-no-secrets --save-dev`.
error Definition for rule 'no-secrets/no-secrets' was not found.
cause Plugin not registered in ESLint config.
fix Add 'no-secrets' to plugins array in ESLint config.
error Cannot find module 'eslint-plugin-no-secrets'
cause Missing or wrong import path in flat config.
fix Use `await import('eslint-plugin-no-secrets')` or ensure the package is installed.
Warnings
gotcha Rule may flag false positives for non-secret strings that match regex patterns (e.g., '12345' as an API key).
fix Tune patterns per project, add violations to ignore list via inline comment `// eslint-disable-next-line no-secrets/no-secrets` or configure `ignore` option in rule settings.
gotcha High-entropy detection can mark random-looking strings (e.g., UUIDs) as secrets.
fix Adjust `entropy` option threshold or add `ignore` patterns to exclude known non-secrets.
gotcha Plugin requires ESLint >=5; older ESLint versions will not work.
fix Upgrade ESLint to version 5 or later.
breaking Version 2.0.0 dropped support for Node <18 and npm <8. Breaking for projects on older runtimes.
fix Upgrade Node to >=18 and npm to >=8.
deprecated The old `.eslintrc`-style configuration using `extends: ['plugin:no-secrets/recommended']` is deprecated in favor of flat config.
fix Switch to flat config format with explicit plugin import and rules declaration.
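The high-entropy gotcha above, worked through as an added example (not the plugin's code; its algorithm and default threshold are not shown on this page): Shannon entropy over constructed strings shows that raising the threshold un-flags a UUID only by a narrow margin, while an ignore pattern excludes it without loosening detection for other strings. `THRESHOLD`, `IGNORE_PATTERNS`, `classify` and every sample string are assumptions made for the illustration.

```javascript
// Added illustration, not the plugin's source. THRESHOLD, IGNORE_PATTERNS and
// every sample string below are constructed/assumed values.
const THRESHOLD = 4.0; // bits per character, assumed
const IGNORE_PATTERNS = [
  // canonical UUID shape, treated here as a known non-secret
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,
];

// Shannon entropy in bits per character: H = -sum(p_i * log2(p_i)).
function shannonEntropy(text) {
  const chars = [...text];
  if (chars.length === 0) return 0;
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / chars.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// 'ignored' if an allowlist pattern matches, 'flagged' above the threshold,
// otherwise 'ok'. The allowlist is consulted first, so it wins over entropy.
function classify(text, { threshold = THRESHOLD, ignore = IGNORE_PATTERNS } = {}) {
  if (ignore.some((re) => re.test(text))) return 'ignored';
  return shannonEntropy(text) > threshold ? 'flagged' : 'ok';
}

// Constructed samples.
const SAMPLE_UUID = '3f2b8c1e-7a4d-4e9b-a6c5-0d1f2e3a4b5c'; // ~3.95 bits/char
const SAMPLE_TOKEN = 'Zq7Lw2Xc9Vb4Nm6Kp1Rt8Yh3Jd5Gf0Ts'; // 32 distinct chars
const SAMPLE_TEXT = 'hello world';

// Classify each sample under three tunings so the trade-off is visible.
function report() {
  return [SAMPLE_UUID, SAMPLE_TOKEN, SAMPLE_TEXT].map((s) => ({
    sample: s,
    entropy: Number(shannonEntropy(s).toFixed(3)),
    lowThreshold: classify(s, { threshold: 3.5, ignore: [] }),
    highThreshold: classify(s, { threshold: 4.0, ignore: [] }),
    lowWithIgnore: classify(s, { threshold: 3.5 }),
  }));
}

console.table(report());
```

The sample UUID sits just under the 4.0 cut-off, so a threshold change alone is fragile; the pattern-based exclusion does not depend on a string's character distribution.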
Install
npm install eslint-plugin-no-secrets
yarn add eslint-plugin-no-secrets
pnpm add eslint-plugin-no-secrets
Imports
- default
  wrong: `const noSecrets = require('eslint-plugin-no-secrets');`
  correct: `import noSecrets from 'eslint-plugin-no-secrets';`
- rules
  wrong: `const { rules } = require('eslint-plugin-no-secrets');`
  correct: `import { rules } from 'eslint-plugin-no-secrets';`
- configs
  `import { configs } from 'eslint-plugin-no-secrets';`
Quickstart
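// eslint.config.js (flat config, ESM)
export default {
  plugins: {
    // Register the plugin object under the 'no-secrets' namespace.
    'no-secrets': (await import('eslint-plugin-no-secrets')).default
  },
  rules: {
    // Report every string the rule considers a potential secret as an error.
    'no-secrets/no-secrets': 'error',
  },
};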