dart_secrets_scanner is a command-line tool designed to scan Dart and related files in Flutter projects for hardcoded sensitive information such as API keys, tokens, passwords, and other credentials.
The tool also supports excluding common non-sensitive variables and paths to avoid false positives.
- Detects hardcoded credentials, API keys, access tokens, and passwords across multiple file types (Dart, YAML, JSON, etc.).
- Supports alphanumeric detection to identify credentials-like patterns (combination of letters, digits, and special characters).
- Recursive scanning through subdirectories, excluding test and build-related files.
Clone or add the package to your Dart or Flutter project:
- Add it to your Flutter project dependencies:
dart_secrets_scanner: 1.0.6
- Get the package dependencies:
dart pub get
To run the credentials scanner in your project directory, use:
dart run dart_secrets_scannerThe scanner will identify potential hardcoded sensitive information, flagging the variable name, value, file path, and location (line number).
Found hardcoded variable: "_proxyKeySH" with value: "hbaOakd831bDlJfy6" in /path/to/file.dart:42
Found hardcoded variable: "kUserID" with value: "user12345" in /path/to/file.dart:44
The package will scan for:
- Sensitive Variables: Alphanumeric variables with names like
password,apikey,token,secret, etc. - Hardcoded Credentials: Variables containing both letters and numbers, generally with a minimum length of 8-16 characters.
The tool excludes common non-sensitive variables such as:
- Short strings or labels that are unlikely to be credentials.
If certain variables or paths need to be excluded, you can modify the exclusion pattern directly in the code by editing the variableNameExclusionPattern.
Feel free to open an issue or contribute to this repository if you'd like to add new features or improve the existing ones.
This project is licensed under the MIT License.