
Conversation

darklotuskdb (Author) commented Jun 26, 2025

I am submitting a new Plugin Package

Repository URL

https://github.com/darklotuskdb/secret-detector

Link to my plugin package:

Release Checklist

  • I have tested the plugin on
    • Windows
    • macOS
    • Linux
  • My GitHub release contains all required files
    • plugin_package.zip
    • plugin_package.zip.sig
  • GitHub Tag name matches the exact version number specified in my manifest.json
  • The id in my manifest.json matches the id in the plugin_packages.json file.
  • My README.md describes the plugin package purpose and provides clear usage instructions.
  • I have read the developer policy at https://developer.caido.io/policy.html, and have assessed my plugin package adherence to this policy.
  • I have added a license in the LICENSE file and it matches the license field in the plugin_packages.json file.
  • My project respects and is compatible with the original license of any third-party code that I'm using. I have given proper attribution to these other projects in my README.md and/or LICENSE.

@darklotuskdb darklotuskdb requested a review from Sytten as a code owner June 26, 2025 06:56
Sytten (Member) commented Jun 26, 2025

Hi! Thanks for the contribution :)

A few notes:

darklotuskdb (Author) commented

Hi Sytten!
Thanks again for the feedback and the helpful pointers.

I've now made the recommended improvements to the plugin:

Frontend UI added – Users can now select specific rules or sets of rules they want to scan for, addressing the flexibility you mentioned.

Backend improved – I’ve also updated the response body handling to use response.getBody()?.toText() for better consistency and reliability.

You can check out the updated plugin here:
🔗 GitHub: https://github.com/darklotuskdb/secret-detector
📦 Release: https://github.com/darklotuskdb/secret-detector/releases/tag/1.0.0

Looking forward to any further suggestions or improvements you’d like to see!

Best regards,
Kamaldeep (DarkLotusKDB)

Sytten (Member) commented Jul 1, 2025

@darklotuskdb

  • Can you make sure not to commit dist and node_modules to GitHub? This is not a good practice.
  • Unsure what _backup_original is
  • Instead of using GitHub links like https://raw.githubusercontent.com/darklotuskdb/secret-detector/main/keywords/high.txt, you can package the files directly in the plugin (https://developer.caido.io/guides/components/files.html)
  • Calling buildFlexibleRegex and rebuilding a regex on every request will be extremely CPU intensive; ideally we should build them once and store them in memory if they don't change
  • Also, in the spirit of user experience, I would consider doing one finding for all secrets found, so you can check if the dedupe key for that host/path combination has already been processed and not re-process it. This could be an option to toggle (lower CPU but one finding per request, higher CPU but one finding per secret value).

darklotuskdb (Author) commented

Hi @Sytten ,
Thanks again for the feedback. I made the changes as you suggested.

Update package URL: https://github.com/darklotuskdb/secret-detector/releases/tag/1.0.1

Please check and let me know if anything else is needed.
Thanks!

darklotuskdb (Author) commented

Hi @Sytten,

Any update on this?

Thank you

Sytten (Member) commented Jul 15, 2025

Hey! Sorry I was on vacation, just got back and will look at it this week @darklotuskdb

Sytten (Member) commented Jul 22, 2025

Hey sorry for the delay. @darklotuskdb

  • Can you make sure not to commit dist and node_modules to GitHub? This is not a good practice. You need to add a .gitignore and remove the files committed.
  • Ideally this should follow the Caido theme; unsure why the background is all white. I can ask the team for help on that.

Otherwise this looks like a good improvement.

darklotuskdb (Author) commented

Hi @Sytten ,

Thank you for the feedback, and apologies for missing that earlier.

I’ve now updated the .gitignore file to ensure all dist and node_modules folders (including nested ones) are properly ignored, and I’ve removed the previously committed directories from the repository.

Please feel free to make any changes or improvements before publishing the plugin, I’d truly appreciate it, as it will help me learn and improve. If there’s any opportunity for future collaboration to make this plugin even better, I’d be more than happy to contribute.

Thanks again!

Rhynorater (Contributor) commented

I just took this for a drive and have a couple of pieces of feedback:

  • bg-white needs to be removed
  • There needs to be some way to remove the default settings for the regex ("credentials:" is way too noisy because of credentials:'include' in fetch.)
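
Sytten's Jul 1 notes (compile the regexes once and keep them in memory; dedupe by host/path with a toggle between one finding per request and one finding per secret value) and Rhynorater's request for a way to drop the noisy "credentials:" default can be shown together in one sketch. The code below is an added example written for this page, not the secret-detector plugin's code and not the Caido SDK: the rule ids and patterns, the scanResponse()/disableRule() signatures and the sample body are assumptions, and the Caido-specific wiring (the response event handler and finding creation) is left out.

```javascript
// Added example (not secret-detector's code, not the Caido SDK). Demonstrates:
//   1. regex rules compiled once and reused until the enabled rule set changes,
//   2. a user-facing way to switch off a noisy default rule,
//   3. dedupe by host/path (cheap: one finding per request, repeats skipped
//      without any regex work) or by host/path/rule/value (one finding per secret).
// Rule ids, patterns and function signatures are assumptions for illustration.

const DEFAULT_RULES = [
  { id: "aws-access-key", pattern: "AKIA[0-9A-Z]{16}", enabled: true },
  // The rule flagged as noisy: it fires on fetch(url, {credentials:'include'}).
  { id: "generic-credentials", pattern: "credentials\\s*:\\s*['\"][^'\"]+['\"]", enabled: true },
  { id: "bearer-token", pattern: "Bearer\\s+[A-Za-z0-9\\-._~+/]+=*", enabled: true },
];

// Copy of the rule list with one rule switched off (the "remove a default" control).
function disableRule(rules, id) {
  return rules.map((r) => (r.id === id ? { ...r, enabled: false } : r));
}

// Compiled-regex cache keyed by the enabled rule set: new RegExp() runs when the
// configuration changes, not once per intercepted response.
let compiledCache = { key: null, rules: [] };

function compileRules(rules) {
  const enabled = rules.filter((r) => r.enabled);
  const key = JSON.stringify(enabled.map((r) => [r.id, r.pattern]));
  if (compiledCache.key !== key) {
    compiledCache = {
      key,
      rules: enabled.map((r) => ({ id: r.id, re: new RegExp(r.pattern, "g") })),
    };
  }
  return compiledCache.rules;
}

// Dedupe state: "host|path" keys in per-request mode,
// "host|path|rule|value" keys in per-secret mode.
const seen = new Set();
function resetState() { seen.clear(); }

// Scan one response body. Returns findings shaped { host, path, matches: [{ rule, value }] }.
//   perSecret=false: a host/path seen before is skipped entirely; otherwise one
//                    finding carrying every match in the body.
//   perSecret=true : always scan; one finding per (rule, value) not reported before.
function scanResponse({ host, path, body }, { rules = DEFAULT_RULES, perSecret = false } = {}) {
  const requestKey = `${host}|${path}`;
  if (!perSecret && seen.has(requestKey)) return [];

  const findings = [];
  const matches = [];
  for (const { id, re } of compileRules(rules)) {
    // matchAll works on an internal clone, so the cached regex's lastIndex stays 0.
    for (const m of body.matchAll(re)) {
      const hit = { rule: id, value: m[0] };
      if (!perSecret) { matches.push(hit); continue; }
      const secretKey = `${requestKey}|${id}|${m[0]}`;
      if (seen.has(secretKey)) continue;
      seen.add(secretKey);
      findings.push({ host, path, matches: [hit] });
    }
  }

  if (!perSecret) {
    seen.add(requestKey);
    if (matches.length > 0) findings.push({ host, path, matches });
  }
  return findings;
}

// Constructed sample body: the credentials:'include' false positive next to the
// AWS documentation's placeholder access key id.
const SAMPLE_BODY =
  "fetch('/api/me', {credentials:'include'}); const k = 'AKIAIOSFODNN7EXAMPLE';";

if (typeof require !== "undefined" && require.main === module) {
  const req = { host: "app.example", path: "/bundle.js", body: SAMPLE_BODY };
  console.log(JSON.stringify(scanResponse(req)));        // both rules fire, one finding
  console.log(JSON.stringify(scanResponse(req)));        // [] : host/path already processed
  const quiet = disableRule(DEFAULT_RULES, "generic-credentials");
  console.log(JSON.stringify(scanResponse({ ...req, path: "/other.js" }, { rules: quiet })));
}
```

In per-request mode a repeated host/path costs one Set lookup and no regex execution, which is the low-CPU setting; per-secret mode still scans every response but reports each distinct value once.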

Sytten (Member) commented Aug 16, 2025

@darklotuskdb Let me know if you still want to work on the plugin, otherwise I can ask some people on the team to improve it.

darklotuskdb (Author) commented

@Sytten Yes, that would be appreciated. Please feel free to ask the team, thank you!
