Chrilleweb · Chrilleweb · Dec 13, 2025 · Dec 13, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,10 @@ This project follows [Keep a Changelog](https://keepachangelog.com/) and [Semant
 ### Fixed
 - 
 
+## [2.3.11] - 2025-12-13
+### Changed
+- Removed low severity secrets from codebase scanner results, because it made too much noise.
+
 ## [2.3.10] - 2025-12-11
 ### Added
 - More jsDocs for better code documentation.

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "dotenv-diff",
-  "version": "2.3.10",
+  "version": "2.3.11",
   "type": "module",
   "description": "Scan your codebase to find environment variables in use.",
   "bin": {

diff --git a/src/services/codeBaseScanner.ts b/src/services/codeBaseScanner.ts
@@ -34,7 +34,10 @@ export async function scanCodebase(opts: ScanOptions): Promise<ScanResult> {
       if (opts.secrets) {
         try {
           const relativePath = path.relative(opts.cwd, filePath);
-          const sec = detectSecretsInSource(relativePath, content, opts);
+          const sec = detectSecretsInSource(relativePath, content, opts).filter(
+            (s) => s.severity !== 'low',
+          );
+
           if (sec.length) allSecrets.push(...sec);
         } catch {
           // Ignore secret detection errors

diff --git a/test/e2e/cli.secrets.e2e.test.ts b/test/e2e/cli.secrets.e2e.test.ts
@@ -231,48 +231,6 @@ describe('secrets detection (default scan mode)', () => {
     expect(res.status).toBe(0);
     expect(res.stdout).not.toContain('Potential secrets detected in codebase:');
   });
-  it('should warn about using https URLs in codebase', () => {
-    const cwd = tmpDir();
-
-    fs.writeFileSync(path.join(cwd, '.env'), 'DUMMY=\n');
-    fs.mkdirSync(path.join(cwd, 'src'), { recursive: true });
-    fs.writeFileSync(
-      path.join(cwd, 'src', 'index.ts'),
-      `
-      const service = 'https://hello.com';
-      const service2 = "https://hello.com/api";
-      const service3 = \`https://hello.com/path\`;
-
-      console.log(service, service2, service3);
-    `.trimStart(),
-    );
-
-    const res = runCli(cwd, []);
-    expect(res.status).toBe(0);
-    expect(res.stdout).toContain('Potential secrets detected in codebase:');
-        expect(res.stdout).toContain('HTTPS URL detected');
-  });
-    it('should warn about using http URLs in codebase', () => {
-    const cwd = tmpDir();
-
-    fs.writeFileSync(path.join(cwd, '.env'), 'DUMMY=\n');
-    fs.mkdirSync(path.join(cwd, 'src'), { recursive: true });
-    fs.writeFileSync(
-      path.join(cwd, 'src', 'index.ts'),
-      `
-      const service = 'http://hello.com';
-      const service2 = "http://thisIsASecret.com/api";
-      const service3 = \`http://yes.com/path\`;
-
-      console.log(service, service2, service3);
-    `.trimStart(),
-    );
-
-    const res = runCli(cwd, []);
-    expect(res.status).toBe(0);
-    expect(res.stdout).toContain('Potential secrets detected in codebase:');
-    expect(res.stdout).toContain('HTTP URL detected');
-  });
   it('should not give warning on SVG content', () => {
     const cwd = tmpDir();
 
@@ -312,45 +270,4 @@ describe('secrets detection (default scan mode)', () => {
     expect(res.status).toBe(0);
     expect(res.stdout).not.toContain('Potential secrets detected in codebase:');
   });
-  it('should ignore warnings with dotenv-diff-ignore comments', () => {
-    const cwd = tmpDir();
-
-    fs.writeFileSync(path.join(cwd, '.env'), 'DUMMY=\n');
-    fs.mkdirSync(path.join(cwd, 'src'), { recursive: true });
-    fs.writeFileSync(
-      path.join(cwd, 'src', 'index.ts'),
-      `
-      // These should be flagged normally
-      const service1 = 'https://shouldwarn.com';
-      const secret1 = "sk_live_abcdefghijklmnopqrstuvwx";
-
-      // These should be ignored with comments
-      const service2 = 'https://exdfdfdfdfdfe.com'; // dotenv-diff-ignore
-      const service3 = "https://ignored.com/api" /* dotenv-diff-ignore */;
-      const secret2 = "sk_live_ignoredtoken123"; // dotenv-diff-ignore
-      const apiKey = 'AKIA1234567890IGNORE' /* dotenv-diff-ignore */;
-
-      // Also test high entropy strings
-      const ignoredEntropy = "highEntropyButIgnored987654321fedcba"; // dotenv-diff-ignore
-
-      console.log(service1, service2, service3, secret1, secret2, apiKey, ignoredEntropy);
-    `.trimStart(),
-    );
-
-    const res = runCli(cwd, []);
-    expect(res.status).toBe(1);
-    expect(res.stdout).toContain('Potential secrets detected in codebase:');
-
-    // Should warn about the non-ignored ones
-    expect(res.stdout).toContain('HIGH');
-    expect(res.stdout).toContain('shouldwarn.com');
-    expect(res.stdout).toContain('sk_live_abcdefghijklmnopqrstuvwx');
-
-    // Should NOT warn about the ignored ones
-    expect(res.stdout).not.toContain('exdfdfdfdfdfe.com');
-    expect(res.stdout).not.toContain('ignored.com');
-    expect(res.stdout).not.toContain('sk_live_ignoredtoken123');
-    expect(res.stdout).not.toContain('AKIA1234567890IGNORE');
-    expect(res.stdout).not.toContain('highEntropyButIgnored987654321fedcba');
-  });
 });