Secret leak prevention out of the box #33386
eric-burel
started this conversation in
Ideas
Replies: 2 comments
Hi guys, do you think it would make sense to include a secret leak check out-of-the-box in Next.js?
I've tried Gitleaks (VulcanJS/vulcan-next#143), but I am not yet 100% confident in it. I wonder if something similar could be applied specifically to Next.js projects? Or maybe simply an official documentation on the subject?
The difficulty also stems from the dependency on either Go, or Docker to avoid the install, so it takes a few seconds to run just because of the container.
It seems too easy to me to accidentally use a .env.local with some sensitive information, e.g. for temporary testing, accidentally destroying .gitignore or accidentally renaming it, and pushing it to the repo, or even accidentally adding variables for some reason. In my scenario, I temporarily copied a file with env variables in order to get the exact name of a single value, but forgot to remove the pasted code, which also contained a sensitive value...
I see there has been discussion about this recently but focused on a weird use case (#32874); here I am talking about actual developer error, which could be gracefully caught by the framework.
One related scenario I also dread is the accidental leak of getServerSideProps into the client bundle, which could also lead to env variables leaking, but at runtime instead. I know there are unit tests and solid code to handle this, but I'd sleep better with a second layer of security.
I know this isn't specific to Next.js, but maybe your Rust superpowers could help design a nice solution :)

Replies:

- Not built-in, but DMNO's Next.js plugin scans bundled code and outgoing server responses for your actual secret values.
- As does https://varlock.dev - which is a newer iteration of DMNO but is simpler.