Improve npm detection (#220)

Co-authored-by: Matan Shati <>

detect_secrets/plugins/npm.py

@@ -13,5 +13,8 @@ class NpmDetector(RegexBasedDetector):
     denylist = [
         # npmrc authToken
         # ref. https://stackoverflow.com/questions/53099434/using-auth-tokens-in-npmrc
-        re.compile(r'\/\/.+\/:_authToken=\s*((npm_.+)|([A-Fa-f0-9-]{36})).*'),
+        re.compile(
+            r'(?:npm_[A-Za-z0-9-]{36})|' +
+            r'(?:(?:_authToken|NPM[ _-]?TOKEN)[\s\S]{0,5}?(?:NpmToken\.)?([a-z0-9-]{36}).*)',
+        ),
     ]

tests/plugins/npm_test.py

@@ -11,11 +11,12 @@ class TestNpmDetector:
             ('//registry.npmjs.org/:_authToken=743b294a-cd03-11ec-9d64-0242ac120002', True),
             ('//registry.npmjs.org/:_authToken=346a14f2-a672-4668-a892-956a462ab56e', True),
             ('//registry.npmjs.org/:_authToken= 743b294a-cd03-11ec-9d64-0242ac120002', True),
-            ('//registry.npmjs.org/:_authToken=npm_xxxxxxxxxxx', True),
-            ('//registry.npmjs.org:_authToken=743b294a-cd03-11ec-9d64-0242ac120002', False),
-            ('registry.npmjs.org/:_authToken=743b294a-cd03-11ec-9d64-0242ac120002', False),
-            ('///:_authToken=743b294a-cd03-11ec-9d64-0242ac120002', False),
-            ('_authToken=743b294a-cd03-11ec-9d64-0242ac120002', False),
+            ('//registry.npmjs.org/:_authToken=npm_xxxxxxxxxxx', False),
+            ('//registry.npmjs.org:_authToken=743b294a-cd03-11ec-9d64-0242ac120002', True),
+            ('registry.npmjs.org/:_authToken=743b294a-cd03-11ec-9d64-0242ac120002', True),
+            ('///:_authToken=743b294a-cd03-11ec-9d64-0242ac120002', True),
+            ('_authToken=743b294a-cd03-11ec-9d64-0242ac120002', True),
+            ('"_authToken" = "743b294a-cd03-11ec-9d64-0242ac120002"', True),
             ('foo', False),
             ('//registry.npmjs.org/:_authToken=${NPM_TOKEN}', False),
         ],