MemoryLink
CLI tool that prevents secret leaks before they happen.
🔒 100% local. Zero telemetry. Your secrets never leave your machine.
🎯 What is MemoryLink?
MemoryLink scans your code for secrets (API keys, passwords, tokens) and blocks them before commit.
| Protection | What It Does | When |
|---|---|---|
| 🔍 Scan | Detects 127 secret patterns (API keys, passwords, PII) | On demand |
| 🪝 Git Hooks | Warns before you commit/push secrets | Every commit |
| 🚫 CI/CD Block | Blocks PRs with secrets (19 CI platforms) | Every PR |
| 🔐 Quarantine | Encrypts detected secrets (AES-256-GCM) | Automatic |
| 📝 Audit | Tracks all detections with timestamps | Always |
How It Works:
You Code → Git Commit → MemoryLink Scans → ⚠️ Warning (or 🚫 Block)
↓
🔐 Secrets Quarantined
Result: Code confidently without worrying about leaking secrets!
🛠️ Works With
| Category | Supported |
|---|---|
| OS | macOS, Linux, Windows (WSL2) |
| Node.js | v18+ |
| Git | Any project with Git |
| CI/CD | GitHub Actions, GitLab CI, Jenkins, CircleCI, Travis, Buildkite, Azure Pipelines, and 12 more |
Use it with any editor, any language, any framework.
👀 What You'll See
When MemoryLink finds a secret:
┌─────────────────────────────────────────────────────┐
│ ⚠️ WARNING: 2 SECRETS DETECTED │
├─────────────────────────────────────────────────────┤
│ │
│ 🔴 HIGH: AWS Access Key │
│ File: src/config.ts:15 │
│ Found: AKIA************WXYZ │
│ │
│ 🟡 MEDIUM: Generic API Key │
│ File: .env.local:3 │
│ Found: api_key=****...**** │
│ │
├─────────────────────────────────────────────────────┤
│ Mode: INACTIVE (warnings only) │
│ │
│ 💡 To block commits with secrets: │
│ ml mode active │
└─────────────────────────────────────────────────────┘
Modes:
INACTIVE (default): Warns but allows commits ← Good for learning
ACTIVE: Blocks commits with secrets ← Good for teams/CI
📦 Installation
Prerequisites
- Node.js 18+ (install)
- npm or pnpm
- Windows users: WSL2 recommended (install guide)
Install from npm
npm install -g memorylink
Verify Installation
ml --version
🚀 Quick Start (30 seconds)
1. Initialize MemoryLink
cd your-project
ml init
What happens:
- ✅ Scans your entire project for existing secrets
- ✅ Creates .memorylink/ directory
- ✅ Installs Git hooks (pre-commit + pre-push)
- ✅ Updates .gitignore
- 💡 Shows any detected issues
2. That's It! You're Protected
From now on, every git commit and git push is automatically scanned.
🎯 Core Commands
| Command | What It Does |
|---|---|
| ml init | Setup project + install Git hooks |
| ml scan | Find secrets in your project |
| ml gate | Check before commit/push |
| ml mode | Switch active (block) / inactive (warn) |
| ml audit | View security history |
ml scan - Find Secrets
ml scan # Scan entire project
ml scan --path src/ # Scan specific directory
ml scan --json # JSON output for CI/automation (v2.1)
ml doctor - Health Check (v2.1)
ml doctor # Basic health checks
ml doctor --full # Full diagnostics + benchmarks
ml doctor --json # JSON output for automation
ml mode - Switch Protection Level
ml mode # View current mode
ml mode active # Block on secrets (teams/CI)
ml mode inactive # Warn only (default)
ml gate - Manual Check
ml gate --rule block-quarantined # Check project
ml gate --rule block-quarantined --diff # Check staged files only
ml gate --rule block-quarantined --history # Check git history
🔒 6-Layer Protection
Layer 1: On-demand scan → ml scan catches secrets immediately
Layer 2: Pre-commit hook → Blocks before commit (staged files)
Layer 3: Pre-push hook → Blocks before push (full scan)
Layer 4: CI/CD gate → Auto-enforces when running in CI
Layer 5: Quarantine → AES-256-GCM encrypted isolation
Layer 6: Audit trail → Tracks everything with timestamps
💡 Bonus: ml gate --history scans Git history for old leaks!
📊 Active vs Inactive Mode
| Mode | Behavior | Exit Code | Use Case |
|---|---|---|---|
| INACTIVE (default) | ⚠️ Warns but allows | 0 | Local development |
| ACTIVE | ❌ Blocks commit/push | 1 | Production, CI/CD |
Mode Priority
MemoryLink checks these in order (highest to lowest):
1. CLI Flag --mode active / --enforce / --monitor
2. ENV Variable ML_MODE=active / ML_MODE=inactive
3. CI Detection GitHub Actions, GitLab CI, etc. (auto ACTIVE!)
4. Config File .memorylink/config.json
5. Default inactive
One-Time Override
ML_MODE=active git push # Force blocking for this push
ML_MODE=inactive git push # Allow this push (temporary)
git push --no-verify # Emergency bypass (Git built-in)
🎨 127 Secret Patterns
| Category | Examples |
|---|---|
| Cloud | AWS, Azure, GCP, DigitalOcean, Heroku |
| AI/ML | OpenAI, Claude/Anthropic, HuggingFace, Groq, Perplexity, Replicate |
| Payment | Stripe, PayPal, Square, Razorpay, PhonePe, Cashfree |
| Auth | GitHub, GitLab, Slack, Discord, JWT, OAuth, Clerk |
| Database | Supabase, PlanetScale, Turso, Neon, Upstash |
| India | Aadhaar, PAN, GSTIN, UPI, IFSC, Paytm, PhonePe, Instamojo |
| Personal | SSN, Credit Card, Phone, Email |
| Browser | localStorage, sessionStorage, cookies |
🌐 19 CI Platforms Auto-Detected
✅ GitHub Actions ✅ GitLab CI ✅ Jenkins
✅ CircleCI ✅ Travis CI ✅ Buildkite
✅ Azure Pipelines ✅ TeamCity ✅ Bitbucket
✅ Drone CI ✅ AppVeyor ✅ Semaphore
✅ Buddy ✅ Vercel ✅ Netlify
✅ Bitrise ✅ Codeship ✅ Generic CI
CI always enforces ACTIVE mode automatically!
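The precedence order under Mode Priority, together with the CI auto-detection above, written out as an added example (not MemoryLink's own code): the `--enforce`/`--monitor` mapping, the three CI environment variables checked and the `mode` config key are assumptions. Under the listed order a CLI flag or `ML_MODE` outranks CI detection, so the last function reports a CI run whose gate resolves to warn-only.

```javascript
// Added example: models the precedence order listed under Mode Priority.
// Not MemoryLink's source; flag mapping, CI markers and config key are assumptions.
const MODES = new Set(["active", "inactive"]);

// Assumption: --enforce selects active and --monitor selects inactive.
function modeFromArgv(argv) {
  for (let i = 0; i < argv.length; i++) {
    if (argv[i] === "--enforce") return "active";
    if (argv[i] === "--monitor") return "inactive";
    if (argv[i] === "--mode" && MODES.has(argv[i + 1])) return argv[i + 1];
  }
  return null;
}

// Subset of CI markers: CI=true (named in Troubleshooting) plus the
// variables GitHub Actions and GitLab CI set on their runners.
function ciDetected(env) {
  return env.CI === "true" || env.GITHUB_ACTIONS === "true" || env.GITLAB_CI === "true";
}

// Walk the five documented sources from highest to lowest priority.
// config.mode is a hypothetical key standing in for .memorylink/config.json.
function resolveMode({ argv = [], env = {}, config = {} } = {}) {
  const fromFlag = modeFromArgv(argv);
  if (fromFlag) return { mode: fromFlag, source: "cli" };
  if (MODES.has(env.ML_MODE)) return { mode: env.ML_MODE, source: "env" };
  if (ciDetected(env)) return { mode: "active", source: "ci" };
  if (MODES.has(config.mode)) return { mode: config.mode, source: "config" };
  return { mode: "inactive", source: "default" };
}

// Defender's check: a CI run whose gate resolves to warn-only.
function ciGateDowngraded(input) {
  const { mode, source } = resolveMode(input);
  return ciDetected(input.env || {}) && mode === "inactive"
    ? `CI gate is warn-only (set by ${source})`
    : null;
}

// Constructed inputs
const ci = { GITHUB_ACTIONS: "true" };
console.log(resolveMode({ env: ci, config: { mode: "inactive" } }));
console.log(resolveMode({ env: { ...ci, ML_MODE: "inactive" } }));
console.log(ciGateDowngraded({ env: { ...ci, ML_MODE: "inactive" } }));
console.log(ciGateDowngraded({ argv: ["--monitor"], env: { CI: "true" } }));
```

Running the same check against a pipeline's exported variables shows whether a leftover `ML_MODE=inactive` has turned the CI gate into a warning.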
🛠️ CI/CD Setup
GitHub Actions
Add to .github/workflows/memorylink.yml:
name: MemoryLink Gate
# Run the gate on every pull request and push
on: [pull_request, push]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm install -g memorylink
      # The job fails when the gate blocks on a detected secret
      - run: ml gate --rule block-quarantined
Quick Setup Command
ml ci --provider github # Creates the workflow file for you
🚫 Handling False Positives
Option 1: Inline Comment
const API_ENDPOINT = "https://api.example.com"; // ml:ignore
Option 2: Mark as False Positive
ml gate --mark-false <finding-id>
Option 3: Config File
Add to .memorylink/config.json:
{
  "ignores": {
    "values": ["test_key_not_real"],
    "patterns": ["example-api-key"],
    "files": ["tests/**", "docs/**"]
  }
}
📁 Directory Structure
.memorylink/
├── config.json # User preferences
├── records/ # Safe content storage
├── quarantined/ # Encrypted secrets
├── audit/ # Security audit logs
└── falsePositives.json # Ignored findings
🔐 Security Features
| Feature | Implementation |
|---|---|
| Key Location | ~/.memorylink/keys/ (NOT in project!) |
| Encryption | AES-256-GCM (industry standard) |
| Secret Masking | AKIA****MPLE in all output |
| Zero Telemetry | 100% local, no network calls |
| Package Safety | .gitattributes + files field |
🔧 Troubleshooting
| Problem | Quick Fix |
|---|---|
| ml: command not found | npx memorylink or fix PATH |
| Hooks not running | ml hooks --install |
| False positive | Add // ml:ignore comment |
| Mode not changing | Check ml mode output |
| CI not blocking | Verify CI=true is set |
📚 Documentation
- Product Guide - Complete guide with testing & results
- Quick Reference - Cheat sheet
- FAQ - Common questions
- Troubleshooting - Problem solutions
- Patterns - All 127 patterns
- Comparisons - vs other tools
- Threat Model - Security boundaries & design
- Remediation Guide - How to rotate leaked secrets
🤝 Contributing
See CONTRIBUTING.md for guidelines.
📄 License
MIT License - see LICENSE
🙏 Support
- Issues: GitHub Issues
- Discussions: GitHub Discussions
❓ FAQ
Q: Why no MCP integration yet?
MCP (Model Context Protocol) support is planned for v3.0. We're ensuring the core secret detection is bulletproof first.
Q: Does MemoryLink follow security standards?
Yes! MemoryLink follows security best practices aligned with OWASP guidelines. Full OWASP ASI06 compliance documentation is planned for v3.0.
Q: Is it safe to use in enterprise environments?
Absolutely. 100% local operation, zero telemetry, AES-256-GCM encryption, and project-isolated keys make it enterprise-ready.
Q: What makes MemoryLink different from gitleaks?
Better UX (color-coded output), India-specific patterns (Aadhaar, PAN, UPI), zero-config setup, and smart mode switching.
MemoryLink - Protect your secrets from AI leaks 🔒