PasteShield's ~200 pattern library is only accessible inside VS Code. A secret that slips past paste-time — committed via another editor, pasted in a terminal, or introduced by an AI code generator — has no coverage. The same patterns that power the extension could be wrapped in a Node CLI, making PasteShield a full dev-to-deploy security story.
Problem
The current scope of PasteShield is paste-time prevention only. This is valuable, but it leaves a gap:
- Developers using Cursor, Neovim, or JetBrains have no coverage at all
- AI-generated code introduced via agent tools (Copilot Agent, Claude Code) bypasses paste entirely
- Enterprise teams can't enforce PasteShield's patterns in CI/CD without a separate tool like Gitleaks
The README already positions PasteShield and Gitleaks as complementary. A CLI would let PasteShield own the "during development in any editor" layer, not just VS Code paste events.
Proposed solution
Scope:
- Extract the pattern engine into a standalone pasteshield-core npm package:
    npm install -D pasteshield-core
- Build a thin CLI wrapper:
    npx pasteshield scan src/**/*.ts --severity medium --format json
    npx pasteshield scan --diff HEAD~1 # scan only changed lines
    npx pasteshield scan --policy .pasteshield-policy.json
- Publish a pasteshield-action GitHub Action:
    - name: PasteShield scan
      uses: sidkr222003/pasteshield-action@v1
      with:
        severity: high
        policy: .pasteshield-policy.json
        fail-on: critical
- Update the README to position PasteShield as paste-time + CI/CD:
  "PasteShield catches secrets at paste time in VS Code and in every PR via the GitHub Action — same patterns, from paste to production."
Acceptance criteria
- pasteshield-core package published to npm with the full pattern engine
- scan <glob>, --severity, --format json|text, --policy flags
- --diff mode scans only lines changed since a given git ref
- 1 on detections above threshold (for CI fail-fast)
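The --diff mode and fail-on exit status proposed above, as an added sketch that is not part of the issue or PasteShield's code: it scans only the added lines of git diff output and reports new-file line numbers. The function names, the two patterns and the sample diff are assumptions constructed for illustration.

```javascript
// Added illustration, not PasteShield code; all names here are hypothetical.
const SEVERITY = { low: 0, medium: 1, high: 2, critical: 3 };

// Two constructed stand-in patterns (assumption: not PasteShield's library).
const PATTERNS = [
  { id: 'aws-access-key-id', severity: 'critical', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { id: 'password-assignment', severity: 'medium', re: /password\s*[:=]\s*['"][^'"]{8,}['"]/i },
];

// Walk `git diff` output, testing only added lines and tracking new-file line numbers.
function scanDiff(diffText, minSeverity = 'low') {
  const findings = [];
  let file = null, line = 0, inHunk = false;
  for (const raw of diffText.split('\n')) {
    if (raw.startsWith('diff --git ')) { inHunk = false; continue; }
    if (!inHunk && raw.startsWith('+++ ')) { file = raw.slice(4).replace(/^b\//, ''); continue; }
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (hunk) { line = Number(hunk[1]); inHunk = true; continue; }
    if (!inHunk) continue;
    if (raw.startsWith('+')) {
      for (const p of PATTERNS) {
        if (SEVERITY[p.severity] >= SEVERITY[minSeverity] && p.re.test(raw.slice(1))) {
          findings.push({ file, line, id: p.id, severity: p.severity });
        }
      }
      line++;
    } else if (raw.startsWith(' ')) line++; // context lines exist in the new file; '-' lines do not
  }
  return findings;
}

// CI fail-fast: exit status 1 when any finding is at or above the fail-on level.
function exitCode(findings, failOn = 'critical') {
  return findings.some((f) => SEVERITY[f.severity] >= SEVERITY[failOn]) ? 1 : 0;
}

// Constructed sample diff; the key is AWS's documented example ID, not a live secret.
const SAMPLE_DIFF = [
  'diff --git a/src/config.ts b/src/config.ts',
  '--- a/src/config.ts',
  '+++ b/src/config.ts',
  '@@ -10,3 +10,4 @@ export const config = {',
  "   region: 'us-east-1',",
  '-  accessKeyId: process.env.AWS_KEY,',
  "+  accessKeyId: 'AKIAIOSFODNN7EXAMPLE',",
  "+  password: 'hunter2-hunter2',",
  '   timeout: 3000,',
].join('\n');
console.log(scanDiff(SAMPLE_DIFF), exitCode(scanDiff(SAMPLE_DIFF)));
```

Removed lines are skipped on purpose: a secret that a change deletes is still in history, which is a job for a full-history scanner rather than a diff gate.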