The project name `stoken` means `substitute-token`. It's a code desensitization tool, which can substitute tokens (and other sensitive information) in your code.
If there's a Python environment on your device, you can run this command to install `stoken`:

```
pip install stoken
```

(Perhaps for developers of other languages) You can browse the release page, download `stoken.exe`, and add its path to your system environment variables.

- Here is a demonstration code file, with the suffix `.py`:

  ```python
  # demo.py
  token = "qwertyuiop123456789"
  password = "poiuytrewq987654321"
  print(f"{token=}, {password=}")
  ```

- In the root directory of your project, create `stoken.yaml` and edit it using YAML syntax.
  - `suffix`: the suffixes of the files you want to detect. Don't forget there's a `.` before each suffix.
  - `token`: the sensitive data you want to substitute.

  ```yaml
  suffix:
    - .py
    - .js
  token:
    SECRET_TOKEN: qwertyuiop123456789
    MY_PASSWORD: poiuytrewq987654321
  ```

- Run `stoken --mode hide`, or run `stoken` directly with the default parameter `--mode auto`, and the tokens will be substituted.

  ```python
  # demo.py
  token = "#{{SECRET_TOKEN}}#"
  password = "#{{MY_PASSWORD}}#"
  print(f"{token=}, {password=}")
  ```

- Run `stoken --mode restore`, or run `stoken` directly with the default parameter `--mode auto`, and the tokens will be restored.

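The hide and restore steps above, sketched as an added example (not stoken's own code): plain string substitution with the default `#{{` / `}}#` delimiters, plus a check that reports any configured value still present in files with a watched suffix. The function names `hide`, `restore`, `find_leaks` and `demo` are hypothetical, and the configuration is embedded as a dict rather than read from `stoken.yaml`.

```python
import tempfile
from pathlib import Path

# Constructed sample values, mirroring the stoken.yaml shown above.
SUFFIXES = [".py", ".js"]
TOKENS = {"SECRET_TOKEN": "qwertyuiop123456789",
          "MY_PASSWORD": "poiuytrewq987654321"}
PREFIX, SUFFIX = "#{{", "}}#"  # default placeholder delimiters

def hide(text, tokens=TOKENS):
    """Replace each value with its placeholder, longest value first (overlap-safe)."""
    for name, value in sorted(tokens.items(), key=lambda kv: -len(kv[1])):
        text = text.replace(value, f"{PREFIX}{name}{SUFFIX}")
    return text

def restore(text, tokens=TOKENS):
    """Inverse of hide(): put the real values back in place of placeholders."""
    for name, value in tokens.items():
        text = text.replace(f"{PREFIX}{name}{SUFFIX}", value)
    return text

def find_leaks(root, suffixes=SUFFIXES, tokens=TOKENS, encoding="utf-8"):
    """Return (relative path, line number, token name) for each raw value found."""
    leaks = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix not in suffixes:
            continue
        lines = path.read_text(encoding=encoding, errors="replace").splitlines()
        for lineno, line in enumerate(lines, start=1):
            for name, value in tokens.items():
                if value in line:
                    leaks.append((path.relative_to(root).as_posix(), lineno, name))
    return leaks

def demo():
    """Write the demo.py from above to a temp dir; scan before and after hiding."""
    src = 'token = "qwertyuiop123456789"\npassword = "poiuytrewq987654321"\n'
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "demo.py"
        target.write_text(src, encoding="utf-8")
        before = find_leaks(tmp)
        target.write_text(hide(src), encoding="utf-8")
        return before, find_leaks(tmp), target.read_text(encoding="utf-8")

if __name__ == "__main__":
    print(demo())
```

A check like `find_leaks` fits a pre-commit hook that fails when it returns anything. `stoken.yaml` itself holds the real values in plaintext, so it needs to stay out of version control.
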
`stoken --help`

| options | description |
|---|---|
| `--mode` | The mode of operation. Default: `auto` |
| `-e`, `--encoding` | The encoding used to decode the file. Default: `utf-8` |
| `-p`, `--variable-prefix` | The prefix of variable placeholder. Default: `#{{` |
| `-s`, `--variable-suffix` | The suffix of variable placeholder. Default: `}}#` |
| `--debug` | Activate this option to enter debug mode; as a result, stoken won't modify files, only detect tokens. |
| `--no-git` | By default, the program will detect if there is a git directory, and if so, it will ignore the files in `.gitignore`. Activate this option to detect all the files. |
| `-v`, `--version` | |
| `--help` | Show this message and exit. |