Skills
skills/armanzeroeight/fastagent-plugins/secrets-detector

secrets-detector

SKILL.md

Secrets Detector

Quick Start

Scan for secrets using gitleaks:

# Install
brew install gitleaks  # macOS
# or
pip install detect-secrets

# Scan current directory
gitleaks detect --source .

Instructions

Step 1: Choose Detection Tool

Gitleaks (recommended):

gitleaks detect --source . --verbose

detect-secrets:

detect-secrets scan . --all-files

Manual grep patterns:

grep -rn "AKIA[0-9A-Z]{16}" .  # AWS Access Key
grep -rn "ghp_[a-zA-Z0-9]{36}" .  # GitHub Token

Step 2: Scan for Common Patterns

Secret Type Pattern Example
AWS Access Key AKIA[0-9A-Z]{16} AKIAIOSFODNN7EXAMPLE
AWS Secret Key [A-Za-z0-9/+=]{40} wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GitHub Token ghp_[a-zA-Z0-9]{36} ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
GitHub OAuth gho_[a-zA-Z0-9]{36} gho_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Slack Token xox[baprs]-[0-9a-zA-Z-]+ xoxb-123456789-abcdefghij
Private Key -----BEGIN.*PRIVATE KEY----- RSA/EC private keys
Generic API Key api[_-]?key.*=.*['\"][a-zA-Z0-9]{20,} api_key = "abc123..."
Generic Password password.*=.*['\"][^'\"]+['\"] password = "secret123"

Step 3: Check Git History

Secrets may exist in git history even if removed:

# Scan entire git history
gitleaks detect --source . --log-opts="--all"

# Check specific commits
git log -p --all -S 'password' --source

Step 4: Categorize Findings

Critical - Immediate rotation required:

  • Cloud provider credentials (AWS, GCP, Azure)
  • Database connection strings
  • Private keys

High - Rotate soon:

  • API keys for external services
  • OAuth tokens
  • Webhook secrets

Medium - Review and rotate:

  • Internal service tokens
  • Test credentials that might be reused

Step 5: Report Findings

## Secrets Detection Report

### Critical (1)
1. **AWS Secret Key** - config/aws.js:12
   - Type: AWS credentials
   - Action: Rotate immediately in AWS console

### High (2)
1. **GitHub Token** - scripts/deploy.sh:45
   - Type: Personal access token
   - Action: Revoke and regenerate

2. **Slack Webhook** - src/notifications.js:23
   - Type: Incoming webhook URL
   - Action: Regenerate webhook

Prevention

Pre-commit Hook

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks

.gitignore Patterns

# Environment files
.env
.env.local
.env.*.local

# Key files
*.pem
*.key
*_rsa
*_ecdsa
*_ed25519

# Config with secrets
config/secrets.yml
credentials.json

Environment Variables

Move secrets to environment variables:

// BAD
const apiKey = "sk-abc123...";

// GOOD
const apiKey = process.env.API_KEY;

Common False Positives

  • Example/placeholder values in documentation
  • Test fixtures with fake credentials
  • Base64-encoded non-secret data
  • Hash values (SHA, MD5)

Review each finding to confirm it's a real secret before taking action.

Weekly Installs
5
Repository
armanzeroeight/…-plugins
GitHub Stars
26
First Seen
Feb 4, 2026
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykPass
Installed on
claude-code5
opencode4
github-copilot4
codex4
gemini-cli4
replit3