secrets-detector

Installation

SKILL.md

Secrets Detector

Quick Start

Scan for secrets using gitleaks:

# Install
brew install gitleaks  # macOS
# or
pip install detect-secrets

# Scan current directory
gitleaks detect --source .

Instructions

Step 1: Choose Detection Tool

Gitleaks (recommended):

gitleaks detect --source . --verbose

detect-secrets:

detect-secrets scan . --all-files

Manual grep patterns:

grep -rn "AKIA[0-9A-Z]{16}" .  # AWS Access Key
grep -rn "ghp_[a-zA-Z0-9]{36}" .  # GitHub Token

Step 2: Scan for Common Patterns

Secret Type	Pattern	Example
AWS Access Key	`AKIA[0-9A-Z]{16}`	AKIAIOSFODNN7EXAMPLE
AWS Secret Key	`[A-Za-z0-9/+=]{40}`	wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GitHub Token	`ghp_[a-zA-Z0-9]{36}`	ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
GitHub OAuth	`gho_[a-zA-Z0-9]{36}`	gho_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Slack Token	`xox[baprs]-[0-9a-zA-Z-]+`	xoxb-123456789-abcdefghij
Private Key	`-----BEGIN.*PRIVATE KEY-----`	RSA/EC private keys
Generic API Key	`api[_-]?key.=.['\"][a-zA-Z0-9]{20,}`	api_key = "abc123..."
Generic Password	`password.=.['\"][^'\"]+['\"]`	password = "secret123"

Step 3: Check Git History

Secrets may exist in git history even if removed:

# Scan entire git history
gitleaks detect --source . --log-opts="--all"

# Check specific commits
git log -p --all -S 'password' --source

Step 4: Categorize Findings

Critical - Immediate rotation required:

Cloud provider credentials (AWS, GCP, Azure)
Database connection strings
Private keys

High - Rotate soon:

API keys for external services
OAuth tokens
Webhook secrets

Medium - Review and rotate:

Internal service tokens
Test credentials that might be reused

Step 5: Report Findings

## Secrets Detection Report

### Critical (1)
1. **AWS Secret Key** - config/aws.js:12
   - Type: AWS credentials
   - Action: Rotate immediately in AWS console

### High (2)
1. **GitHub Token** - scripts/deploy.sh:45
   - Type: Personal access token
   - Action: Revoke and regenerate

2. **Slack Webhook** - src/notifications.js:23
   - Type: Incoming webhook URL
   - Action: Regenerate webhook

Prevention

Pre-commit Hook

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks

.gitignore Patterns

# Environment files
.env
.env.local
.env.*.local

# Key files
*.pem
*.key
*_rsa
*_ecdsa
*_ed25519

# Config with secrets
config/secrets.yml
credentials.json

Environment Variables

Move secrets to environment variables:

// BAD
const apiKey = "sk-abc123...";

// GOOD
const apiKey = process.env.API_KEY;

Common False Positives

Example/placeholder values in documentation
Test fixtures with fake credentials
Base64-encoded non-secret data
Hash values (SHA, MD5)

Review each finding to confirm it's a real secret before taking action.

Related skills

More from armanzeroeight/fastagent-plugins

Installs

Repository

armanzeroeight/…-plugins

GitHub Stars

First Seen

Feb 4, 2026

Security Audits

Gen Agent Trust HubPass

SocketPass

SnykPass