secrets-scan
Secrets Scan
Deep detection of hardcoded credentials and sensitive data in source code.
Quick Start
/secrets-scan # Scan current directory
/secrets-scan --scope src/ # Scan specific path
/secrets-scan --entropy # Include high-entropy detection
/secrets-scan --git-history # Check git commit history
What This Skill Detects
High-Confidence Patterns
Patterns with very low false positive rates:
| Type | Pattern Example | Provider |
|---|---|---|
| AWS Access Key | AKIA... (20 chars) |
AWS |
| AWS Secret Key | 40 char base64 | AWS |
| GitHub Token | ghp_, gho_, ghu_, ghs_, ghr_ |
GitHub |
| GitLab Token | glpat-... |
GitLab |
| Slack Token | xoxb-, xoxp-, xoxa- |
Slack |
| Stripe Key | sk_live_, rk_live_ |
Stripe |
| Twilio | SK... (34 chars) |
Twilio |
| SendGrid | SG. followed by base64 |
SendGrid |
| Private Key | -----BEGIN (RSA|EC|DSA)?PRIVATE KEY----- |
Various |
| Google API Key | AIza... (39 chars) |
Medium-Confidence Patterns
May require context validation:
| Type | Pattern | Notes |
|---|---|---|
| Generic API Key | api[_-]?key.*=.*['"][a-zA-Z0-9]{16,} |
Variable names |
| Generic Secret | secret.*=.*['"][^'"]+ |
Context needed |
| Password | password.*=.*['"][^'"]+ |
May be config |
| Connection String | ://[^:]+:[^@]+@ |
DB credentials |
| Bearer Token | Bearer [a-zA-Z0-9_-]+ |
In headers/code |
High-Entropy Detection
Finds potential secrets via entropy analysis:
/secrets-scan --entropy
Detects strings with high randomness that may be:
- Base64-encoded secrets
- Hex-encoded tokens
- Custom API key formats
Detection Patterns
Cloud Provider Keys
# AWS
AKIA[0-9A-Z]{16} # Access Key ID
[A-Za-z0-9/+=]{40} # Secret Access Key (context needed)
# Azure
[a-zA-Z0-9+/=]{88} # Storage Account Key
# GCP
AIza[0-9A-Za-z_-]{35} # API Key
[0-9]+-[a-z0-9]{32}\.apps\.googleusercontent\.com # OAuth Client
Version Control Tokens
# GitHub
gh[pousr]_[A-Za-z0-9]{36,} # Personal/OAuth/User/Repo/App
github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59} # Fine-grained PAT
# GitLab
glpat-[A-Za-z0-9-_]{20,} # Personal Access Token
# Bitbucket
[a-zA-Z0-9]{24} # App Password (context needed)
Payment & Finance
# Stripe
sk_live_[a-zA-Z0-9]{24,} # Secret Key
rk_live_[a-zA-Z0-9]{24,} # Restricted Key
pk_live_[a-zA-Z0-9]{24,} # Publishable Key
# Square
sq0[a-z]{3}-[A-Za-z0-9_-]{22,} # Access Token
# PayPal
access_token\$[a-zA-Z0-9-_.]+ # OAuth Token
Communication Services
# Slack
xox[bpas]-[0-9]{10,}-[a-zA-Z0-9]{24,} # Bot/User/App Token
# Twilio
SK[a-f0-9]{32} # API Key SID
[a-f0-9]{32} # Auth Token (context)
# SendGrid
SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43} # API Key
Database Connection Strings
# PostgreSQL/MySQL
(postgres|mysql|mariadb)://[^:]+:[^@]+@[^/]+/\w+
# MongoDB
mongodb(\+srv)?://[^:]+:[^@]+@
# Redis
redis://:[^@]+@
Private Keys
-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----
-----BEGIN PGP PRIVATE KEY BLOCK-----
JWT & Session
eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+ # JWT
Scan Options
Basic Scan
/secrets-scan
Scans for high-confidence patterns only.
With Entropy Analysis
/secrets-scan --entropy
Adds high-entropy string detection (more findings, some false positives).
Specific Scope
/secrets-scan --scope src/api/
/secrets-scan --scope "*.ts"
Git History Scan
/secrets-scan --git-history
/secrets-scan --git-history --since "2024-01-01"
Scans commit history for secrets that were committed and later removed.
Exclude Patterns
/secrets-scan --exclude "*.test.ts" --exclude "fixtures/"
Output Format
Finding Report
SECRETS SCAN RESULTS
====================
High-Confidence Findings: 2
Medium-Confidence Findings: 5
Entropy Findings: 3
[!] CRITICAL: AWS Access Key
File: src/config/aws.ts:15
Pattern: AKIAIOSFODNN7EXAMPLE
Action: Rotate immediately, check CloudTrail
[!] CRITICAL: GitHub Token
File: .env.example:8
Pattern: ghp_xxxx...xxxx (redacted)
Action: Revoke token, remove from history
[H] HIGH: Database Password
File: docker-compose.yml:23
Pattern: password: supersecret
Action: Use environment variable
[M] MEDIUM: Possible API Key
File: src/services/api.ts:44
Pattern: apiKey = "a1b2c3..."
Context: May be test value
Summary Statistics
Files scanned: 342
Patterns checked: 127
Time elapsed: 2.3s
By Severity:
Critical: 2
High: 5
Medium: 8
By Type:
Cloud credentials: 2
API keys: 4
Passwords: 3
Private keys: 1
Other: 5
False Positive Handling
Common False Positives
-
Example/placeholder values
AKIAIOSFODNN7EXAMPLE(AWS example)sk_test_...(Stripe test key)your-api-key-here
-
Test fixtures
- Mock credentials in test files
- Fixture data
-
Documentation
- README examples
- API documentation
Ignore File
Create .secrets-scan-ignore:
# Ignore test fixtures
**/fixtures/**
**/__mocks__/**
*.test.ts
*.spec.js
# Ignore documentation
docs/**
*.md
# Ignore specific false positives
src/constants.ts:EXAMPLE_KEY
# Inline ignore comment
# secrets-scan-ignore: test fixture
Inline Ignore
// secrets-scan-ignore: example value
const EXAMPLE_KEY = "AKIAIOSFODNN7EXAMPLE";
Remediation Steps
When Secrets Are Found
-
Immediate Actions
- Rotate the credential immediately
- Check access logs for unauthorized use
- Remove from code/config
-
Clean Git History
# Remove secret from history git filter-branch --force --index-filter \ 'git rm --cached --ignore-unmatch path/to/file' \ --prune-empty --tag-name-filter cat -- --all # Or use BFG Repo Cleaner bfg --replace-text secrets.txt repo.git -
Prevent Future Commits
- Add pre-commit hooks
- Configure secret scanning in CI
Prevention
# Install pre-commit hook
npx husky add .husky/pre-commit "npx secrets-scan --staged"
Integration
CI/CD Pipeline
# GitHub Actions
- name: Secrets Scan
run: |
/secrets-scan --fail-on-findings
exit $?
# Exit codes:
# 0 = No findings
# 1 = Findings detected
# 2 = Error during scan
Pre-Commit Hook
#!/bin/sh
# .husky/pre-commit
files=$(git diff --cached --name-only)
/secrets-scan --files "$files"
Related Skills
/security-scan- Full security analysis/config-scan- Configuration security/dependency-scan- Package vulnerabilities
More from jwynia/agent-skills
frontend-design
Create distinctive, production-grade frontend interfaces with high design quality. Provides analysis tools for auditing existing designs and generation tools for creating color palettes, typography systems, design tokens, and component templates. Supports React, Vue, Svelte, and vanilla HTML/CSS. Use when building web components, pages, or applications. Keywords: design, UI, frontend, CSS, components, palette, typography, tokens, accessibility.
2.0Krequirements-analysis
Diagnose requirements problems and guide discovery of real needs and constraints
1.8Kgodot-best-practices
Guide AI agents through Godot 4.x GDScript coding best practices including scene organization, signals, resources, state machines, and performance optimization. This skill should be used when generating GDScript code, creating Godot scenes, designing game architecture, implementing state machines, object pooling, save/load systems, or when the user asks about Godot patterns, node structure, or GDScript standards. Keywords: godot, gdscript, game development, signals, resources, scenes, nodes, state machine, object pooling, save system, autoload, export, type hints.
1.4Kpresentation-design
Design and evaluate presentations that communicate effectively. Use when designing a presentation, creating slides, getting presentation feedback, structuring a talk, or reviewing slides. Keywords: presentation, slides, talk, PowerPoint, Keynote, reveal.js.
1.3Kweb-search-tavily
Search the web using Tavily API for high-quality, AI-optimized results with advanced filtering options. Use when you need structured search results, domain filtering, relevance scores, or AI-generated answer summaries. Requires TAVILY_API_KEY. Keywords: tavily, advanced search, filtered search, domain filtering, relevance scoring.
1.0Kstory-coach
Act as an assistive writing coach who guides but never writes for the user. Use when helping someone develop their own writing through questions, diagnosis, and frameworks. Critical constraint - never generate story prose, dialogue, or narrative content. Instead ask questions, identify issues, suggest approaches, and let the writer write.
704