playbooks

home / skills / jwynia / agent-skills / secrets-scan

secrets-scan skill

/skills/tech/security/secrets-scan

This skill detects hardcoded credentials and secrets in code and guides immediate remediation to protect projects.

npx playbooks add skill jwynia/agent-skills --skill secrets-scan

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
7.2 KB
---
name: secrets-scan
description: Detect API keys, passwords, tokens, and other secrets in code. Use when you need to find hardcoded credentials and sensitive data in source code.
license: MIT
metadata:
  author: jwynia
  version: "1.0"
  type: utility
  mode: evaluative
  domain: development
---

# Secrets Scan

Deep detection of hardcoded credentials and sensitive data in source code.

## Quick Start

```
/secrets-scan                    # Scan current directory
/secrets-scan --scope src/       # Scan specific path
/secrets-scan --entropy          # Include high-entropy detection
/secrets-scan --git-history      # Check git commit history
```

## What This Skill Detects

### High-Confidence Patterns

Patterns with very low false positive rates:

| Type | Pattern Example | Provider |
|------|-----------------|----------|
| AWS Access Key | `AKIA...` (20 chars) | AWS |
| AWS Secret Key | 40 char base64 | AWS |
| GitHub Token | `ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_` | GitHub |
| GitLab Token | `glpat-...` | GitLab |
| Slack Token | `xoxb-`, `xoxp-`, `xoxa-` | Slack |
| Stripe Key | `sk_live_`, `rk_live_` | Stripe |
| Twilio | `SK...` (34 chars) | Twilio |
| SendGrid | `SG.` followed by base64 | SendGrid |
| Private Key | `-----BEGIN (RSA\|EC\|DSA)?PRIVATE KEY-----` | Various |
| Google API Key | `AIza...` (39 chars) | Google |

### Medium-Confidence Patterns

May require context validation:

| Type | Pattern | Notes |
|------|---------|-------|
| Generic API Key | `api[_-]?key.*=.*['"][a-zA-Z0-9]{16,}` | Variable names |
| Generic Secret | `secret.*=.*['"][^'"]+` | Context needed |
| Password | `password.*=.*['"][^'"]+` | May be config |
| Connection String | `://[^:]+:[^@]+@` | DB credentials |
| Bearer Token | `Bearer [a-zA-Z0-9_-]+` | In headers/code |

### High-Entropy Detection

Finds potential secrets via entropy analysis:

```
/secrets-scan --entropy
```

Detects strings with high randomness that may be:
- Base64-encoded secrets
- Hex-encoded tokens
- Custom API key formats

## Detection Patterns

### Cloud Provider Keys

```regex
# AWS
AKIA[0-9A-Z]{16}                           # Access Key ID
[A-Za-z0-9/+=]{40}                         # Secret Access Key (context needed)

# Azure
[a-zA-Z0-9+/=]{88}                         # Storage Account Key

# GCP
AIza[0-9A-Za-z_-]{35}                      # API Key
[0-9]+-[a-z0-9]{32}\.apps\.googleusercontent\.com  # OAuth Client
```

### Version Control Tokens

```regex
# GitHub
gh[pousr]_[A-Za-z0-9]{36,}                 # Personal/OAuth/User/Repo/App
github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59} # Fine-grained PAT

# GitLab
glpat-[A-Za-z0-9-_]{20,}                   # Personal Access Token

# Bitbucket
[a-zA-Z0-9]{24}                            # App Password (context needed)
```

### Payment & Finance

```regex
# Stripe
sk_live_[a-zA-Z0-9]{24,}                   # Secret Key
rk_live_[a-zA-Z0-9]{24,}                   # Restricted Key
pk_live_[a-zA-Z0-9]{24,}                   # Publishable Key

# Square
sq0[a-z]{3}-[A-Za-z0-9_-]{22,}            # Access Token

# PayPal
access_token\$[a-zA-Z0-9-_.]+             # OAuth Token
```

### Communication Services

```regex
# Slack
xox[bpas]-[0-9]{10,}-[a-zA-Z0-9]{24,}     # Bot/User/App Token

# Twilio
SK[a-f0-9]{32}                             # API Key SID
[a-f0-9]{32}                               # Auth Token (context)

# SendGrid
SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}  # API Key
```

### Database Connection Strings

```regex
# PostgreSQL/MySQL
(postgres|mysql|mariadb)://[^:]+:[^@]+@[^/]+/\w+

# MongoDB
mongodb(\+srv)?://[^:]+:[^@]+@

# Redis
redis://:[^@]+@
```

### Private Keys

```regex
-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----
-----BEGIN PGP PRIVATE KEY BLOCK-----
```

### JWT & Session

```regex
eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+   # JWT
```

## Scan Options

### Basic Scan
```
/secrets-scan
```
Scans for high-confidence patterns only.

### With Entropy Analysis
```
/secrets-scan --entropy
```
Adds high-entropy string detection (more findings, some false positives).

### Specific Scope
```
/secrets-scan --scope src/api/
/secrets-scan --scope "*.ts"
```

### Git History Scan
```
/secrets-scan --git-history
/secrets-scan --git-history --since "2024-01-01"
```
Scans commit history for secrets that were committed and later removed.

### Exclude Patterns
```
/secrets-scan --exclude "*.test.ts" --exclude "fixtures/"
```

## Output Format

### Finding Report

```
SECRETS SCAN RESULTS
====================

High-Confidence Findings: 2
Medium-Confidence Findings: 5
Entropy Findings: 3

[!] CRITICAL: AWS Access Key
    File: src/config/aws.ts:15
    Pattern: AKIAIOSFODNN7EXAMPLE
    Action: Rotate immediately, check CloudTrail

[!] CRITICAL: GitHub Token
    File: .env.example:8
    Pattern: ghp_xxxx...xxxx (redacted)
    Action: Revoke token, remove from history

[H] HIGH: Database Password
    File: docker-compose.yml:23
    Pattern: password: supersecret
    Action: Use environment variable

[M] MEDIUM: Possible API Key
    File: src/services/api.ts:44
    Pattern: apiKey = "a1b2c3..."
    Context: May be test value
```

### Summary Statistics

```
Files scanned: 342
Patterns checked: 127
Time elapsed: 2.3s

By Severity:
  Critical: 2
  High: 5
  Medium: 8

By Type:
  Cloud credentials: 2
  API keys: 4
  Passwords: 3
  Private keys: 1
  Other: 5
```

## False Positive Handling

### Common False Positives

1. **Example/placeholder values**
   - `AKIAIOSFODNN7EXAMPLE` (AWS example)
   - `sk_test_...` (Stripe test key)
   - `your-api-key-here`

2. **Test fixtures**
   - Mock credentials in test files
   - Fixture data

3. **Documentation**
   - README examples
   - API documentation

### Ignore File

Create `.secrets-scan-ignore`:

```
# Ignore test fixtures
**/fixtures/**
**/__mocks__/**
*.test.ts
*.spec.js

# Ignore documentation
docs/**
*.md

# Ignore specific false positives
src/constants.ts:EXAMPLE_KEY

# Inline ignore comment
# secrets-scan-ignore: test fixture
```

### Inline Ignore

```javascript
// secrets-scan-ignore: example value
const EXAMPLE_KEY = "AKIAIOSFODNN7EXAMPLE";
```

## Remediation Steps

### When Secrets Are Found

1. **Immediate Actions**
   - Rotate the credential immediately
   - Check access logs for unauthorized use
   - Remove from code/config

2. **Clean Git History**
   ```bash
   # Remove secret from history
   git filter-branch --force --index-filter \
     'git rm --cached --ignore-unmatch path/to/file' \
     --prune-empty --tag-name-filter cat -- --all

   # Or use BFG Repo Cleaner
   bfg --replace-text secrets.txt repo.git
   ```

3. **Prevent Future Commits**
   - Add pre-commit hooks
   - Configure secret scanning in CI

### Prevention

```bash
# Install pre-commit hook
npx husky add .husky/pre-commit "npx secrets-scan --staged"
```

## Integration

### CI/CD Pipeline

```yaml
# GitHub Actions
- name: Secrets Scan
  run: |
    /secrets-scan --fail-on-findings
    exit $?

# Exit codes:
# 0 = No findings
# 1 = Findings detected
# 2 = Error during scan
```

### Pre-Commit Hook

```bash
#!/bin/sh
# .husky/pre-commit
files=$(git diff --cached --name-only)
/secrets-scan --files "$files"
```

## Related Skills

- `/security-scan` - Full security analysis
- `/config-scan` - Configuration security
- `/dependency-scan` - Package vulnerabilities

Overview

This skill detects hardcoded credentials and other sensitive data in source code to help you find API keys, passwords, tokens, and private keys before they leak. It focuses on high-confidence patterns, optional entropy analysis, and can scan working trees or full git history for removed secrets. Results include file locations, severity, and recommended remediation steps.

How this skill works

The scanner matches a comprehensive set of regex patterns for cloud provider keys, VCS tokens, payment keys, communication service tokens, connection strings, JWTs, and private key blocks. An optional entropy mode flags high-randomness strings that may be encoded secrets. It also supports scoped scans, file globs, exclude rules, inline ignores, and git-history inspection to catch secrets that were committed and later removed.

When to use it

  • Before merging code or releasing builds to ensure no credentials are committed
  • When auditing a repository for accidental secrets or leaked tokens
  • During CI to block commits that introduce new secrets
  • When rotating credentials to locate all occurrences in code and history
  • When preparing a public release or open-sourcing a project

Best practices

  • Run basic scans regularly and enable entropy mode when you need broader coverage
  • Use .secrets-scan-ignore to suppress known safe fixtures and docs
  • Treat high-confidence findings as urgent: rotate and revoke immediately
  • Integrate the scanner into CI and pre-commit hooks to prevent future commits
  • Review medium- and entropy findings manually to reduce false positives

Example use cases

  • Scan src/ and config files to find accidentally committed API keys
  • Run a git-history scan to find secrets that were removed but remain in commits
  • Use entropy mode to locate base64/hex-encoded tokens in binary blobs or configs
  • Add to pre-commit hooks so staged changes are scanned before committing
  • Automate in CI to fail builds when critical secrets are detected

FAQ

What scan modes are available?

Basic scans detect high-confidence patterns. Use --entropy to include high-entropy string detection. Use --git-history to scan commit history and --scope to limit paths or globs.

How do I ignore false positives?

Create a .secrets-scan-ignore file with globs, paths, or specific file:pattern entries. You can also add an inline comment secrets-scan-ignore to mark a specific line as ignored.

What should I do if a secret is found?

Rotate or revoke the credential immediately, inspect access logs for misuse, remove it from code, and clean git history using recommended tools like git filter-branch or BFG. Then add preventive checks like pre-commit hooks and CI scanning.