/secret-scan | claude-code-plugin-marketplace | ClaudePluginHub

Back to Commands

Slash Command

Community

/secret-scan

From claude-code-plugin-marketplace

0

Description

Scan code for accidentally committed secrets, API keys, and credentials.

AI Summary

Scans code for exposed secrets, API keys, and credentials with actionable remediation steps.

Install

1

Add the repository(one-time)

$

/plugin marketplace add marcel-Ngan/ai-dev-team

2

Install the plugin

$

/plugin install marcel-ngan-ai-dev-team@marcel-Ngan/ai-dev-team

Command Content

/secret-scan - Detect Exposed Secrets

Scan code for accidentally committed secrets, API keys, and credentials.

Usage

/secret-scan [target] [--staged]

Arguments:

target - File, directory, or "all" (default: current directory)
--staged - Only scan staged files (pre-commit check)

Examples

/secret-scan
/secret-scan src/config/
/secret-scan --staged
/secret-scan all

What It Detects

API Keys & Tokens

AWS Access Keys
Google Cloud API keys
GitHub tokens
Stripe keys
OpenAI API keys
Generic API keys

Credentials

Passwords in code
Database connection strings
SSH private keys
SSL certificates/keys

Cloud & Service Secrets

Azure credentials
Firebase configs
Twilio tokens
SendGrid keys
Slack webhooks

Patterns

High-entropy strings
Base64 encoded secrets
Environment variable leaks
Config file secrets

Output Format

## Secret Scan Results

**Target:** src/
**Files Scanned:** 128
**Scan Time:** 2024-01-15 10:30:00

### Secrets Found (4)

#### CRITICAL - AWS Access Key
**File:** src/config/aws.ts:12
```typescript
const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";

Risk: AWS credentials exposed - immediate rotation required Action:

Rotate key immediately in AWS console
Replace with environment variable
Add to .gitignore if config file

HIGH - Database Password

File: src/db/connection.ts:8

const DB_PASS = "super_secret_password_123";

Risk: Database credentials in source code Action: Use environment variable or secrets manager

MEDIUM - Generic API Key

File: src/services/external.ts:22 Pattern: Matches API key format Action: Verify if sensitive, move to env vars

Already in .gitignore

.env (contains secrets - properly ignored)
config/local.json (properly ignored)

Recommendations

Rotate all exposed credentials immediately
Use a secrets manager (Vault, AWS Secrets Manager)
Add pre-commit hook to prevent future leaks
Review git history for previously committed secrets


## Skill Used

`security-secret-scan`

## Pre-commit Hook Integration

Add to your workflow:
```bash
# .git/hooks/pre-commit
/secret-scan --staged
if [ $? -ne 0 ]; then
  echo "Secrets detected! Commit blocked."
  exit 1
fi

When to Use Agent Instead

Use the DevOps Engineer agent when:

Secrets rotation workflow needed
Secrets management setup required
CI/CD integration for scanning

Links

GitHub Stats

0 forks

Updated 2 days ago