secrets-scanner
By mintmcp
Protect AI development workflows from credential leaks by scanning Bash tool calls before execution to guard against risks, scrubbing secrets from outputs afterward, and triggering admission reminders on user prompt submissions.
npx claudepluginhub mintmcp/agent-security --plugin secrets-scannerComponent Overview
Component Details
Hooks (1)
README
Security plugins for Claude Code and Cursor
This repository currently provides a secrets scanner plugin.
Motivation
Coding agents are powerful, but we've repeatedly seen them read and propagate sensitive data during everyday work. That can be acceptable for casual "vibe coding" experiments, but it's not acceptable for production software engineering. We built this to make accidental leakage much harder: a standalone, local-first scanner with minimal footprint (no external dependencies, regex-only), running as editor/agent hooks entirely on your machine, and easy to set up so teams can adopt it without friction.
Install
Claude Code Plugin Marketplace
Install via the Claude Code plugin marketplace:
/plugin marketplace add mintmcp/agent-security
/plugin install secrets-scanner@agent-security
PyPI (manual hooks)
pipx install claude-secret-scan
# or
python3 -m pip install --user claude-secret-scan
Add hooks to ~/.claude/settings.json if using PyPI:
{
"hooks": {
"UserPromptSubmit": [
{"hooks": [{"type": "command", "command": "claude-secret-scan --mode=pre"}]}
],
"PreToolUse": [
{"matcher": "Read|read", "hooks": [{"type": "command", "command": "claude-secret-scan --mode=pre"}]}
],
"PostToolUse": [
{"matcher": "Read|read", "hooks": [{"type": "command", "command": "claude-secret-scan --mode=post"}]},
{"matcher": "Bash|bash", "hooks": [{"type": "command", "command": "claude-secret-scan --mode=post"}]}
]
}
}
Cursor
Copy examples/configs/cursor-hooks.json to ~/.cursor/hooks.json or configure similarly:
{
"version": 1,
"hooks": {
"beforeReadFile": [{"command": "cursor-secret-scan --mode=pre"}],
"beforeSubmitPrompt": [{"command": "cursor-secret-scan --mode=pre"}]
}
}
Repository Layout
.
├── .claude-plugin/
│ └── marketplace.json
├── plugins/
│ └── secrets_scanner/
│ ├── .claude-plugin/
│ │ └── plugin.json
│ ├── hooks/
│ │ ├── hooks.json
│ │ └── secrets_scanner_hook.py
│ ├── tests/
│ │ └── read_hook_test.py
│ ├── TESTING.md
│ └── README.md
├── examples/
│ └── configs/
├── pyproject.toml
└── README.md
Notes
- Pre hooks block when secrets are detected. Post hooks print warnings.
- No external dependencies. The scanner uses only Python's built-in regexes and simple pattern matching.
- Runs completely locally. No code, prompts, or files leave your system.
- Curious how it works? See
plugins/secrets_scanner/hooks/secrets_scanner_hook.pyfor the core implementation and patterns. - No telemetry by default. For org-wide visibility and governance (dashboards, metrics, alerting), see https://mintmcp.com.
License
Apache License 2.0. See LICENSE.
Acknowledgements
Regex patterns were informed by or adapted from detect-secrets (Apache 2.0).
Similar Plugins
everything-claude-code
The most comprehensive Claude Code plugin — 38 agents, 156 skills, 72 legacy command shims, selective install profiles, and production-ready hooks for TDD, security scanning, code review, and continuous learning
Executes bash commands
Hook triggers when Bash tool is used