Detect secrets, credentials, and sensitive data in code and configurations. Scan git history for secrets, detect API keys, tokens, passwords, check environment files, monitor CI/CD logs for exposure, generate remediation steps, and track secret rotation status.
Scans code, configurations, and git history to detect exposed secrets and provides remediation steps.
Install: `npx claudepluginhub a5c-ai/babysitter`

You are secret-detection-scanner - a specialized skill for detecting secrets, credentials, and sensitive data in code, configurations, and git history. This skill provides comprehensive capabilities for preventing secret exposure and managing credential security.
This skill enables AI-powered secret detection using the tools and workflows below.

Gitleaks provides fast and comprehensive secret detection:
```shell
# Scan current directory
gitleaks detect --source . --report-format json --report-path gitleaks-report.json

# Scan with verbose output
gitleaks detect --source . -v --report-format json --report-path gitleaks-report.json

# Scan git history
gitleaks detect --source . --log-opts="--all" --report-format json

# Scan specific commits
gitleaks detect --source . --log-opts="HEAD~10..HEAD" --report-format json

# Scan with custom config
gitleaks detect --source . --config .gitleaks.toml --report-format json

# Scan staged files only (pre-commit)
gitleaks protect --source . --staged --report-format json

# Scan specific branch
gitleaks detect --source . --log-opts="origin/main..HEAD" --report-format json

# Generate SARIF output for GitHub
gitleaks detect --source . --report-format sarif --report-path gitleaks.sarif
```
Custom configuration (`.gitleaks.toml`), extending the default rule set with a global path allowlist and an internal rule:

```toml
# .gitleaks.toml
[extend]
useDefault = true

[allowlist]
description = "Global allowlist"
paths = [
  '''\.gitleaks\.toml$''',
  '''(.*?)(test|spec|mock)(.*)''',
  '''vendor/''',
  '''node_modules/''',
]

# Custom rule for internal API keys
[[rules]]
id = "internal-api-key"
description = "Internal API Key"
regex = '''INTERNAL_API_KEY\s*=\s*['"]([a-zA-Z0-9]{32})['"]'''
tags = ["internal", "api-key"]
keywords = ["INTERNAL_API_KEY"]

# Allowlist specific findings for this rule only.
# Note: a rule-level allowlist is a single table ([rules.allowlist]), not an
# array of tables ([[rules.allowlist]]); the latter fails to load.
[rules.allowlist]
regexes = ['''test-api-key-12345''']
```
TruffleHog provides comprehensive entropy and pattern-based detection, with optional live verification of the credentials it finds:

```shell
# Scan filesystem
trufflehog filesystem . --json > trufflehog-results.json

# Scan git repository
trufflehog git file://. --json > trufflehog-git.json

# Scan remote git repository
trufflehog git https://github.com/org/repo.git --json

# Scan specific branch
trufflehog git file://. --branch main --json

# Scan with only verified results
trufflehog git file://. --only-verified --json

# Scan GitHub organization
trufflehog github --org myorg --json

# Scan S3 bucket
trufflehog s3 --bucket mybucket --json

# Include archived repos
trufflehog github --org myorg --include-archived --json
```
| Category | Secrets Detected |
|---|---|
| Cloud Providers | AWS, GCP, Azure credentials |
| Version Control | GitHub, GitLab tokens |
| Communication | Slack, Discord, Twilio |
| Payment | Stripe, PayPal, Square |
| Database | MongoDB, PostgreSQL, Redis |
| AI/ML | OpenAI, Anthropic, HuggingFace |
| General | Private keys, JWT, OAuth |
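The two detection styles above (a keyword-prefiltered regex rule with an allowlist, as in the `.gitleaks.toml`, and entropy scoring of secret-looking assignments, as TruffleHog and detect-secrets' `Base64HighEntropyString` plugin do) are easy to see working on a few constructed lines. The following is an added illustration, not code from this skill, gitleaks or TruffleHog: the rules, allowlists, sample file contents and the 4.5 bits/char entropy limit are constructed for the example (the limit mirrors the baseline shown later on this page), and the AWS key ID used is AWS's documented example value.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed rules in the shape of the .gitleaks.toml rule above: (id, regex, keyword prefilter).
# Simplified illustrations of how such rules work, not the real gitleaks or TruffleHog rule sets.
RULES = [
    ("internal-api-key",
     re.compile(r"""INTERNAL_API_KEY\s*=\s*['"]([a-zA-Z0-9]{32})['"]"""), ["INTERNAL_API_KEY"]),
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), ["AKIA"]),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), ["PRIVATE KEY"]),
]
# Value allowlist (like [rules.allowlist] regexes) and global path allowlist (like [allowlist] paths)
VALUE_ALLOWLIST = [re.compile(r"test-api-key-12345")]
PATH_ALLOWLIST = [re.compile(r"(.*?)(test|spec|mock)(.*)"), re.compile(r"vendor/"),
                  re.compile(r"node_modules/")]

# Generic detector: a secret-looking assignment whose value has high Shannon entropy.
# 4.5 bits/char is the Base64HighEntropyString limit used in the detect-secrets baseline.
ENTROPY_LIMIT = 4.5
ASSIGNMENT = re.compile(
    r"""(?i)(secret|token|password|api[_-]?key)\w*\s*[:=]\s*['"]?([A-Za-z0-9+/=_\-]{16,})['"]?""")


@dataclass
class Finding:
    rule_id: str
    path: str
    line: int
    redacted: str   # never carry the raw value into reports
    entropy: float


def shannon_entropy(value: str) -> float:
    """Bits per character; equals log2(distinct chars) when every character is unique."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str, keep: int = 4) -> str:
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_text(path: str, text: str) -> list:
    """Scan one file's content; returns findings in line order."""
    findings = []
    if any(p.search(path) for p in PATH_ALLOWLIST):
        return findings                      # global path allowlist wins before any rule runs
    for lineno, line in enumerate(text.splitlines(), 1):
        rule_hit = False
        for rule_id, regex, keywords in RULES:
            if not any(k in line for k in keywords):
                continue                     # cheap keyword prefilter before the regex
            match = regex.search(line)
            if not match:
                continue
            secret = match.group(1) if match.groups() else match.group(0)
            if any(a.search(secret) for a in VALUE_ALLOWLIST):
                continue
            rule_hit = True
            findings.append(Finding(rule_id, path, lineno, redact(secret),
                                    round(shannon_entropy(secret), 2)))
        if rule_hit:
            continue                         # a specific rule already reported this line
        match = ASSIGNMENT.search(line)
        if match:
            value = match.group(2)
            entropy = shannon_entropy(value)
            if entropy >= ENTROPY_LIMIT and not any(a.search(value) for a in VALUE_ALLOWLIST):
                findings.append(Finding("high-entropy-string", path, lineno, redact(value),
                                        round(entropy, 2)))
    return findings


# Constructed sample files; AKIAIOSFODNN7EXAMPLE is AWS's documented example key ID, not a live key.
SAMPLE_FILES = {
    "config/settings.py": "\n".join([
        'INTERNAL_API_KEY = "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"',   # custom rule
        "DEBUG = True",
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',                # AWS key pattern
        'DB_PASSWORD = "Qw8zT3pL9vXk2RmN6sBj4YhC"',                  # no pattern, but high entropy
        'ADMIN_PASSWORD = "password123456789"',                      # low entropy: not reported
    ]),
    "tests/test_settings.py": 'INTERNAL_API_KEY = "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"',  # allowlisted path
}


def scan_all(files: dict) -> list:
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for f in scan_all(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.rule_id} {f.redacted} entropy={f.entropy}")
```

Two points the output makes concrete: the allowlisted `tests/` file yields nothing even though it contains the same key, which is why the `(test|spec|mock)` path pattern needs care (a real secret committed under `tests/` is silently skipped), and `password123456789` passes the entropy check while the 24-character random password is caught, which is the trade-off behind the `limit` value in a baseline.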
detect-secrets provides baseline-driven secret detection with an audit trail, so known findings are recorded and only new ones fail a scan:

```shell
# Create baseline
detect-secrets scan > .secrets.baseline

# Scan with existing baseline
detect-secrets scan --baseline .secrets.baseline

# Audit baseline (interactive)
detect-secrets audit .secrets.baseline

# Update baseline
detect-secrets scan --baseline .secrets.baseline --update

# Scan specific files
detect-secrets scan src/ tests/ --baseline .secrets.baseline

# List available plugins, or disable specific ones
detect-secrets scan --list-all-plugins
detect-secrets scan --no-keyword-scan --no-base64-string-scan
```
Baseline file format (`.secrets.baseline`); note that only a hash of each secret is stored, never the value:

```json
{
  "version": "1.4.0",
  "plugins_used": [
    {"name": "AWSKeyDetector"},
    {"name": "ArtifactoryDetector"},
    {"name": "Base64HighEntropyString", "limit": 4.5},
    {"name": "BasicAuthDetector"},
    {"name": "PrivateKeyDetector"}
  ],
  "filters_used": [
    {"path": "detect_secrets.filters.allowlist.is_line_allowlisted"},
    {"path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies"}
  ],
  "results": {
    "config/settings.py": [
      {
        "type": "Secret Keyword",
        "filename": "config/settings.py",
        "hashed_secret": "abc123...",
        "is_verified": false,
        "line_number": 42
      }
    ]
  }
}
```
Pre-commit hook configuration, running all three scanners on staged changes:

```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets
        args: ['--baseline', '.secrets.baseline']
  - repo: https://github.com/trufflesecurity/trufflehog
    rev: v3.63.0
    hooks:
      - id: trufflehog
```
Install and run:

```shell
# Install pre-commit
pip install pre-commit

# Install hooks
pre-commit install

# Run manually on all files
pre-commit run --all-files
```
GitHub Actions workflow (`fetch-depth: 0` is required so the full history is available to scan, not just the latest commit):

```yaml
name: Secret Scan
on: [push, pull_request]
jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
  trufflehog:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: TruffleHog
        uses: trufflesecurity/trufflehog@main
        with:
          extra_args: --only-verified
```

GitLab CI job, publishing the Gitleaks report as a secret-detection artifact:

```yaml
secret-scan:
  image: zricethezav/gitleaks:latest
  script:
    - gitleaks detect --source . --report-format json --report-path gitleaks-report.json
  artifacts:
    reports:
      secret_detection: gitleaks-report.json
```
| Category | Examples | Risk Level |
|---|---|---|
| Cloud Credentials | AWS_SECRET_ACCESS_KEY, GCP service account | Critical |
| API Keys | OpenAI, Stripe, SendGrid | High |
| Database | Connection strings, passwords | Critical |
| Private Keys | RSA, SSH, PGP | Critical |
| OAuth/JWT | Bearer tokens, refresh tokens | High |
| Internal | Internal API keys, service tokens | Medium |
| Generic | High-entropy strings | Low-Medium |
When a secret is detected:

```shell
# 1. Identify affected commits
gitleaks detect --source . --log-opts="--all" -v

# 2. Revoke the secret immediately
# (Provider-specific - AWS console, GitHub settings, etc.)

# 3. Remove from git history (if needed)
# Option A: BFG Repo Cleaner
bfg --delete-files secrets.txt
bfg --replace-text passwords.txt

# Option B: git filter-repo
git filter-repo --path secrets.txt --invert-paths

# 4. Force push (with team coordination)
git push origin --force --all

# 5. Generate new credentials
# (Provider-specific)

# 6. Update deployment
# Update environment variables, secrets managers, etc.

# 7. Add to allowlist if false positive
# Update .gitleaks.toml or .secrets.baseline
```
Secret rotation tracking record, with the maximum rotation interval (in days) per risk level:

```json
{
  "secrets_inventory": [
    {
      "id": "aws-prod-key",
      "type": "AWS_ACCESS_KEY",
      "environment": "production",
      "created_at": "2025-07-01T00:00:00Z",
      "last_rotated": "2025-12-01T00:00:00Z",
      "rotation_policy_days": 90,
      "next_rotation": "2026-03-01T00:00:00Z",
      "status": "valid",
      "storage": "AWS Secrets Manager"
    }
  ],
  "rotation_schedule": {
    "critical": 30,
    "high": 60,
    "medium": 90,
    "low": 180
  }
}
```
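The `next_rotation` and `status` fields in that record are derived values, and a rotation tracker should also compare each entry's `rotation_policy_days` against the `rotation_schedule` for its risk level. The following is an added example, not part of this skill: it reads an inventory in the shape shown above (the `risk` field that links an entry to the schedule is an assumption of the example, as are the second and third inventory entries and the check date) and reports overdue, due-soon and policy-violating secrets.

```python
from datetime import datetime, timedelta, timezone

# Maximum rotation interval per risk level, copied from the rotation_schedule above
ROTATION_SCHEDULE = {"critical": 30, "high": 60, "medium": 90, "low": 180}

# Constructed inventory in the shape of the secrets_inventory record above. The added
# "risk" field ties each entry to the schedule (an assumption, not a field the page defines).
INVENTORY = [
    {"id": "aws-prod-key", "type": "AWS_ACCESS_KEY", "risk": "critical",
     "last_rotated": "2025-12-01T00:00:00Z", "rotation_policy_days": 90,
     "storage": "AWS Secrets Manager"},
    {"id": "github-ci-token", "type": "GITHUB_TOKEN", "risk": "high",
     "last_rotated": "2025-10-01T00:00:00Z", "rotation_policy_days": 60,
     "storage": "GitHub Actions secrets"},
    {"id": "slack-alerts-webhook", "type": "SLACK_WEBHOOK", "risk": "medium",
     "last_rotated": "2025-12-25T00:00:00Z", "rotation_policy_days": 30,
     "storage": "Vault"},
]


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def fmt_utc(moment: datetime) -> str:
    return moment.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def rotation_status(entry: dict, as_of: datetime, warn_days: int = 14) -> dict:
    """Derive next_rotation and status for one inventory entry as of a given moment."""
    policy_days = entry["rotation_policy_days"]
    next_rotation = parse_utc(entry["last_rotated"]) + timedelta(days=policy_days)
    days_left = (next_rotation - as_of).days
    if days_left < 0:
        status = "overdue"
    elif days_left <= warn_days:
        status = "due-soon"
    else:
        status = "valid"
    allowed = ROTATION_SCHEDULE[entry["risk"]]
    return {
        "id": entry["id"],
        "next_rotation": fmt_utc(next_rotation),
        "days_until_rotation": days_left,
        "status": status,
        # a policy looser than the schedule allows for its risk level is itself a finding
        "policy_violation": policy_days > allowed,
        "max_policy_days": allowed,
    }


def check_inventory(inventory: list, as_of: str) -> list:
    """Evaluate every entry as of the given UTC timestamp string."""
    moment = parse_utc(as_of)
    return [rotation_status(entry, moment) for entry in inventory]


if __name__ == "__main__":
    # Constructed check date
    for row in check_inventory(INVENTORY, "2026-01-15T00:00:00Z"):
        print(row)
```

Run as of 2026-01-15, the production AWS key is still `valid` (45 days left) yet flagged as a policy violation, because a 90-day policy exceeds the 30-day schedule for a critical secret; the CI token is 46 days `overdue`, and the webhook is `due-soon`.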
This skill can leverage the following MCP servers:
| Server | Description | Installation |
|---|---|---|
| sast-mcp | TruffleHog, Gitleaks integration | GitHub |
| SecOpsAgentKit secrets-gitleaks | Gitleaks credential detection | GitHub |
| Offensive-MCP-AI | DevSecOps secret detection | GitHub |
This skill integrates with the following processes:

- secret-management.js - Overall secret lifecycle
- devsecops-pipeline.js - DevSecOps automation
- sast-pipeline.js - SAST integration
- incident-response.js - Security incident handling

When executing operations, provide structured output:
```json
{
  "operation": "secret-scan",
  "status": "completed",
  "scan_type": "full-history",
  "tools_used": ["gitleaks", "trufflehog"],
  "scan_duration_seconds": 45,
  "summary": {
    "total_findings": 12,
    "by_severity": {
      "critical": 2,
      "high": 5,
      "medium": 3,
      "low": 2
    },
    "by_type": {
      "AWS_ACCESS_KEY": 1,
      "GITHUB_TOKEN": 2,
      "GENERIC_API_KEY": 5,
      "PRIVATE_KEY": 1,
      "HIGH_ENTROPY": 3
    },
    "verified": 3,
    "unverified": 9
  },
  "critical_findings": [
    {
      "type": "AWS_ACCESS_KEY",
      "file": "config/aws.py",
      "line": 15,
      "commit": "abc123",
      "author": "dev@example.com",
      "date": "2025-06-15",
      "verified": true,
      "redacted_value": "AKIA***************",
      "remediation": "Rotate AWS access key immediately via IAM console"
    }
  ],
  "artifacts": ["gitleaks-report.json", "trufflehog-results.json"]
}
```
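Producing that structured output means turning a raw scanner report into severity counts and redacted critical findings without ever copying the secret itself into the summary. The following is an added example, not code from this skill: it triages a gitleaks-style JSON report (the field names `RuleID`, `File`, `StartLine`, `Commit`, `Email`, `Date`, `Secret` follow gitleaks' report format; the findings, the rule-to-severity mapping, which follows the risk table above, and the remediation text are all constructed for the example) into the output shape shown, deduplicating repeated occurrences of one secret across history by hash.

```python
import hashlib
import json
from collections import Counter

# Constructed gitleaks-style JSON report. Field names follow gitleaks' report format;
# every value here is made up (AKIAIOSFODNN7EXAMPLE is AWS's documented example key ID).
SAMPLE_REPORT = json.dumps([
    {"RuleID": "aws-access-token", "File": "config/aws.py", "StartLine": 15,
     "Commit": "abc1234def5678", "Email": "dev@example.com", "Date": "2025-06-15T10:00:00Z",
     "Secret": "AKIAIOSFODNN7EXAMPLE"},
    {"RuleID": "aws-access-token", "File": "config/aws.py", "StartLine": 15,
     "Commit": "9876543fedcba0", "Email": "dev@example.com", "Date": "2025-06-20T09:30:00Z",
     "Secret": "AKIAIOSFODNN7EXAMPLE"},          # same key seen again in a later commit
    {"RuleID": "github-pat", "File": ".github/workflows/deploy.yml", "StartLine": 22,
     "Commit": "1111111aaaaaaa", "Email": "ci@example.com", "Date": "2025-07-02T12:00:00Z",
     "Secret": "ghp_" + "x" * 36},
    {"RuleID": "generic-api-key", "File": "scripts/sync.py", "StartLine": 8,
     "Commit": "2222222bbbbbbb", "Email": "dev@example.com", "Date": "2025-08-11T08:15:00Z",
     "Secret": "c0ffee" * 5},
])

# Severity by rule-id prefix, following the risk table above (constructed mapping, not gitleaks')
SEVERITY_BY_PREFIX = [("aws-", "critical"), ("gcp-", "critical"), ("private-key", "critical"),
                      ("github-", "high"), ("gitlab-", "high"), ("generic-api-key", "medium")]
REMEDIATION_BY_PREFIX = [("aws-", "Rotate AWS access key immediately via IAM console"),
                         ("github-", "Revoke the token in GitHub settings and issue a new one")]


def lookup(rule_id: str, table: list, default):
    for prefix, value in table:
        if rule_id.startswith(prefix):
            return value
    return default


def redact(secret: str, keep: int = 4) -> str:
    return secret[:keep] + "*" * (len(secret) - keep)


def hashed_secret(secret: str) -> str:
    # SHA-256 of the value, so findings can be correlated without storing the secret itself
    return hashlib.sha256(secret.encode()).hexdigest()


def triage(report_json: str, scan_type: str = "full-history", tools_used=("gitleaks",)) -> dict:
    """Summarise a gitleaks-style report into the structured output shape used by this skill."""
    findings = json.loads(report_json)
    by_severity, by_type, seen = Counter(), Counter(), set()
    critical = []
    for f in findings:
        severity = lookup(f["RuleID"], SEVERITY_BY_PREFIX, "low")
        by_severity[severity] += 1
        by_type[f["RuleID"]] += 1
        seen.add(hashed_secret(f["Secret"]))
        if severity == "critical":
            critical.append({
                "type": f["RuleID"], "file": f["File"], "line": f["StartLine"],
                "commit": f["Commit"][:7], "author": f["Email"], "date": f["Date"][:10],
                "redacted_value": redact(f["Secret"]),
                "hashed_secret": hashed_secret(f["Secret"])[:12],
                "remediation": lookup(f["RuleID"], REMEDIATION_BY_PREFIX,
                                      "Revoke and reissue the credential"),
            })
    return {
        "operation": "secret-scan", "status": "completed", "scan_type": scan_type,
        "tools_used": list(tools_used),
        "summary": {"total_findings": len(findings), "unique_secrets": len(seen),
                    "by_severity": dict(by_severity), "by_type": dict(by_type)},
        "critical_findings": critical,
    }


def to_json(result: dict) -> str:
    return json.dumps(result, indent=2)


if __name__ == "__main__":
    print(to_json(triage(SAMPLE_REPORT)))
```

The `unique_secrets` count is the number that matters for remediation: a history scan reports the same AWS key once per commit it appears in, but it only has to be revoked once. Keeping the raw `Secret` field out of the summary also matters because this output is typically written to CI logs and artifacts, which is one of the exposure paths this skill is meant to monitor.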
| Error | Cause | Resolution |
|---|---|---|
| No git repository | Not in git repo | Initialize or specify path |
| Baseline mismatch | Outdated baseline | Update baseline file |
| Too many findings | No exclusions | Configure allowlists |
| Verification failed | Network/API issues | Check connectivity |