From security-toolkit
Scans source code and git history for hardcoded secrets, API keys, passwords, credentials using gitleaks, detect-secrets, grep patterns. Categorizes risks and suggests prevention like pre-commit hooks.
How this skill is triggered — by the user, by Claude, or both
Slash command
/security-toolkit:secrets-detectorThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Scan for secrets using gitleaks:
Scan for secrets using gitleaks:
# Install
brew install gitleaks # macOS
# or
pip install detect-secrets
# Scan current directory
gitleaks detect --source .
Gitleaks (recommended):
gitleaks detect --source . --verbose
detect-secrets:
detect-secrets scan . --all-files
Manual grep patterns:
grep -rn "AKIA[0-9A-Z]{16}" . # AWS Access Key
grep -rn "ghp_[a-zA-Z0-9]{36}" . # GitHub Token
| Secret Type | Pattern | Example |
|---|---|---|
| AWS Access Key | AKIA[0-9A-Z]{16} | AKIAIOSFODNN7EXAMPLE |
| AWS Secret Key | [A-Za-z0-9/+=]{40} | wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY |
| GitHub Token | ghp_[a-zA-Z0-9]{36} | ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
| GitHub OAuth | gho_[a-zA-Z0-9]{36} | gho_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
| Slack Token | xox[baprs]-[0-9a-zA-Z-]+ | xoxb-123456789-abcdefghij |
| Private Key | -----BEGIN.*PRIVATE KEY----- | RSA/EC private keys |
| Generic API Key | api[_-]?key.*=.*['\"][a-zA-Z0-9]{20,} | api_key = "abc123..." |
| Generic Password | password.*=.*['\"][^'\"]+['\"] | password = "secret123" |
Secrets may exist in git history even if removed:
# Scan entire git history
gitleaks detect --source . --log-opts="--all"
# Check specific commits
git log -p --all -S 'password' --source
Critical - Immediate rotation required:
High - Rotate soon:
Medium - Review and rotate:
## Secrets Detection Report
### Critical (1)
1. **AWS Secret Key** - config/aws.js:12
- Type: AWS credentials
- Action: Rotate immediately in AWS console
### High (2)
1. **GitHub Token** - scripts/deploy.sh:45
- Type: Personal access token
- Action: Revoke and regenerate
2. **Slack Webhook** - src/notifications.js:23
- Type: Incoming webhook URL
- Action: Regenerate webhook
# .pre-commit-config.yaml
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.18.0
hooks:
- id: gitleaks
# Environment files
.env
.env.local
.env.*.local
# Key files
*.pem
*.key
*_rsa
*_ecdsa
*_ed25519
# Config with secrets
config/secrets.yml
credentials.json
Move secrets to environment variables:
// BAD
const apiKey = "sk-abc123...";
// GOOD
const apiKey = process.env.API_KEY;
Review each finding to confirm it's a real secret before taking action.
npx claudepluginhub p/armanzeroeight-security-toolkit-plugins-security-toolkitDetects hardcoded secrets, API keys, credentials, tokens, and private keys in source code and git history using regex patterns for pentesting and code reviews.
Detects API keys, passwords, tokens, and other secrets in source code using pattern matching and entropy analysis. Scan directories or specific paths for leaked credentials.
This skill should be used when the user asks to "find hardcoded secrets", "audit for credential leaks", "check for API keys in code", "review secret scanning alerts", "rotate a leaked secret", or needs to detect hardcoded credentials, review secret handling patterns, or remediate exposed secrets.