Detect and prevent exposure of secrets, credentials, and sensitive data in code and configuration files.
Detects and blocks secrets, API keys, and credentials in code before they're written. Automatically scans AWS keys, GitHub tokens, private keys, and database URLs, blocking high-severity exposures while warning on medium-risk patterns.
Install:

```
/plugin marketplace add cassao29/claude-secure-plugins
/plugin install secrets-validator@claude-secure-plugins
```

This skill inherits all available tools. When active, it can use any tool Claude has access to.
| Pattern | Description | Example |
|---|---|---|
| AWS Keys | AWS Access Key ID | `AKIA[0-9A-Z]{16}` |
| AWS Secret | AWS Secret Access Key | `[0-9a-zA-Z/+]{40}` |
| GitHub Token | Personal Access Token | `ghp_[0-9a-zA-Z]{36}` |
| GitHub OAuth | OAuth Access Token | `gho_[0-9a-zA-Z]{36}` |
| Private Keys | RSA/DSA/EC private keys | `-----BEGIN.*PRIVATE KEY-----` |
| Database URLs | Connection strings with passwords | `postgres://user:pass@host` |
| API Keys | Generic API key patterns | `api[_-]?key.*['\"][0-9a-zA-Z]{20,}` |

| Pattern | Description | Example |
|---|---|---|
| Slack Token | Slack bot/user tokens | `xox[baprs]-[0-9a-zA-Z-]+` |
| Stripe Key | Stripe API keys | `sk_live_[0-9a-zA-Z]{24}` |
| SendGrid | SendGrid API key | `SG\.[0-9A-Za-z-_]{22}\.[0-9A-Za-z-_]{43}` |
| Twilio | Account SID/Auth Token | `AC[0-9a-fA-F]{32}` |
| JWT | JSON Web Tokens | `eyJ[A-Za-z0-9-_]+\.eyJ[A-Za-z0-9-_]+` |

| Pattern | Description |
|---|---|
| `password=` | Hardcoded password assignment |
| `secret=` | Hardcoded secret assignment |
| `token=` | Hardcoded token assignment |
| IP addresses | Internal/private IP addresses |
| Email addresses | Potentially sensitive emails |
```python
# Patterns to detect
AWS_ACCESS_KEY = r'AKIA[0-9A-Z]{16}'
# 40 base64 characters: this also matches any SHA-1 hex digest (e.g. a git commit id),
# so check the surrounding context before treating a hit as high severity
AWS_SECRET_KEY = r'(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])'
AWS_ACCOUNT_ID = r'\b[0-9]{12}\b'
# GitHub token families: personal access, OAuth, app (user/server), refresh
GITHUB_PAT = r'ghp_[0-9a-zA-Z]{36}'
GITHUB_OAUTH = r'gho_[0-9a-zA-Z]{36}'
GITHUB_APP = r'ghu_[0-9a-zA-Z]{36}|ghs_[0-9a-zA-Z]{36}'
GITHUB_REFRESH = r'ghr_[0-9a-zA-Z]{36}'
# PostgreSQL
POSTGRES_URL = r'postgres(?:ql)?://[^:]+:[^@]+@[^/]+/[^\s]+'
# MySQL
MYSQL_URL = r'mysql://[^:]+:[^@]+@[^/]+/[^\s]+'
# MongoDB
MONGO_URL = r'mongodb(?:\+srv)?://[^:]+:[^@]+@[^/]+/[^\s]+'
# Redis
REDIS_URL = r'redis://[^:]+:[^@]+@[^/]+(?:/\d+)?'
PRIVATE_KEY = r'-----BEGIN\s+(?:RSA|DSA|EC|OPENSSH|PGP)\s+PRIVATE\s+KEY-----'
# Environment variables with secrets
ENV_SECRET = r'(?:PASSWORD|SECRET|TOKEN|API_KEY|APIKEY|AUTH|CREDENTIAL)[_\s]*[=:]\s*[\'"]?[^\s\'"]{8,}[\'"]?'
# Hardcoded in code
CODE_SECRET = r'(?:password|secret|token|api_key|apikey|auth_token)\s*[=:]\s*[\'"][^\'"]{8,}[\'"]'
```
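The following is an added example of how these patterns can be applied line by line to produce the block/warn decision described at the top of the page. It is not the plugin's own code: which pattern lands in the high or medium bucket, the `Finding` record, the `redact` helper and the `verdict` function are this example's assumptions, and the extra context check on the 40-character AWS secret pattern (only report it when the line names an AWS secret, so a SHA-1 commit id does not block a write) is a refinement the page does not spell out. The sample file content is constructed; the AWS values are the public documentation example pair.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Pattern strings are the ones listed above. Which pattern sits in which severity
# bucket, and the block/warn verdict, are this example's assumptions about the
# skill's behaviour, derived from the summary at the top of the page.
HIGH = {
    "AWS Access Key ID": re.compile(r"AKIA[0-9A-Z]{16}"),
    "GitHub PAT": re.compile(r"ghp_[0-9a-zA-Z]{36}"),
    "Private key": re.compile(r"-----BEGIN\s+(?:RSA|DSA|EC|OPENSSH|PGP)\s+PRIVATE\s+KEY-----"),
    "PostgreSQL URL": re.compile(r"postgres(?:ql)?://[^:]+:[^@]+@[^/]+/[^\s]+"),
}
MEDIUM = {
    "Slack token": re.compile(r"xox[baprs]-[0-9a-zA-Z-]+"),
    "Stripe live key": re.compile(r"sk_live_[0-9a-zA-Z]{24}"),
    "Hardcoded secret": re.compile(
        r"(?:password|secret|token|api_key|apikey|auth_token)\s*[=:]\s*['\"][^'\"]{8,}['\"]",
        re.IGNORECASE,
    ),
}
# The bare 40-character AWS secret pattern also matches every SHA-1 hex digest
# (for example a git commit id), so this example only reports it when the same
# line names an AWS secret. The context check is an addition, not from the page.
AWS_SECRET = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
AWS_SECRET_CONTEXT = re.compile(r"aws_secret|secret_access_key", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    name: str
    severity: str
    redacted: str  # matched text with its middle masked, safe to show in a report


def redact(secret: str) -> str:
    """Keep only the first and last four characters so the report never leaks the value."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan(text: str) -> list[Finding]:
    """Run every pattern over each line and return findings in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for severity, table in (("high", HIGH), ("medium", MEDIUM)):
            for name, pattern in table.items():
                for m in pattern.finditer(line):
                    findings.append(Finding(line_no, name, severity, redact(m.group(0))))
        m = AWS_SECRET.search(line)
        if m and AWS_SECRET_CONTEXT.search(line):
            findings.append(Finding(line_no, "AWS Secret Access Key", "high", redact(m.group(0))))
    return findings


def verdict(findings: list[Finding]) -> str:
    """'block' if any high-severity hit (write refused), 'warn' if only medium, else 'ok'."""
    if any(f.severity == "high" for f in findings):
        return "block"
    return "warn" if findings else "ok"


# Constructed sample: the AWS values are the public documentation example pair,
# the commit id is an arbitrary SHA-1, nothing here is a live credential.
SAMPLE = """\
# docker-compose.yml (constructed sample)
services:
  api:
    environment:
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
      DATABASE_URL: postgres://app:s3cretpw@db.internal/app
      GIT_COMMIT: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
      STRIPE_KEY: sk_live_abcdefghijklmnopqrstuvwx
"""

if __name__ == "__main__":
    results = scan(SAMPLE)
    for f in results:
        print(f"[{f.severity.upper()}] line {f.line_no}: {f.name} -> {f.redacted}")
    print("verdict:", verdict(results))
```

Run against the sample, the access key, secret key and database URL are reported as high (so the write is blocked), the Stripe key as medium, and the 40-character commit id on the `GIT_COMMIT` line is skipped because nothing on that line names an AWS secret. Redacting the match in the report matters when the report is itself written to a log or a chat transcript.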
File patterns checked for secrets:

```
docker-compose.yml
docker-compose.*.yml
.env
.env.*
*.env
config.yml
config.json
settings.py
settings.json
application.properties
application.yml
*.tf
*.tfvars
terraform.tfstate
*.yaml (Kubernetes)
*.yml (Ansible)
serverless.yml
**/config/**
**/settings/**
**/credentials/**
**/.aws/**
**/.ssh/**
```
Create or validate .gitignore includes:

```gitignore
# Environment files
.env
.env.*
*.env
!.env.example
# Credentials
credentials.json
service-account.json
*-credentials.json
*.pem
*.key
*.p12
*.pfx
# AWS
.aws/credentials
.aws/config
# SSH
.ssh/
id_rsa*
id_dsa*
id_ed25519*
# Terraform
*.tfstate
*.tfstate.*
.terraform/
# IDE
.idea/
.vscode/settings.json
```
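An added example of the "validate" half of that step, not code from the plugin: it reads an existing `.gitignore`, reports which of the entries above are missing, and appends them. The `REQUIRED_IGNORES` subset, the function names and the sample `.gitignore` are this example's own. It also covers the one ordering subtlety in the list: `.env.*` would hide `.env.example`, so the `!.env.example` negation has to appear after it.

```python
from __future__ import annotations

# Entries every repository should ignore (a subset of the list above; the
# ordering keeps the negation after the pattern it overrides).
REQUIRED_IGNORES = [
    ".env", ".env.*", "*.env", "!.env.example",
    "credentials.json", "service-account.json", "*-credentials.json",
    "*.pem", "*.key", "*.p12", "*.pfx",
    ".aws/credentials", ".aws/config",
    ".ssh/", "id_rsa*", "id_dsa*", "id_ed25519*",
    "*.tfstate", "*.tfstate.*", ".terraform/",
]


def parse_gitignore(text: str) -> set[str]:
    """Active patterns only: blank lines and '#' comments are skipped."""
    return {
        line.strip()
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }


def missing_entries(existing: str, required: list[str] = REQUIRED_IGNORES) -> list[str]:
    """Required patterns not present, in the order they should be appended.

    Order matters for the negation: '!.env.example' must come after '.env.*',
    which would otherwise hide the example file that is meant to be committed.
    """
    present = parse_gitignore(existing)
    return [p for p in required if p not in present]


def ensure_gitignore(existing: str, required: list[str] = REQUIRED_IGNORES) -> tuple[str, list[str]]:
    """Append any missing entries under a comment; returns (new text, added entries)."""
    missing = missing_entries(existing, required)
    if not missing:
        return existing, []
    text = existing if not existing or existing.endswith("\n") else existing + "\n"
    text += "\n# Secrets and credentials\n" + "\n".join(missing) + "\n"
    return text, missing


# Constructed sample: a typical .gitignore that ignores .env files but forgot
# the negation for .env.example and most credential file types.
SAMPLE_GITIGNORE = """\
# Build output
node_modules/
dist/
.env
.env.*
*.pem
"""

if __name__ == "__main__":
    new_text, added = ensure_gitignore(SAMPLE_GITIGNORE)
    print("added:", added)
    print(new_text)
```

The check is textual (exact pattern strings), which is what you want for a pre-commit guard: it tells you whether the documented entries are there, not whether some other pattern happens to cover the same files.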
When writing or editing files, this skill:

1. Pre-Write Scan: runs the patterns above against the content before it is written.

2. Suggest Alternatives:

   ```yaml
   # Instead of:
   DB_PASSWORD: supersecret123
   # Use:
   DB_PASSWORD: ${DB_PASSWORD} # From environment
   ```

3. Recommend .env Pattern:

   ```bash
   # Create .env (git-ignored)
   DB_PASSWORD=supersecret123
   # Create .env.example (committed)
   DB_PASSWORD=your_password_here
   ```
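An added example that carries steps 2 and 3 through as one text rewrite (not the plugin's own implementation): for each `KEY: value` line in a compose file whose key name looks like a secret (the keyword list from the `ENV_SECRET` pattern), it replaces the literal with `${KEY}`, writes the real value to a `.env` body and a placeholder to a `.env.example` body. The line-based matching (no YAML parser), the `externalize_secrets` name, the placeholder text and the sample compose file are this example's assumptions.

```python
from __future__ import annotations

import re

# Key names that suggest a secret: the keyword list from the ENV_SECRET pattern above.
SECRET_KEY_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY|APIKEY|AUTH|CREDENTIAL", re.IGNORECASE)
# A "KEY: value" line under a compose `environment:` mapping. Deliberately
# line-based (no YAML parser) so the rewrite preserves the rest of the file.
ENV_LINE = re.compile(r"^(?P<indent>\s*)(?P<key>[A-Z][A-Z0-9_]*):\s*(?P<value>\S.*?)\s*$")

PLACEHOLDER = "change_me_in_production"


def _join(lines: list[str]) -> str:
    return "\n".join(lines) + "\n"


def externalize_secrets(compose_text: str) -> tuple[str, str, str]:
    """Rewrite secret-looking values to ${KEY} references.

    Returns (rewritten compose text, .env contents, .env.example contents).
    The .env text holds the real values and must stay git-ignored; .env.example
    holds placeholders only and is safe to commit. Lines that already reference
    an environment variable (${...}) are left untouched.
    """
    rewritten, env_lines, example_lines = [], [], []
    for line in compose_text.splitlines():
        m = ENV_LINE.match(line)
        if m and SECRET_KEY_NAME.search(m["key"]) and not m["value"].startswith("${"):
            key = m["key"]
            value = m["value"].strip("\"'")  # drop YAML quoting around the literal
            if re.search(r"[\s#]", value):   # dotenv needs quoting for spaces and '#'
                value = f'"{value}"'
            rewritten.append(f"{m['indent']}{key}: ${{{key}}}  # From environment")
            env_lines.append(f"{key}={value}")
            example_lines.append(f"{key}={PLACEHOLDER}")
        else:
            rewritten.append(line)
    return _join(rewritten), _join(env_lines), _join(example_lines)


# Constructed sample compose file; the values are made up.
SAMPLE_COMPOSE = """\
services:
  db:
    image: postgres:16
    environment:
      POSTGRES_USER: app
      POSTGRES_PASSWORD: supersecret123
  api:
    environment:
      DB_HOST: db
      JWT_SECRET: "0123456789abcdef0123456789abcdef"
      API_TOKEN: ${API_TOKEN}
"""

if __name__ == "__main__":
    compose, dotenv, example = externalize_secrets(SAMPLE_COMPOSE)
    print(compose)
    print("--- .env (git-ignored) ---\n" + dotenv)
    print("--- .env.example (committed) ---\n" + example)
```

Only the two keys with secret-looking names are externalized; `POSTGRES_USER` and `DB_HOST` stay literal, and `API_TOKEN` is skipped because it already references the environment.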
```
⛔ SECRET DETECTED - BLOCKING WRITE

Found: AWS Secret Access Key
File: docker-compose.yml
Line: 15

The following line contains what appears to be an AWS Secret Key:
AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

ACTION REQUIRED:
1. Remove the secret from the file
2. Use environment variables instead:
   AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}
3. Store the actual value in .env (git-ignored)
```

```
⚠️ POTENTIAL SECRET DETECTED

Found: Possible API key
File: config.js
Line: 23

Consider:
1. Moving this to environment variables
2. Using a secrets manager (AWS Secrets Manager, HashiCorp Vault)
3. Adding this file to .gitignore

Proceed with caution.
```
Recommend creating .git/hooks/pre-commit (and making it executable with `chmod +x`):

```bash
#!/bin/bash
# Pre-commit hook to scan for secrets
patterns=(
'AKIA[0-9A-Z]{16}'
'ghp_[0-9a-zA-Z]{36}'
'-----BEGIN.*PRIVATE KEY-----'
'password\s*=\s*['\''"][^'\''"]{8,}'
)
# Only inspect added lines ("+" prefix, minus the "+++" file header), so a commit
# that removes a secret is not itself blocked by the line it deletes
added=$(git diff --cached --no-color | grep -E '^\+' | grep -Ev '^\+\+\+')
for pattern in "${patterns[@]}"; do
if printf '%s\n' "$added" | grep -E "$pattern"; then
echo "ERROR: Potential secret detected!"
echo "Pattern: $pattern"
exit 1
fi
done
exit 0
```
Keep real values in `.env` files (git-ignored) and use `.env.example` for documentation (no real values). When generating configurations, always create `.env.example`:
```dotenv
# Database
DB_HOST=localhost
DB_PORT=5432
DB_NAME=myapp
DB_USER=myapp
DB_PASSWORD=change_me_in_production

# Redis
REDIS_HOST=localhost
REDIS_PORT=6379
REDIS_PASSWORD=change_me_in_production

# API Keys (get from respective services)
STRIPE_SECRET_KEY=sk_test_your_key_here
SENDGRID_API_KEY=your_api_key_here

# Application
SECRET_KEY=generate_a_random_32_char_string
JWT_SECRET=generate_another_random_string

# AWS (if needed)
AWS_ACCESS_KEY_ID=your_access_key
AWS_SECRET_ACCESS_KEY=your_secret_key
AWS_REGION=us-east-1
```