Skill

secrets-scan

Detects hardcoded credentials, API keys, tokens, and secrets in source code and configs using trufflehog, gitleaks, detect-secrets, and manual patterns. Use for pre-commit reviews, repo audits, and secret detection setup.

Git

security

npx claudepluginhub cmaenner/agent-security-playbook

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Detect hardcoded secrets by following the full procedure in `plays/tier1-code-analysis/secrets-scan.md`.

SKILL.md

Similar Skills

secret-scanner

Scans code, git history, and configs for secrets like API keys, cloud credentials, private keys, and DB strings using regex, entropy, and context. Assesses severity and generates remediation reports.

devkit

detecting-secrets

100

This skill should be used when the user asks to "find hardcoded secrets", "audit for credential leaks", "check for API keys in code", "review secret scanning alerts", "rotate a leaked secret", or needs to detect hardcoded credentials, review secret handling patterns, or remediate exposed secrets.

bitwarden-security-engineer

Secret Scanning

Detects hardcoded secrets, API keys, credentials, tokens, and private keys in source code and git history using regex patterns for pentesting and code reviews.

vuln-scout

Stats

Stars5

Forks2

Last CommitMar 7, 2026

Used By2 plugins

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Secrets Scan

Detect hardcoded secrets by following the full procedure in plays/tier1-code-analysis/secrets-scan.md.

Steps

Run Automated Scanner — Use available tools in preference order:

trufflehog filesystem --directory=<path> --json (recommended)
trufflehog git file://<repo> --json (includes git history)
gitleaks detect --source=<path> --report-format=json
detect-secrets scan <path> --all-files
If no scanner available, proceed with manual pattern analysis.

Manual Pattern Analysis — Search for high-confidence patterns:

AWS keys (AKIA...), OpenAI (sk-...), Anthropic (sk-ant-...), GitHub (ghp_...), Slack (xoxb-...), Stripe (sk_live_...), SendGrid (SG.)
Connection strings with embedded passwords (://user:pass@host)
Private keys (PEM headers), JWT secrets, database credentials
High-risk files: .env, docker-compose*.yml, *.tfvars, terraform.tfstate, kubeconfig, .npmrc, .pypirc

Contextual Analysis — For each detection: Is it real (not a placeholder/test fixture)? Is it active? What's the blast radius (service, permissions, prod vs dev, exposure duration)?

Check Preventive Controls — Verify: .gitignore covers sensitive files, pre-commit hooks for secret scanning, CI pipeline scanning, secrets management documentation.

Important: Never include actual secret values in findings. Show redacted versions only (e.g., AKIA****EXAMPLE). Active production secrets require immediate rotation.

Output

Scan summary, findings using templates/finding.md, preventive controls checklist, and immediate rotation actions if needed.

OWASP References

A07:2021: Identification and Authentication Failures

CWE-798: Use of Hard-coded Credentials

CWE-312: Cleartext Storage of Sensitive Information