Use when the user asks to "scan for secrets", "detect credentials", "sanitize sensitive data", "check for exposed passwords", "run security gate G0", or mentions secret detection, credential scanning, security gate G0, sensitive data masking, API key exposure, token detection.
From jm-adk

npx claudepluginhub javimontano/jm-adk-alfa

This skill is limited to using the following tools:

Files: agents/guardian.md, agents/lead.md, agents/specialist.md, agents/support.md, evals/evals.json, knowledge/body-of-knowledge.md, knowledge/knowledge-graph.md, prompts/meta.md, prompts/primary.md, prompts/variations/deep.md, prompts/variations/quick.md, references/body-of-knowledge.md, references/knowledge-graph.mmd, references/state-of-the-art.md, templates/output.docx.md, templates/output.html

TL;DR: Scans project artifacts for exposed credentials, API keys, passwords, tokens, and sensitive data. Implements Gate G0: no pipeline execution proceeds with unmasked secrets. Detects patterns across configuration files, documents, and code artifacts, then masks or flags findings for remediation.
A single exposed secret can compromise the entire project. Gate G0 is a hard stop: if unmasked credentials are detected in any project artifact, the pipeline halts until they are remediated. Security is not a phase; it is a precondition. [EXPLICIT]
```
# Full secrets scan of project workspace
/pm:secrets-sanitization $ARGUMENTS="--path /project/workspace"

# Scan specific file types only
/pm:secrets-sanitization --type targeted --glob "**/*.{md,yaml,json,env}"

# Remediation verification after masking
/pm:secrets-sanitization --type verify --baseline scan-report-v1.md
```
Parameters:
| Parameter | Required | Description |
|---|---|---|
| `$ARGUMENTS` | Yes | Path to project workspace |
| `--type` | No | `full` (default), `targeted`, `verify` |
| `--glob` | No | File pattern to scan |
| `--baseline` | No | Previous scan report for verification |
| `--severity` | No | Minimum severity to report: `critical`, `high`, `medium` |
{TIPO_PROYECTO} variants:
- `**/*.{env,yaml,yml,json,conf,cfg,properties}` to identify configuration files [PLAN]
- `**/*.{md,txt,doc}` to identify documentation files that may contain credentials [PLAN]
- AKIA, sk-, ghp_, Bearer) as initial indicators [PLAN]
- git log scan or BFG Repo-Cleaner for historical secrets [SUPUESTO]. [EXPLICIT]

Good example — Thorough G0 scan:
| Attribute | Value |
|---|---|
| Files scanned | 342 files across 12 file types |
| Findings | 3 findings: 1 Critical, 1 High, 1 Medium |
| False positive rate | 2 false positives identified and filtered |
| Remediation | Specific steps per finding with owner assigned |
| Gate decision | FAIL — Critical finding requires remediation before proceeding |
| Report | Findings described without exposing actual secrets |
Bad example — Superficial scan:
Scan of only .env files, ignoring documentation, YAML, and JSON. No severity classification, no context analysis. A narrow scan gives false confidence — secrets hide in unexpected places (README examples, CI configs, integration docs). [EXPLICIT]
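
A minimal sketch of the G0 check described above, added here as an illustration and not the skill's own implementation: it scans a constructed workspace for the page's prefixes (AKIA, sk-, ghp_, Bearer), reports only masked values, and fails the gate while any match is unmasked. The regex bodies, severity levels, and function names are assumptions.

```python
import re

# Prefixes come from the page (AKIA, sk-, ghp_, Bearer); the regex bodies and
# severity levels are assumptions made for this example.
PATTERNS = [
    ("aws_access_key_id", "critical", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", "critical", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("sk_api_key", "high", re.compile(r"\bsk-[A-Za-z0-9]{20,}\b")),
    ("bearer_token", "medium", re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{16,}=*")),
]
RANK = {"medium": 1, "high": 2, "critical": 3}


def mask(secret):
    """Keep a 4-character prefix for triage and hide the rest."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan(files, min_severity="medium"):
    """Return findings as dicts; the raw secret never enters the report."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, severity, rx in PATTERNS:
                for m in rx.finditer(line):
                    if RANK[severity] >= RANK[min_severity]:
                        findings.append({"file": path, "line": lineno, "kind": kind,
                                         "severity": severity, "masked": mask(m.group())})
    return findings


def sanitize(text):
    """Replace every match in text with its masked form."""
    for _, _, rx in PATTERNS:
        text = rx.sub(lambda m: mask(m.group()), text)
    return text


def gate_g0(files):
    """Hard stop: any unmasked finding fails the gate."""
    return "FAIL" if scan(files) else "PASS"


# Constructed sample workspace: the values below are fabricated, not real credentials.
SAMPLE = {
    ".env": "AWS_KEY=AKIAA1B2C3D4E5F6G7H8\nDEBUG=true\n",
    "README.md": "Authorization: Bearer abcDEF123456ghiJKL7890\n",
    "ci/deploy.yaml": "token: ghp_" + "a" * 36 + "\n",
}
```

Running `sanitize` over each file and then calling `gate_g0` again corresponds to the `--type verify` pass: the gate only passes once no pattern still matches.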
| Resource | When to Read | Location |
|---|---|---|
| Body of Knowledge | Secret detection patterns and tools | references/body-of-knowledge.md |
| State of the Art | Modern secrets management practices | references/state-of-the-art.md |
| Knowledge Graph | G0 gate in pipeline security | references/knowledge-graph.mmd |
| Use Case Prompts | Secret scanning scenarios | prompts/use-case-prompts.md |
| Metaprompts | Custom detection pattern design | prompts/metaprompts.md |
| Sample Output | Reference G0 scan report | examples/sample-output.md |