From brewtools
Scans git-tracked files for leaked secrets such as passwords, API keys, tokens, AWS credentials, DB URLs, and private keys. Categorizes each finding by criticality (CRITICAL, HIGH, MEDIUM, LOW) and generates a report.
npx claudepluginhub kochetkov-ma/claude-brewcode --plugin brewtools
How this skill is triggered — by the user, by Claude, or both
Slash command
/brewtools:secrets-scan
Model: sonnet
This skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
<phase name="1-setup">
Scans codebase for hardcoded secrets, API keys, credentials, tokens, and sensitive data. Supports directories, --all for full repo, --staged for git changes. Reports severity, locations, remediation.
Scans codebases for leaked secrets (API keys, tokens, passwords, private keys), insecure code patterns, and configuration issues. Returns severity-rated findings with file locations and remediation steps.
Audits git repositories for committed secrets using Gitleaks: scans history, baselines false positives, configures rules, integrates with CI, and enforces no-secrets constraints.
EXECUTE using Bash tool:
```bash
git rev-parse --is-inside-work-tree 2>/dev/null || { echo "ERROR: Not git repo"; exit 1; }
REPO=$(git rev-parse --show-toplevel) && cd "$REPO"
TS=$(date +%Y%m%d-%H%M%S)
DIR="$REPO/.claude/reports/${TS}_secrets-scan" && mkdir -p "$DIR"
git ls-files > "$DIR/files.txt"
echo "DIR=$DIR|REPO=$REPO|TS=$TS|TOTAL=$(wc -l < "$DIR/files.txt" | tr -d ' ')"
cat "$DIR/files.txt"
```
STOP if ERROR — must run in git repository.
Batch size (files per agent): ceil(total/10)
Config: Task(subagent_type="general-purpose", model="haiku", description="Agent N/10 scan")
FILES: {FILES}
Read each file → detect secrets → return JSON.
PATTERNS:
| Category | Match |
|---|---|
| Passwords | password/passwd/secret/pwd + = or : |
| API Keys | api_key, access_key, apikey, api_secret |
| Tokens | token, bearer, auth_token, access_token |
| AWS | AKIA[0-9A-Z]{16}, aws_secret, aws_access_key |
| DB URLs | jdbc/mongodb/mysql/postgres with credentials |
| Keys | -----BEGIN.*PRIVATE KEY-----, client_secret, encryption_key |
CRITICALITY:
| Level | Criteria |
|---|---|
| CRITICAL | Real credentials, private keys, DB connection strings |
| HIGH | Real API keys/tokens, AWS creds |
| MEDIUM | Suspicious hardcoded values |
| LOW | Placeholders: changeme, YOUR_KEY, xxx, dummy |
SKIP: env refs (process.env.*, ${VAR}, os.getenv()), placeholders, docs/comments.
OUTPUT (JSON):
{"agent":{N},"scanned":["f1","f2"],"skipped":[{"path":"x","reason":"binary"}],"findings":[{"path":"f","line":1,"content":"pwd=x","desc":"Hardcoded pwd","crit":"HIGH"}]}
No findings: "findings":[]
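One way to run the agent prompt above as code: the pattern table, the criticality table, the SKIP rules and the JSON result, applied to one batch of files. This is an added example, not the brewtools skill's own code; the category precedence, the value-capturing regexes, the placeholder list and the sample files are assumptions.

```python
import re
PATTERNS = [(c, re.compile(rx, re.I)) for c, rx in [  # skill's table, most specific first
    ("Keys", r"-----BEGIN[A-Z ]*PRIVATE KEY-----|\b(client_secret|encryption_key)\b\s*[=:]\s*\S+"),
    ("AWS", r"\bAKIA[0-9A-Z]{16}\b|\b(aws_secret|aws_access_key)\w*\s*[=:]\s*\S+"),
    ("DB URLs", r"\b(jdbc:)?(mongodb|mysql|postgres(ql)?)://[^/\s:]+:[^@\s]+@"),
    ("Passwords", r"\b(password|passwd|secret|pwd)\b\s*[=:]\s*\S+"),
    ("API Keys", r"\b(api_key|access_key|apikey|api_secret)\b\s*[=:]\s*\S+"),
    ("Tokens", r"\b(token|bearer|auth_token|access_token)\b\s*[=:]\s*\S+"),
]]
# SKIP rules: environment references and comment lines are never findings.
ENV_REF = re.compile(r"process\.env\.|\$\{\w+\}|\$[A-Z_][A-Z0-9_]*\b|os\.getenv\(|os\.environ")
COMMENT = re.compile(r"^\s*(#|//|/\*|\*)")
PLACEHOLDER = re.compile(r"changeme|your_key|xxx+|dummy", re.I)  # LOW per the table
# Criticality table. MEDIUM ("suspicious values") needs human review, so it is not auto-assigned.
CRIT = {"Keys": "CRITICAL", "DB URLs": "CRITICAL", "Passwords": "CRITICAL",
        "AWS": "HIGH", "API Keys": "HIGH", "Tokens": "HIGH"}
def criticality(category, matched):
    return "LOW" if PLACEHOLDER.search(matched) else CRIT[category]
def scan_file(path, text):
    """Return the skill's findings[] entries for one file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if COMMENT.match(line) or ENV_REF.search(line):
            continue
        for category, rx in PATTERNS:
            m = rx.search(line)
            if m:
                findings.append({"path": path, "line": lineno, "content": line.strip(),
                                 "desc": f"Hardcoded {category}", "crit": criticality(category, m.group(0))})
                break
    return findings

def agent_report(n, files):
    """Build one agent's JSON result; files maps path -> text, or None for a binary file."""
    scanned, skipped, findings = [], [], []
    for path, text in files.items():
        if text is None:
            skipped.append({"path": path, "reason": "binary"})
            continue
        scanned.append(path)
        findings.extend(scan_file(path, text))
    return {"agent": n, "scanned": scanned, "skipped": skipped, "findings": findings}
SAMPLE = {  # constructed sample batch, not real files; a live run reads paths from files.txt
    "config/db.yml": "url: postgres://app:hunter2@db.internal:5432/app\n",
    "src/aws.py": 'AWS_KEY = "AKIAABCDEFGHIJKLMNOP"\n',
    "src/settings.js": "const token = process.env.API_TOKEN;\n// password = secret123\n",
    "config/app.properties": "db.password=changeme\n",
    "logo.png": None,
}
```

`agent_report(1, SAMPLE)` yields one CRITICAL (DB URL), one HIGH (AWS key id) and one LOW (placeholder password), skips the binary file, and produces nothing for the env reference and the comment.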
Each agent returns scanned[], skipped[] and findings[] (every finding with path + line).
Write {DIR}/report.md:
Scan: {TS} | Repo: {REPO} | Files: {TOTAL} | Agents: 10
| Metric | Count |
|---|---|
| Scanned | {N} |
| Skipped | {N} |
| CRITICAL | {N} |
| HIGH | {N} |
| MEDIUM | {N} |
| LOW | {N} |
Findings per level (CRITICAL, HIGH, MEDIUM, LOW), one table each in this format:
| # | File | Line | Content | Description |
|---|---|---|---|---|
| {ROWS} |
| Agent | Assigned | Scanned | Findings |
|---|---|---|---|
| 1-10 | ... | ... | ... |
| Total | {N} | {N} | {N} |
| # | Path | Agent |
|---|---|---|
| {ALL} |
| # | Path | Reason |
|---|---|---|
| {SKIP} |
## Secrets Scan Complete
| Metric | Value |
|--------|-------|
| Files | {N} |
| CRITICAL | {N} |
| HIGH | {N} |
| MEDIUM | {N} |
| LOW | {N} |
Report: {DIR}/report.md
Trigger: --fix arg OR CRITICAL/HIGH findings exist → AskUserQuestion
| Option | Action |
|---|---|
| Fix interactively | Review each: delete, move to env var, add to .gitignore, skip, mark false positive |
| Add to .gitignore | Append paths |
| Skip | Done |