Detect accidentally committed secrets, API keys, passwords, and other sensitive credentials in code repositories.
| Provider | Pattern | Example Format |
|---|---|---|
| AWS Access Key | `AKIA[0-9A-Z]{16}` | `AKIAIOSFODNN7EXAMPLE` |
| AWS Secret Key | 40-char base64 | `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY` |
| GitHub Token | `ghp_[a-zA-Z0-9]{36}` | `ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx` |
| GitLab Token | `glpat-[a-zA-Z0-9-]{20}` | `glpat-xxxxxxxxxxxxxxxxxxxx` |
| Google API Key | `AIza[0-9A-Za-z\-_]{35}` | `AIzaSyxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx` |
| Stripe Key | `sk_live_[a-zA-Z0-9]{24}` | `sk_live_[EXAMPLE_KEY_HERE]` |
| OpenAI Key | `sk-[a-zA-Z0-9]{48}` | `sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx` |
| Slack Token | `xox[baprs]-[0-9-]+` | `xoxb-123456789-123456789-xxxxx` |

| Type | Pattern | Risk Level |
|---|---|---|
| Password in code | `password\s*=\s*["'][^"']+["']` | Critical |
| Private key | `-----BEGIN.*PRIVATE KEY-----` | Critical |
| Database URL | `(mysql\|postgres\|…` (remainder of the pattern is missing from the source) | |
| Connection string | `Server=.*;Password=.*` | Critical |
| Basic auth | `Authorization.*Basic\s+[A-Za-z0-9+/=]+` | High |
| Bearer token | `Bearer\s+[A-Za-z0-9._-]+` | High |

| Provider | Secret Type | Pattern |
|---|---|---|
| Azure | Connection String | `DefaultEndpointsProtocol=.*AccountKey=.*` |
| Azure | Service Principal | `"clientSecret":\s*"[^"]+"` |
| GCP | Service Account | `"private_key":\s*"-----BEGIN` |
| Firebase | Config | `apiKey.*firebase` |
## Pattern-Based Detection
### High-Confidence Patterns
- Provider-specific key formats (e.g., AWS AKIA prefix)
- Known secret variable names
- Base64 with sufficient length
- Private key headers/footers
### Context Patterns
- Assignment to secret-named variables
- Configuration file formats
- Environment variable references
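A pattern-based scanner that applies a subset of the provider and generic patterns from the tables above and honours allowlist entries in the shape of the `.secret-scan-allowlist.yml` shown under Allowlist Management. This is an added example, not the skill's own code; `scan_text`, `is_allowlisted` and the sample file contents are constructed here.

```python
import re

# Patterns copied from the provider and generic tables on this page (a subset);
# the password pattern is made case-insensitive so DB_PASSWORD also matches.
PATTERNS = {
    "AWS Access Key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "Slack Token": re.compile(r"xox[baprs]-[0-9-]+"),
    "Private key": re.compile(r"-----BEGIN.*PRIVATE KEY-----"),
    "Password in code": re.compile(r"""password\s*=\s*["'][^"']+["']""", re.I),
}

# Entries in the shape of .secret-scan-allowlist.yml from this page.
ALLOWLIST = [
    {"pattern": "AKIAIOSFODNN7EXAMPLE", "reason": "AWS documentation example key"},
    {"file": "docs/examples/config.md", "reason": "Documentation with placeholder values"},
    {"pattern": r"ENC\[.*\]", "reason": "SOPS encrypted values"},
]


def is_allowlisted(path: str, line: str) -> bool:
    # A file entry suppresses the whole file; a pattern entry suppresses matching lines.
    for entry in ALLOWLIST:
        if entry.get("file") == path:
            return True
        if "pattern" in entry and re.search(entry["pattern"], line):
            return True
    return False


def scan_text(path: str, text: str) -> list:
    # One finding per (line, secret type) hit that the allowlist does not suppress.
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if is_allowlisted(path, line):
            continue
        for secret_type, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append({"file": path, "line": lineno,
                                 "type": secret_type, "match": m.group(0)})
    return findings


# Constructed sample repository contents; none of these values are real credentials.
SAMPLE_FILES = {
    "src/config/aws.ts": ('const AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";\n'   # allowlisted
                          'const DB_PASSWORD = "s3cr3t-constructed";\n'        # flagged
                          'const BACKUP_KEY = "AKIAZZZZTESTKEY00001";\n'),     # flagged
    "docs/examples/config.md": "AWS_ACCESS_KEY_ID=AKIAZZZZTESTKEY00001\n",     # file allowlisted
    "deploy/secrets.enc.yaml": "slack: ENC[AES256_GCM,data:xoxb-1234-5678-x,type:str]\n",
}


def scan_files(files: dict) -> list:
    return [f for path, text in files.items() for f in scan_text(path, text)]
```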
## Entropy-Based Detection
### High-Entropy String Detection
- Shannon entropy calculation
- Threshold: >4.5 bits per character
- Length: >20 characters
- Context: assignment or config
### Entropy Calibration
| String Type | Typical Entropy |
|-------------|-----------------|
| English text | 3.5-4.0 |
| Base64 encoded | 5.5-6.0 |
| Random hex | 4.0 |
| API keys | 5.0-6.0 |
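The entropy check described above, carried through with the stated threshold (more than 4.5 bits per character) and length (more than 20 characters) and restricted to assignment or config context. This is an added example rather than the skill's own code; the regex, the helper names and the sample config are constructed here, and the AWS value is the documentation example key from the provider table.

```python
import math
import re
from collections import Counter

ENTROPY_THRESHOLD = 4.5   # bits per character, from the section above
MIN_LENGTH = 20           # only values longer than this are scored

# Context filter: a quoted or bare value assigned with "=" or ":" (assignment or config).
ASSIGNMENT_RE = re.compile(
    r"""(?P<name>[A-Za-z_][A-Za-z0-9_.-]*)\s*[:=]\s*["']?(?P<value>[A-Za-z0-9+/=_\-]+)"""
)


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def max_entropy_for_length(n: int) -> float:
    """Upper bound: a string of n characters cannot exceed log2(n) bits per character."""
    return math.log2(n) if n > 0 else 0.0


def find_high_entropy_values(text, threshold=ENTROPY_THRESHOLD, min_length=MIN_LENGTH):
    """Return (line number, variable name, value, entropy) for each candidate over the threshold."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ASSIGNMENT_RE.finditer(line):
            value = m.group("value")
            if len(value) <= min_length:
                continue
            entropy = shannon_entropy(value)
            if entropy > threshold:
                findings.append((lineno, m.group("name"), value, round(entropy, 2)))
    return findings


# Constructed sample config; the AWS value is the documentation example from the table above.
SAMPLE_CONFIG = """\
APP_NAME = "inventory-service"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
api_token: 3f9a1c2b4d5e6f708192a3b4c5d6e7f8
greeting = "hello hello hello hello hello"
"""
```

Because per-character entropy is bounded by log2(length), a 21-character string tops out near 4.39 bits, so the 4.5 threshold effectively needs about 23 or more characters, and hex-only values (ceiling 4.0, like the 32-character token in the sample) never cross it. Pair entropy scoring with the pattern tables rather than relying on it alone.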
## Secret Scan Report
**Scan Date:** {{date}}
**Repository:** {{repo}}
**Branch:** {{branch}}
**Commit Range:** {{commit_range}}
### Summary
| Severity | Count |
|----------|-------|
| Critical | {{critical}} |
| High | {{high}} |
| Medium | {{medium}} |
| Low | {{low}} |
---
### Critical Findings
#### SECRET-001: AWS Access Key Exposed
**Severity:** Critical
**Type:** AWS Access Key ID
**Confidence:** High (pattern match)
**Location:**
- File: `src/config/aws.ts`
- Line: 12
- Commit: `abc1234`
- Author: `developer@example.com`
**Finding:**
```typescript
const AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";
```
**Git History:**
**Remediation:**
```typescript
const AWS_ACCESS_KEY = process.env.AWS_ACCESS_KEY_ID;
```
```gitignore
# Recommended additions
.env
.env.*
*.pem
*.key
config/local.*
secrets/
```
The following secrets exist in git history and should be rotated even after removal:
```bash
#!/bin/bash
# .git/hooks/pre-commit
echo "Running secret scan on staged files..."
# Run the scan over the staged (added/copied/modified) files only; secret-scan is the
# scanner name used elsewhere on this page. -z/-0 keep paths with spaces intact.
if ! git diff --cached --name-only --diff-filter=ACM -z | xargs -0 secret-scan; then
    echo "ERROR: Secrets detected in staged files!"
    echo "Please remove secrets before committing."
    exit 1
fi
```
---
## Allowlist Management
### Legitimate Exceptions
```yaml
# .secret-scan-allowlist.yml
allowed:
  # Test/example keys (not real)
  - pattern: "AKIAIOSFODNN7EXAMPLE"
    reason: "AWS documentation example key"
  # False positives
  - file: "docs/examples/config.md"
    reason: "Documentation with placeholder values"
  # Encrypted secrets
  - pattern: "ENC\\[.*\\]"
    reason: "SOPS encrypted values"
```
```yaml
# .gitlab-ci.yml: block the merge request pipeline if secrets are detected
secret-scan:
  stage: security
  script:
    - run-secret-scan
  rules:
    # GitLab sets CI_PIPELINE_SOURCE to "merge_request_event" for MR pipelines
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  allow_failure: false
```
```bash
#!/bin/bash
# Scan only staged changes
git diff --cached --name-only | xargs secret-scan
```
## Incident Response
### Immediate Actions (< 1 hour)
1. Assess scope and impact
2. Rotate/revoke exposed credentials
3. Check access logs for unauthorized use
4. Remove from code (create PR)
### Follow-up Actions (< 24 hours)
1. Clean git history if needed
2. Audit for related exposures
3. Update secret management practices
4. Add to pre-commit hooks
### Documentation
1. Create incident report
2. Update security runbook
3. Conduct team briefing