scan-secrets
Scan codebase for hardcoded secrets, API keys, credentials, and sensitive data
From securitynpx claudepluginhub melodic-software/claude-code-plugins --plugin securityThis skill is limited to using the following tools:
Scan Secrets Command
Scan code for hardcoded secrets, API keys, tokens, and credentials.
Usage
/security:scan-secrets # Scan current directory
/security:scan-secrets src/ # Scan specific directory
/security:scan-secrets --all # Scan entire repository
/security:scan-secrets --staged # Scan staged git changes only
Execution
Delegate to the secrets-scanner agent with the following prompt:
If no arguments provided: "Scan the current working directory for hardcoded secrets, API keys, credentials, tokens, and sensitive data patterns. Report findings with severity classification, file locations, and remediation guidance. Validate findings to minimize false positives."
If --all argument:
"Scan the entire repository for hardcoded secrets, API keys, credentials, tokens, and sensitive data patterns. Exclude common false positive locations (node_modules, vendor, .git). Report findings with severity classification, file locations, and remediation guidance."
If --staged argument:
"Scan staged git changes (git diff --staged) for hardcoded secrets, API keys, credentials, tokens, and sensitive data patterns. This is a pre-commit check. Report findings with severity classification and remediation guidance."
If path specified: "Scan $ARGUMENTS for hardcoded secrets, API keys, credentials, tokens, and sensitive data patterns. Report findings with severity classification, file locations, and remediation guidance. Validate findings to minimize false positives."
Output
The secrets-scanner agent produces a report including:
- Summary of findings by severity
- Each finding with file, line, pattern type, and confidence
- Remediation steps (rotate credential, move to environment variable, etc.)
- False positive analysis where applicable