secrets-detector

Scan for secrets using gitleaks:

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "secrets-detector" with this command: npx skills add armanzeroeight/fastagent-plugins/armanzeroeight-fastagent-plugins-secrets-detector

Secrets Detector

Quick Start

Scan for secrets using gitleaks:

Install

brew install gitleaks # macOS

or

pip install detect-secrets

Scan current directory

gitleaks detect --source .

Instructions

Step 1: Choose Detection Tool

Gitleaks (recommended):

gitleaks detect --source . --verbose

detect-secrets:

detect-secrets scan . --all-files

Manual grep patterns:

grep -rn "AKIA[0-9A-Z]{16}" . # AWS Access Key grep -rn "ghp_[a-zA-Z0-9]{36}" . # GitHub Token

Step 2: Scan for Common Patterns

Secret Type Pattern Example

AWS Access Key AKIA[0-9A-Z]{16}

AKIAIOSFODNN7EXAMPLE

AWS Secret Key [A-Za-z0-9/+=]{40}

wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

GitHub Token ghp_[a-zA-Z0-9]{36}

ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

GitHub OAuth gho_[a-zA-Z0-9]{36}

gho_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Slack Token xox[baprs]-[0-9a-zA-Z-]+

xoxb-123456789-abcdefghij

Private Key -----BEGIN.*PRIVATE KEY-----

RSA/EC private keys

Generic API Key api[_-]?key.=.['"][a-zA-Z0-9]{20,}

api_key = "abc123..."

Generic Password password.=.['"][^'"]+['"]

password = "secret123"

Step 3: Check Git History

Secrets may exist in git history even if removed:

Scan entire git history

gitleaks detect --source . --log-opts="--all"

Check specific commits

git log -p --all -S 'password' --source

Step 4: Categorize Findings

Critical - Immediate rotation required:

  • Cloud provider credentials (AWS, GCP, Azure)

  • Database connection strings

  • Private keys

High - Rotate soon:

  • API keys for external services

  • OAuth tokens

  • Webhook secrets

Medium - Review and rotate:

  • Internal service tokens

  • Test credentials that might be reused

Step 5: Report Findings

Secrets Detection Report

Critical (1)

  1. AWS Secret Key - config/aws.js:12
    • Type: AWS credentials
    • Action: Rotate immediately in AWS console

High (2)

  1. GitHub Token - scripts/deploy.sh:45

    • Type: Personal access token
    • Action: Revoke and regenerate

  2. Slack Webhook - src/notifications.js:23

    • Type: Incoming webhook URL
    • Action: Regenerate webhook

Prevention

Pre-commit Hook

.pre-commit-config.yaml

repos:

.gitignore Patterns

Environment files

.env .env.local .env.*.local

Key files

*.pem *.key *_rsa *_ecdsa *_ed25519

Config with secrets

config/secrets.yml credentials.json

Environment Variables

Move secrets to environment variables:

// BAD const apiKey = "sk-abc123...";

// GOOD const apiKey = process.env.API_KEY;

Common False Positives

  • Example/placeholder values in documentation

  • Test fixtures with fake credentials

  • Base64-encoded non-secret data

  • Hash values (SHA, MD5)

Review each finding to confirm it's a real secret before taking action.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Automation

gcp-cost-optimizer

No summary provided by upstream source.

Repository SourceNeeds Review
-11
armanzeroeight
Automation

schema-designer

No summary provided by upstream source.

Repository SourceNeeds Review
-8
armanzeroeight
Automation

terraform-state-manager

No summary provided by upstream source.

Repository SourceNeeds Review
-7
armanzeroeight