Secret Scanner
Security skill that scans code, config files, and repos for accidentally leaked secrets and credentials.
When to Use This Skill
Use this skill when the user:
- Asks to "check for leaked secrets" or "scan for API keys"
- Wants to audit a repo or folder before committing or publishing
- Says "are there any hardcoded passwords in this code?"
- Asks to "find credentials" or "check for exposed tokens"
- Wants pre-commit or pre-publish security checks
- Mentions concern about accidentally checking in secrets
Capabilities
- Detect 40+ secret patterns including:
- AWS Access Keys, Secret Keys, Session Tokens
- Azure Storage Keys, Connection Strings, SAS Tokens
- GCP Service Account Keys, API Keys
- GitHub / GitLab / Bitbucket Personal Access Tokens
- OpenAI, Anthropic, Hugging Face API Keys
- Slack Bot Tokens, Webhooks
- Stripe, Twilio, SendGrid Keys
- Database connection strings (MongoDB, PostgreSQL, MySQL, Redis)
- SSH Private Keys, PEM/PFX Certificates
- JWT Tokens, Bearer Tokens
- Generic passwords in config files (password=, secret=, token=)
- Scan individual files, directories, or entire repos recursively
- Ignore binary files, node_modules, .git, and other non-relevant paths
- Output results as Markdown report or JSON
- Provide severity ratings (Critical, High, Medium, Low)
- Suggest remediation for each finding
How to Scan
Scan a directory
python secret_scanner.py /path/to/project
Scan with JSON output
python secret_scanner.py /path/to/project --json
Scan and save report
python secret_scanner.py /path/to/project --output report.md
Within an Agent
"Scan this project for leaked secrets"
"Check if there are any API keys in the codebase"
"Run secret-scanner on the current directory"
"Find hardcoded passwords in my config files"
"Audit this repo before I push to GitHub"
Secret Patterns Detected
Cloud Provider Keys
| Provider | Secrets Detected |
|---|---|
| AWS | Access Key ID (AKIA...), Secret Access Key, Session Token |
| Azure | Storage Account Key, Connection String, SAS Token, Client Secret |
| GCP | API Key (AIza...), Service Account JSON, OAuth Client Secret |
AI / LLM Keys
| Service | Pattern |
|---|---|
| OpenAI | sk- prefixed API keys |
| Anthropic | sk-ant- prefixed keys |
| Hugging Face | hf_ prefixed tokens |
| Cohere | API keys in config |
Developer Platforms
| Platform | Secrets Detected |
|---|---|
| GitHub | ghp_, gho_, ghu_, ghs_, ghr_ tokens |
| GitLab | glpat- tokens |
| Slack | xoxb-, xoxp-, xoxs- tokens, webhook URLs |
| Stripe | sk_live_, sk_test_, rk_live_ keys |
| Twilio | Account SID, Auth Token |
| SendGrid | SG. prefixed API keys |
Databases & Infrastructure
| Type | Pattern |
|---|---|
| MongoDB | mongodb:// or mongodb+srv:// with credentials |
| PostgreSQL | postgresql:// with embedded password |
| MySQL | mysql:// with embedded password |
| Redis | redis:// with password |
| SSH | -----BEGIN (RSA|EC|OPENSSH) PRIVATE KEY----- |
| Certificates | PEM, PFX, P12 with embedded keys |
Generic Patterns
| Pattern | Description |
|---|---|
| password= | Hardcoded passwords in config/env files |
| secret= | Hardcoded secrets |
| token= | Hardcoded tokens |
| Bearer | Bearer tokens in code |
| Basic Auth | Base64-encoded basic auth headers |
| JWT | eyJ prefixed JWT tokens |
| High Entropy | Long random strings that look like secrets |
Severity Levels
| Severity | Description | Examples |
|---|---|---|
| 🔴 Critical | Active production credentials | AWS Secret Key, Private Keys, DB passwords |
| 🟠 High | Service tokens with broad access | GitHub PAT, Slack Bot Token, Stripe Live Key |
| 🟡 Medium | Keys that may be test/dev | Test API keys, example tokens |
| 🟢 Low | Potential false positives | Generic password= in comments, placeholder values |
Files Scanned
Scans these file types by default:
- Source code:
.py,.js,.ts,.java,.go,.rb,.php,.cs,.rs - Config:
.json,.yaml,.yml,.toml,.ini,.cfg,.conf - Environment:
.env,.env.local,.env.production - Shell:
.sh,.bash,.zsh,.ps1 - Docs:
.md,.txt - Other:
Dockerfile,docker-compose.yml,Makefile
Ignored Paths
Automatically skips:
node_modules/,vendor/,venv/,.venv/.git/,.svn/__pycache__/,.pytest_cache/- Binary files, images, compiled outputs
package-lock.json,yarn.lock
Remediation Guidance
When secrets are found, the skill recommends:
- Rotate the secret immediately — assume it's compromised
- Remove from code — use environment variables or a secrets manager instead
- Add to .gitignore — prevent
.envand credential files from being committed - Use git-filter-repo — to remove secrets from git history
- Enable pre-commit hooks — to catch secrets before they're committed
Requirements
- Python 3.7+
- No additional dependencies (uses Python standard library)
Entry Point
- CLI:
secret_scanner.py
Tags
#security #secrets #credentials #api-keys #tokens #passwords #scanner #audit #pre-commit #leak-detection #cloud #aws #azure #gcp #devops