secrets-scan

Deep detection of hardcoded credentials and sensitive data in source code.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.


Install skill "secrets-scan" with this command: npx skills add jwynia/agent-skills/jwynia-agent-skills-secrets-scan

Secrets Scan


Quick Start

/secrets-scan                  # Scan current directory
/secrets-scan --scope src/     # Scan specific path
/secrets-scan --entropy        # Include high-entropy detection
/secrets-scan --git-history    # Check git commit history

What This Skill Detects

High-Confidence Patterns

Patterns with very low false positive rates:

Type            | Pattern                                    | Provider
AWS Access Key  | AKIA... (20 chars; temporary STS keys use ASIA...) | AWS
AWS Secret Key  | 40-char base64                             | AWS
GitHub Token    | ghp_, gho_, ghu_, ghs_, ghr_               | GitHub
GitLab Token    | glpat-...                                  | GitLab
Slack Token     | xoxb-, xoxp-, xoxa-                        | Slack
Stripe Key      | sk_live_, rk_live_                         | Stripe
Twilio          | SK... (34 chars)                           | Twilio
SendGrid        | SG. followed by base64                     | SendGrid
Private Key     | -----BEGIN (RSA|EC|DSA)?PRIVATE KEY-----   | Various
Google API Key  | AIza... (39 chars)                         | Google

Medium-Confidence Patterns

May require context validation:

Type              | Pattern                              | Notes
Generic API Key   | api[_-]?key.=.['"][a-zA-Z0-9]{16,}   | Keyed on variable names
Generic Secret    | secret.=.['"][^'"]+                  | Context needed
Password          | password.=.['"][^'"]+                | May be config
Connection String | ://[^:]+:[^@]+@                      | DB credentials
Bearer Token      | Bearer [a-zA-Z0-9_-]+                | In headers/code

High-Entropy Detection

Finds potential secrets via entropy analysis:

/secrets-scan --entropy

Detects strings with high randomness that may be:

  • Base64-encoded secrets

  • Hex-encoded tokens

  • Custom API key formats
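The following is an added example of how an entropy pass like the one described above can be built; it is not the skill's own code. It computes Shannon entropy per candidate token, applies separate cutoffs for hex and base64 alphabets (the 3.0 and 4.5 bits-per-character values are assumed, commonly used thresholds, not values documented by secrets-scan), and runs over constructed sample lines that include AWS's documented example secret key and a made-up hex token:

```python
import math
import re
from collections import Counter

# Candidate tokens: hex runs of at least 32 chars, or base64/base64url runs of at
# least 20 chars (optionally padded). Shorter runs are too easy to flag by chance.
HEX_TOKEN = re.compile(r"\b[A-Fa-f0-9]{32,}\b")
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{20,}={0,2}")

# Cutoffs in bits per character. Hex tops out at 4.0 and base64 at 6.0, so these
# sit well above what English identifiers and placeholders reach. Assumed values,
# not thresholds documented by secrets-scan.
HEX_THRESHOLD = 3.0
BASE64_THRESHOLD = 4.5


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character: 'aaaa' -> 0.0, each hex digit once -> 4.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def high_entropy_tokens(line: str) -> list:
    """Return (kind, token) pairs on one line whose entropy crosses the cutoff for its alphabet."""
    hits = []
    for m in HEX_TOKEN.finditer(line):
        if shannon_entropy(m.group(0)) >= HEX_THRESHOLD:
            hits.append(("hex", m.group(0)))
    for m in BASE64_TOKEN.finditer(line):
        tok = m.group(0)
        if HEX_TOKEN.fullmatch(tok):      # already judged against the hex cutoff
            continue
        if shannon_entropy(tok) >= BASE64_THRESHOLD:
            hits.append(("base64", tok))
    return hits


def scan_lines(lines) -> list:
    """(line number, kind, token) for every high-entropy token in the input."""
    return [(i, kind, tok) for i, line in enumerate(lines, start=1)
            for kind, tok in high_entropy_tokens(line)]


# Constructed sample input (no real credentials). Line 1 carries AWS's documented
# example secret key; line 2 a made-up 64-hex-digit token; the rest are the kinds of
# long identifiers and placeholders that should NOT be flagged.
SAMPLE_LINES = [
    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    'session_id = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"',
    "DEFAULT_TIMEOUT_IN_MILLISECONDS = 30000",
    'placeholder = "your-api-key-here-please-replace"',
    'padding = "' + "a" * 36 + '"',
]

if __name__ == "__main__":
    for lineno, kind, tok in scan_lines(SAMPLE_LINES):
        print(f"line {lineno}: {kind} token, entropy {shannon_entropy(tok):.2f}: {tok[:6]}...")
```

Only lines 1 and 2 are reported; the 31-character constant name and the placeholder string both score well under 4.5 bits per character, and the run of repeated characters scores 0. Tuning the two thresholds is the whole trade-off of `--entropy`: lower them and more real keys surface along with more noise.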

Detection Patterns

Cloud Provider Keys

AWS

AKIA[0-9A-Z]{16}        # Access Key ID
[A-Za-z0-9/+=]{40}      # Secret Access Key (context needed)

Azure

[a-zA-Z0-9+/=]{88} # Storage Account Key

GCP

AIza[0-9A-Za-z_-]{35}                                # API Key
[0-9]+-[a-z0-9]{32}\.apps\.googleusercontent\.com    # OAuth Client ID (dots escaped)

Version Control Tokens

GitHub

gh[pousr]_[A-Za-z0-9]{36,}                      # Personal/OAuth/User/Repo/App tokens (ghp_, gho_, ghu_, ghs_, ghr_; the underscore after the prefix is part of the token)
github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}      # Fine-grained PAT

GitLab

glpat-[A-Za-z0-9-_]{20,} # Personal Access Token

Bitbucket

[a-zA-Z0-9]{24} # App Password (context needed)

Payment & Finance

Stripe

sk_live_[a-zA-Z0-9]{24,}    # Secret Key
rk_live_[a-zA-Z0-9]{24,}    # Restricted Key
pk_live_[a-zA-Z0-9]{24,}    # Publishable Key (designed to be client-side; flags a live account in code rather than a secret)

Square

sq0[a-z]{3}-[A-Za-z0-9_-]{22,} # Access Token

PayPal

access_token\$[a-zA-Z0-9._-]+    # OAuth Token (the literal "$" must be escaped, and "-" placed last in the class so it is not read as a range)

Communication Services

Slack

xox[bpas]-[0-9]{10,}-[a-zA-Z0-9]{24,} # Bot/User/App Token

Twilio

SK[a-f0-9]{32}    # API Key SID
[a-f0-9]{32}      # Auth Token (context needed)

SendGrid

SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}    # API Key (dots escaped)

Database Connection Strings

PostgreSQL/MySQL

(postgres|mysql|mariadb)://[^:]+:[^@]+@[^/]+/\w+

MongoDB

mongodb(\+srv)?://[^:]+:[^@]+@    # "+" escaped; an unescaped "(+srv)" is a syntax error in most regex engines

Redis

redis://:[^@]+@

Private Keys

-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----
-----BEGIN PGP PRIVATE KEY BLOCK-----

JWT & Session

eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+    # JWT (base64url header.payload.signature; dots escaped)
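To show how the pattern families above combine into a line-oriented scanner, here is an added Python example that is not the skill's own implementation. It compiles the high-confidence patterns (with the backslashes restored where the flattened page lost them) plus a few medium-confidence ones, runs them over a constructed set of file contents, and renders findings in the report layout used later on this page. The file contents, the Finding type and the redaction rule are assumptions:

```python
import re
from dataclasses import dataclass

# High-confidence patterns from the tables on this page. Each entry: kind -> regex.
HIGH_CONFIDENCE = {
    "AWS Access Key": r"AKIA[0-9A-Z]{16}",
    "GitHub Token": r"gh[pousr]_[A-Za-z0-9]{36,}",
    "GitHub Fine-grained PAT": r"github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}",
    "GitLab Token": r"glpat-[A-Za-z0-9_-]{20,}",
    "Slack Token": r"xox[bpas]-[0-9]{10,}-[a-zA-Z0-9]{24,}",
    "Stripe Live Key": r"(?:sk|rk)_live_[a-zA-Z0-9]{24,}",
    "Twilio API Key SID": r"SK[a-f0-9]{32}",
    "SendGrid API Key": r"SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}",
    "Google API Key": r"AIza[0-9A-Za-z_-]{35}",
    "Private Key": r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----",
    "JWT": r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+",
}

# Medium-confidence patterns: matched case-insensitively and reported one level lower,
# because "password: ..." in a compose file may be a local-dev default.
MEDIUM_CONFIDENCE = {
    "Database Connection String":
        r"(?:postgres(?:ql)?|mysql|mariadb|mongodb(?:\+srv)?|redis)://[^:\s/]*:[^@\s]+@",
    "Generic Password": r"password\s*[=:]\s*['\"]?[^'\"\s]+",
    "Bearer Token": r"Bearer [A-Za-z0-9_.-]{20,}",
}

COMPILED = [
    (severity, kind, re.compile(rx, flags))
    for severity, table, flags in (("CRITICAL", HIGH_CONFIDENCE, 0),
                                   ("HIGH", MEDIUM_CONFIDENCE, re.IGNORECASE))
    for kind, rx in table.items()
]


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    severity: str
    redacted: str


def redact(secret: str) -> str:
    """Keep a locatable prefix/suffix so the report never reproduces the full value."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return f"{secret[:4]}...{secret[-4:]}"


def scan_text(path: str, text: str) -> list:
    """Run every compiled pattern over each line; one Finding per match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for severity, kind, rx in COMPILED:
            for m in rx.finditer(line):
                findings.append(Finding(path, lineno, kind, severity, redact(m.group(0))))
    return findings


def scan_files(files: dict) -> list:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def report(findings: list) -> str:
    """Render findings in the layout of the report shown on this page."""
    out = ["SECRETS SCAN RESULTS", ""]
    for f in findings:
        tag = "[!]" if f.severity == "CRITICAL" else "[H]"
        out += [f"{tag} {f.severity}: {f.kind}", f"    File: {f.path}:{f.line}",
                f"    Pattern: {f.redacted} (redacted)", ""]
    return "\n".join(out)


# Constructed sample input (not real credentials): AWS's documented example access key,
# a GitHub-shaped token made of repeated characters, a compose password, a DB URL and a key header.
SAMPLE_FILES = {
    "src/config/aws.ts": 'export const region = "us-east-1";\n'
                         'export const accessKeyId = "AKIAIOSFODNN7EXAMPLE";\n',
    "docker-compose.yml": "services:\n  db:\n    environment:\n      password: supersecret\n",
    "src/services/api.ts": 'const token = "ghp_' + "a" * 36 + '";\n',
    ".env.example": "DATABASE_URL=postgres://app:changeme@db.internal:5432/app\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n",
}

if __name__ == "__main__":
    print(report(scan_files(SAMPLE_FILES)))
```

Redaction in the report is deliberate: a scan log that echoes the full credential is itself a second leak (CI logs are widely readable and long-lived), so only enough of the match to locate it on the named line is printed.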

Scan Options

Basic Scan

/secrets-scan

Scans for high-confidence patterns only.

With Entropy Analysis

/secrets-scan --entropy

Adds high-entropy string detection (more findings, some false positives).

Specific Scope

/secrets-scan --scope src/api/
/secrets-scan --scope "*.ts"

Git History Scan

/secrets-scan --git-history
/secrets-scan --git-history --since "2024-01-01"

Scans commit history for secrets that were committed and later removed. A secret deleted in a later commit is still retrievable from every clone of the repository, so anything found here must be rotated, not just confirmed absent from HEAD.

Exclude Patterns

/secrets-scan --exclude "*.test.ts" --exclude "fixtures/"

Output Format

Finding Report

SECRETS SCAN RESULTS

High-Confidence Findings: 2
Medium-Confidence Findings: 5
Entropy Findings: 3

[!] CRITICAL: AWS Access Key
    File: src/config/aws.ts:15
    Pattern: AKIAIOSFODNN7EXAMPLE
    Action: Rotate immediately, check CloudTrail

[!] CRITICAL: GitHub Token
    File: .env.example:8
    Pattern: ghp_xxxx...xxxx (redacted)
    Action: Revoke token, remove from history

[H] HIGH: Database Password
    File: docker-compose.yml:23
    Pattern: password: supersecret
    Action: Use environment variable

[M] MEDIUM: Possible API Key
    File: src/services/api.ts:44
    Pattern: apiKey = "a1b2c3..."
    Context: May be test value

Summary Statistics

Files scanned: 342
Patterns checked: 127
Time elapsed: 2.3s

By Severity:
  Critical: 2
  High: 5
  Medium: 8

By Type:
  Cloud credentials: 2
  API keys: 4
  Passwords: 3
  Private keys: 1
  Other: 5

False Positive Handling

Common False Positives

Example/placeholder values

  • AKIAIOSFODNN7EXAMPLE (AWS example)

  • sk_test_... (Stripe test key)

  • your-api-key-here

Test fixtures

  • Mock credentials in test files

  • Fixture data

Documentation

  • README examples

  • API documentation

Ignore File

Create .secrets-scan-ignore:

# Ignore test fixtures
/fixtures/
/mocks/
*.test.ts
*.spec.js

# Ignore documentation
docs/**
*.md

# Ignore specific false positives
src/constants.ts:EXAMPLE_KEY

# Inline ignore comment
# secrets-scan-ignore: test fixture

Inline Ignore

// secrets-scan-ignore: example value
const EXAMPLE_KEY = "AKIAIOSFODNN7EXAMPLE";
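Here is an added Python example, not the skill's own code, of how the ignore file and the inline marker above can be applied to findings before they are reported. The glob handling is a deliberately simplified reading of gitignore rules (leading "/" anchors to the repository root, trailing "/" names a directory, everything else is an fnmatch glob), the "#" comment syntax in the ignore file is assumed, and accepting the inline marker on the line directly above a finding, as well as on the finding's own line, is an assumption about the skill's behaviour:

```python
import fnmatch
import re
from dataclasses import dataclass, field

INLINE_MARKER = "secrets-scan-ignore:"

# Constructed copy of the ignore file shown above; "#" comment lines are assumed syntax.
IGNORE_FILE = """\
# Ignore test fixtures
/fixtures/
/mocks/
*.test.ts
*.spec.js

# Ignore documentation
docs/**
*.md

# Ignore specific false positives
src/constants.ts:EXAMPLE_KEY
"""


@dataclass
class IgnoreRules:
    path_globs: list = field(default_factory=list)
    identifiers: set = field(default_factory=set)   # (path, variable name) pairs


def parse_ignore_file(text: str) -> IgnoreRules:
    """Glob lines suppress whole files; 'path:NAME' lines suppress one variable in one file."""
    rules = IgnoreRules()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        path, sep, name = line.rpartition(":")
        if sep and name and "/" not in name and "*" not in name:
            rules.identifiers.add((path, name))
        else:
            rules.path_globs.append(line)
    return rules


def path_ignored(path: str, globs: list) -> bool:
    """Simplified gitignore semantics (see lead-in); paths are repo-relative with '/' separators."""
    for g in globs:
        anchored, pat = g.startswith("/"), g.strip("/")
        if g.endswith("/"):                     # directory rule
            if path.startswith(pat + "/") or (not anchored and "/" + pat + "/" in path):
                return True
        elif fnmatch.fnmatchcase(path, pat) or (
                not anchored and fnmatch.fnmatchcase(path.rsplit("/", 1)[-1], pat)):
            return True
    return False


# First identifier followed by '=' or ':' on the line, e.g. EXAMPLE_KEY in `const EXAMPLE_KEY = ...`.
IDENT_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*[=:]")


def identifier_on_line(line: str):
    m = IDENT_RE.search(line)
    return m.group(1) if m else None


def is_suppressed(rules: IgnoreRules, path: str, line: str, prev_line: str = "") -> bool:
    """File globs first, then path:NAME rules, then the inline marker on this or the previous line."""
    if path_ignored(path, rules.path_globs):
        return True
    if (path, identifier_on_line(line)) in rules.identifiers:
        return True
    return INLINE_MARKER in line or INLINE_MARKER in prev_line


def surviving_findings(rules: IgnoreRules, findings: list) -> list:
    """Keep (path, line) for findings no rule suppresses."""
    return [(p, l) for p, prev, l in findings if not is_suppressed(rules, p, l, prev)]


# Constructed findings as (path, previous line, line containing the match); values are placeholders.
SAMPLE_FINDINGS = [
    ("src/constants.ts", "", 'export const EXAMPLE_KEY = "<placeholder>";'),        # path:NAME rule
    ("src/config/aws.ts", "", 'export const accessKeyId = "<placeholder>";'),      # nothing matches
    ("tests/api.test.ts", "", 'const token = "<placeholder>";'),                   # *.test.ts
    ("fixtures/keys.json", "", '{"apiKey": "<placeholder>"}'),                     # /fixtures/
    ("docs/setup/quickstart.md", "", "AWS_ACCESS_KEY_ID=<placeholder>"),           # docs/** and *.md
    ("src/demo.ts", "// secrets-scan-ignore: example value", 'const k = "<placeholder>";'),
    ("src/demo2.ts", "", 'const k = "<placeholder>"; // secrets-scan-ignore: example value'),
]

if __name__ == "__main__":
    for path, line in surviving_findings(parse_ignore_file(IGNORE_FILE), SAMPLE_FINDINGS):
        print(f"{path}: {line}")
```

Only src/config/aws.ts survives. Note the order: a suppression that names a file and variable is far safer than a broad glob such as `*.md`, because documentation is exactly where real keys get pasted "temporarily"; prefer the narrowest rule that quiets a known false positive.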

Remediation Steps

When Secrets Are Found

Immediate Actions

  • Rotate the credential immediately

  • Check access logs for unauthorized use

  • Remove from code/config

Clean Git History

Remove the secret from history (git filter-branch is shown; git itself now recommends git filter-repo for this). Rewriting history does not recall existing clones, forks or CI caches, so treat the credential as compromised and rotate it regardless of the cleanup.

git filter-branch --force --index-filter \
  'git rm --cached --ignore-unmatch path/to/file' \
  --prune-empty --tag-name-filter cat -- --all

Or use BFG Repo Cleaner (secrets.txt lists the literal values to replace, one per line):

bfg --replace-text secrets.txt repo.git

After either tool, force-push every branch and tag and have collaborators re-clone rather than pull.

Prevent Future Commits

  • Add pre-commit hooks

  • Configure secret scanning in CI

Prevention

Install pre-commit hook

npx husky add .husky/pre-commit "npx secrets-scan --staged"

Integration

CI/CD Pipeline

GitHub Actions

- name: Secrets Scan
  run: |
    /secrets-scan --fail-on-findings
    exit $?

Exit codes:

0 = No findings

1 = Findings detected

2 = Error during scan

Pre-Commit Hook

#!/bin/sh
# .husky/pre-commit
# Scan only the files staged for this commit; --diff-filter=ACM skips deleted paths,
# which cannot be read. The hook fails the commit when the scan exits non-zero.
files=$(git diff --cached --name-only --diff-filter=ACM)
/secrets-scan --files "$files"

Related Skills

  • /security-scan: Full security analysis

  • /config-scan: Configuration security

  • /dependency-scan: Package vulnerabilities

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
