secret-detection-scanner

Detect secrets, credentials, and sensitive data in code and configurations. Scan git history for secrets, detect API keys, tokens, passwords, check environment files, monitor CI/CD logs for exposure, generate remediation steps, and track secret rotation status.

16 stars

Best use case

secret-detection-scanner is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using secret-detection-scanner should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/secret-detection-scanner/SKILL.md --create-dirs "https://raw.githubusercontent.com/diegosouzapw/awesome-omni-skill/main/skills/development/secret-detection-scanner/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/secret-detection-scanner/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

SKILL.md Source

# secret-detection-scanner

You are **secret-detection-scanner** - a specialized skill for detecting secrets, credentials, and sensitive data in code, configurations, and git history. This skill provides comprehensive capabilities for preventing secret exposure and managing credential security.

## Overview

This skill enables AI-powered secret detection including:
- Gitleaks secret scanning in code and git history
- TruffleHog deep commit scanning
- detect-secrets baseline management
- API key, token, and password detection
- Pre-commit hook integration
- CI/CD pipeline secret monitoring
- Remediation guidance and rotation tracking

## Prerequisites

- Git repository to scan
- CLI tools: gitleaks, trufflehog, detect-secrets (as needed)
- Git for history scanning
- Pre-commit framework (optional)

## Capabilities

### 1. Gitleaks Secret Scanning

Fast and comprehensive secret detection:

```bash
# Scan current directory
gitleaks detect --source . --report-format json --report-path gitleaks-report.json

# Scan with verbose output
gitleaks detect --source . -v --report-format json --report-path gitleaks-report.json

# Scan git history
gitleaks detect --source . --log-opts="--all" --report-format json

# Scan specific commits
gitleaks detect --source . --log-opts="HEAD~10..HEAD" --report-format json

# Scan with custom config
gitleaks detect --source . --config .gitleaks.toml --report-format json

# Scan staged files only (pre-commit)
gitleaks protect --source . --staged --report-format json

# Scan specific branch
gitleaks detect --source . --log-opts="origin/main..HEAD" --report-format json

# Generate SARIF output for GitHub
gitleaks detect --source . --report-format sarif --report-path gitleaks.sarif
```

#### Gitleaks Configuration

```toml
# .gitleaks.toml
[extend]
useDefault = true

[allowlist]
description = "Global allowlist"
paths = [
    '''\.gitleaks\.toml$''',
    # Unanchored: this skips any path containing "test", "spec" or "mock" anywhere
    # (e.g. latest/, contest/). Anchor to directory names if that is too broad.
    '''(.*?)(test|spec|mock)(.*)''',
    '''vendor/''',
    '''node_modules/''',
]

# Custom rule for internal API keys
[[rules]]
id = "internal-api-key"
description = "Internal API Key"
regex = '''INTERNAL_API_KEY\s*=\s*['"]([a-zA-Z0-9]{32})['"]'''
tags = ["internal", "api-key"]
keywords = ["INTERNAL_API_KEY"]

# Allowlist specific findings for this rule (a single table, not an array, in gitleaks 8.x)
[rules.allowlist]
regexes = ['''test-api-key-12345''']
```

### 2. TruffleHog Deep Scanning

Comprehensive entropy and pattern-based detection:

```bash
# Scan filesystem
trufflehog filesystem . --json > trufflehog-results.json

# Scan git repository
trufflehog git file://. --json > trufflehog-git.json

# Scan remote git repository
trufflehog git https://github.com/org/repo.git --json

# Scan specific branch
trufflehog git file://. --branch main --json

# Scan with only verified results
trufflehog git file://. --only-verified --json

# Scan GitHub organization
trufflehog github --org myorg --json

# Scan S3 bucket
trufflehog s3 --bucket mybucket --json

# Include archived repos
trufflehog github --org myorg --include-archived --json
```

#### TruffleHog Detectors

| Category | Secrets Detected |
|----------|------------------|
| Cloud Providers | AWS, GCP, Azure credentials |
| Version Control | GitHub, GitLab tokens |
| Communication | Slack, Discord, Twilio |
| Payment | Stripe, PayPal, Square |
| Database | MongoDB, PostgreSQL, Redis |
| AI/ML | OpenAI, Anthropic, HuggingFace |
| General | Private keys, JWT, OAuth |
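The rule, allowlist and entropy mechanics of sections 1 and 2 in working code, as an added example that is not gitleaks, TruffleHog or the skill's own code: it applies the skill's custom rule and global path allowlist to a constructed three-file repository, scores long tokens with Shannon entropy, and shows that the unanchored `(test|spec|mock)` path entry silently skips `latest/config.py`. The hardened path list, the sample file contents and the rule-level allowlist being applied to the whole line are assumptions made for this example.

```python
import math
import re

# Added example (not gitleaks or TruffleHog code): a minimal scanner that applies the
# rule, allowlist and entropy ideas from sections 1 and 2 to constructed sample files.

# Custom rule from the skill's .gitleaks.toml; the capture group is the secret.
RULES = {
    "internal-api-key": re.compile(r"""INTERNAL_API_KEY\s*=\s*['"]([a-zA-Z0-9]{32})['"]"""),
}
# Rule-level allowlist: a finding is dropped when any regex matches the offending line
# (a simplification of how gitleaks scopes rule allowlists).
RULE_ALLOWLIST = {"internal-api-key": [re.compile(r"test-api-key-12345")]}

# Global path allowlist exactly as written in the skill's config. The
# (.*?)(test|spec|mock)(.*) entry is unanchored, so it also skips "latest/" or "contest/".
PATH_ALLOWLIST_PAGE = [re.compile(p) for p in (
    r"\.gitleaks\.toml$", r"(.*?)(test|spec|mock)(.*)", r"vendor/", r"node_modules/")]
# Hardened variant (an assumption, not from the skill): only whole path segments are skipped.
PATH_ALLOWLIST_HARDENED = [re.compile(p) for p in (
    r"\.gitleaks\.toml$", r"(^|/)(tests?|specs?|mocks?|__mocks__)/", r"(^|/)vendor/", r"(^|/)node_modules/")]

# Candidate tokens for entropy scoring: 20+ chars from the base64/URL-safe alphabet.
TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")


def shannon_entropy(s):
    """Bits per character. A 24-char token with no repeated characters scores log2(24) ~ 4.58;
    repeated or dictionary text scores far lower."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path, text, path_allowlist, entropy_limit=4.5):
    """Return (rule_id, line_number) pairs. Secret values are deliberately not
    returned, in line with the skill's 'never log actual secret values' constraint."""
    if any(rx.search(path) for rx in path_allowlist):
        return []
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule_id, rx in RULES.items():
            if rx.search(line) and not any(a.search(line) for a in RULE_ALLOWLIST.get(rule_id, [])):
                findings.append((rule_id, line_no))
        for tok in TOKEN.findall(line):
            if shannon_entropy(tok) >= entropy_limit:
                findings.append(("high-entropy-string", line_no))
    return findings


def scan_repo(files, path_allowlist):
    """files: {path: contents}. Returns {path: findings}."""
    return {path: scan_text(path, text, path_allowlist) for path, text in files.items()}


# Constructed sample repository; the key-like values are made up and not real credentials.
SAMPLE_FILES = {
    "src/config.py": (
        'INTERNAL_API_KEY = "aaaabbbbccccddddeeeeffffgggghhhh"\n'  # matches the rule, entropy 3.0
        'SESSION_TOKEN = "Zq8K2mP4vN7xR1tL9wJ3bH5c"\n'             # 24 distinct chars, entropy log2(24)
        'BANNER = "aaaaaaaaaaaaaaaaaaaaaaaa"\n'                     # long but entropy 0
    ),
    "src/test_config.py": 'INTERNAL_API_KEY = "aaaabbbbccccddddeeeeffffgggghhhh"  # test-api-key-12345\n',
    "latest/config.py": 'INTERNAL_API_KEY = "aaaabbbbccccddddeeeeffffgggghhhh"\n',
}

if __name__ == "__main__":
    for label, allowlist in (("page", PATH_ALLOWLIST_PAGE), ("hardened", PATH_ALLOWLIST_HARDENED)):
        print(label, scan_repo(SAMPLE_FILES, allowlist))
```

Running it prints both scan results: with the skill's allowlist the key in `latest/config.py` is never seen, while the anchored variant reports it and still suppresses the marked test fixture through the rule-level allowlist.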

### 3. detect-secrets Baseline Management

Baseline-driven secret detection with audit trail:

```bash
# Create baseline
detect-secrets scan > .secrets.baseline

# Scan with existing baseline
detect-secrets scan --baseline .secrets.baseline

# Audit baseline (interactive)
detect-secrets audit .secrets.baseline

# Update baseline
detect-secrets scan --baseline .secrets.baseline --update

# Scan specific files
detect-secrets scan src/ tests/ --baseline .secrets.baseline

# Use specific plugins
detect-secrets scan --list-all-plugins
detect-secrets scan --no-keyword-scan --no-base64-string-scan
```

#### Baseline File Schema

```json
{
  "version": "1.4.0",
  "plugins_used": [
    {"name": "AWSKeyDetector"},
    {"name": "ArtifactoryDetector"},
    {"name": "Base64HighEntropyString", "limit": 4.5},
    {"name": "BasicAuthDetector"},
    {"name": "PrivateKeyDetector"}
  ],
  "filters_used": [
    {"path": "detect_secrets.filters.allowlist.is_line_allowlisted"},
    {"path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies"}
  ],
  "results": {
    "config/settings.py": [
      {
        "type": "Secret Keyword",
        "filename": "config/settings.py",
        "hashed_secret": "abc123...",
        "is_verified": false,
        "line_number": 42
      }
    ]
  }
}
```
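The baseline in practice, as an added example that is not detect-secrets code: a fresh scan is compared against the `results` section of a `.secrets.baseline` using the same SHA-1 `hashed_secret` convention, so the gate reports only findings that are genuinely new or that an audit marked as real. The baseline entries, the fresh findings and the `is_secret` audit flags are constructed for this example.

```python
import hashlib

# Added example (not detect-secrets code): comparing a fresh scan against a
# .secrets.baseline so only new findings are reported, using the SHA-1
# hashed_secret convention detect-secrets stores instead of the raw value.


def hash_secret(secret):
    """detect-secrets records sha1(secret) as hashed_secret; the value itself never enters the file."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest()


# Constructed baseline "results" section. After `detect-secrets audit`, each entry
# carries is_secret: False (reviewed false positive) or True (reviewed real secret).
BASELINE_RESULTS = {
    "config/settings.py": [
        {"type": "Secret Keyword", "hashed_secret": hash_secret("not-a-real-secret"),
         "is_verified": False, "is_secret": False, "line_number": 42},
        {"type": "Secret Keyword", "hashed_secret": hash_secret("hunter2"),
         "is_verified": False, "is_secret": True, "line_number": 58},
        {"type": "Base64 High Entropy String", "hashed_secret": hash_secret("dW5hdWRpdGVkLWNvbnN0cnVjdGVk"),
         "is_verified": False, "line_number": 70},  # never audited: no is_secret key
    ]
}


def index_baseline(results):
    """Key by (filename, type, hashed_secret) so a finding still matches after its line moves."""
    idx = {}
    for filename, entries in results.items():
        for e in entries:
            idx[(filename, e["type"], e["hashed_secret"])] = e
    return idx


def triage(findings, baseline_results):
    """findings: list of (filename, type, raw_secret, line_number) from a fresh scan.
    Returns the buckets a pre-commit or CI gate needs; raw secrets are replaced
    by their hash in the output."""
    idx = index_baseline(baseline_results)
    out = {"new": [], "known_false_positive": [], "known_secret": [], "known_unaudited": []}
    for filename, typ, secret, line in findings:
        h = hash_secret(secret)
        known = idx.get((filename, typ, h))
        record = {"filename": filename, "type": typ, "hashed_secret": h, "line_number": line}
        if known is None:
            out["new"].append(record)
        elif known.get("is_secret") is False:
            out["known_false_positive"].append(record)
        elif known.get("is_secret") is True:
            out["known_secret"].append(record)
        else:
            out["known_unaudited"].append(record)
    return out


def should_block(triaged):
    """Fail the gate on anything new, or on an audited real secret that is still in the tree."""
    return bool(triaged["new"] or triaged["known_secret"])


# Constructed fresh-scan output: the false positive moved from line 42 to 45,
# the audited secret is still present, the unaudited entry is unchanged,
# and one finding has never been seen before.
FRESH_FINDINGS = [
    ("config/settings.py", "Secret Keyword", "not-a-real-secret", 45),
    ("config/settings.py", "Secret Keyword", "hunter2", 61),
    ("config/settings.py", "Base64 High Entropy String", "dW5hdWRpdGVkLWNvbnN0cnVjdGVk", 73),
    ("deploy/env.sh", "Secret Keyword", "s3cr3t-constructed", 7),
]

if __name__ == "__main__":
    t = triage(FRESH_FINDINGS, BASELINE_RESULTS)
    print({k: len(v) for k, v in t.items()}, "block:", should_block(t))
```

Keying on (filename, type, hashed_secret) rather than line number means a reviewed false positive that merely moves does not resurface, while an entry the audit marked as a real secret keeps failing the gate until it is actually removed and rotated.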

### 4. Pre-commit Integration

```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks

  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets
        args: ['--baseline', '.secrets.baseline']

  - repo: https://github.com/trufflesecurity/trufflehog
    rev: v3.63.0
    hooks:
      - id: trufflehog
```

Install and run:

```bash
# Install pre-commit
pip install pre-commit

# Install hooks
pre-commit install

# Run manually on all files
pre-commit run --all-files
```

### 5. CI/CD Integration

#### GitHub Actions

```yaml
name: Secret Scan
on: [push, pull_request]

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

  trufflehog:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: TruffleHog
        uses: trufflesecurity/trufflehog@main
        with:
          extra_args: --only-verified
```

#### GitLab CI

```yaml
secret-scan:
  image:
    name: zricethezav/gitleaks:latest
    entrypoint: [""]   # the image's default entrypoint is gitleaks; clear it so the script runs
  script:
    - gitleaks detect --source . --report-format json --report-path gitleaks-report.json
  artifacts:
    when: always        # gitleaks exits non-zero when it finds leaks; keep the report anyway
    reports:
      secret_detection: gitleaks-report.json
```

### 6. Secret Categories and Patterns

| Category | Examples | Risk Level |
|----------|----------|------------|
| Cloud Credentials | AWS_SECRET_ACCESS_KEY, GCP service account | Critical |
| API Keys | OpenAI, Stripe, SendGrid | High |
| Database | Connection strings, passwords | Critical |
| Private Keys | RSA, SSH, PGP | Critical |
| OAuth/JWT | Bearer tokens, refresh tokens | High |
| Internal | Internal API keys, service tokens | Medium |
| Generic | High-entropy strings | Low-Medium |

### 7. Remediation Workflow

When a secret is detected:

```bash
# 1. Identify affected commits
gitleaks detect --source . --log-opts="--all" -v

# 2. Revoke the secret immediately
# (Provider-specific - AWS console, GitHub settings, etc.)

# 3. Remove from git history (if needed)
# Option A: BFG Repo Cleaner
bfg --delete-files secrets.txt
bfg --replace-text passwords.txt

# Option B: git filter-repo
git filter-repo --path secrets.txt --invert-paths

# 4. Force push (with team coordination)
git push origin --force --all

# 5. Generate new credentials
# (Provider-specific)

# 6. Update deployment
# Update environment variables, secrets managers, etc.

# 7. Add to allowlist if false positive
# Update .gitleaks.toml or .secrets.baseline
```

### 8. Secret Rotation Tracking

```json
{
  "secrets_inventory": [
    {
      "id": "aws-prod-key",
      "type": "AWS_ACCESS_KEY",
      "environment": "production",
      "created_at": "2025-07-01T00:00:00Z",
      "last_rotated": "2025-12-01T00:00:00Z",
      "rotation_policy_days": 90,
      "next_rotation": "2026-03-01T00:00:00Z",
      "status": "valid",
      "storage": "AWS Secrets Manager"
    }
  ],
  "rotation_schedule": {
    "critical": 30,
    "high": 60,
    "medium": 90,
    "low": 180
  }
}
```
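The inventory above turned into concrete checks, as an added example that is not part of the skill: it derives `next_rotation` from `last_rotated` and `rotation_policy_days`, reports each secret as valid, due soon or overdue for a fixed reference time, and flags entries whose own policy is laxer than the `rotation_schedule` for their risk level. The second inventory entry, the mapping from secret type to risk level (taken from section 6) and the seven-day warning window are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Added example (not part of the skill): turning the rotation-tracking JSON into
# concrete status checks. The reference time is passed in so the run is reproducible.

# Schedule from the skill's rotation_schedule (days by risk level); the type-to-risk
# mapping follows section 6 and is an assumption for this example.
ROTATION_SCHEDULE = {"critical": 30, "high": 60, "medium": 90, "low": 180}
RISK_BY_TYPE = {"AWS_ACCESS_KEY": "critical", "GITHUB_TOKEN": "high", "INTERNAL_API_KEY": "medium"}

INVENTORY = [  # first entry copied from the skill's example, second constructed
    {"id": "aws-prod-key", "type": "AWS_ACCESS_KEY", "environment": "production",
     "last_rotated": "2025-12-01T00:00:00Z", "rotation_policy_days": 90, "storage": "AWS Secrets Manager"},
    {"id": "gh-ci-token", "type": "GITHUB_TOKEN", "environment": "ci",
     "last_rotated": "2025-11-01T00:00:00Z", "rotation_policy_days": 60, "storage": "GitHub Actions secrets"},
]


def parse_ts(s):
    """Parse the inventory's UTC timestamps into aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def fmt_ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def next_rotation(entry):
    return parse_ts(entry["last_rotated"]) + timedelta(days=entry["rotation_policy_days"])


def rotation_status(entry, now, warn_days=7):
    """'overdue' once the deadline has passed, 'due-soon' inside the warning window, else 'valid'."""
    due = next_rotation(entry)
    if now >= due:
        return "overdue"
    if now >= due - timedelta(days=warn_days):
        return "due-soon"
    return "valid"


def policy_violations(inventory, schedule=ROTATION_SCHEDULE, risk_by_type=RISK_BY_TYPE):
    """(id, configured_days, allowed_days) for entries rotated less often than their risk level permits.
    Unknown types fall back to the medium schedule."""
    out = []
    for e in inventory:
        allowed = schedule[risk_by_type.get(e["type"], "medium")]
        if e["rotation_policy_days"] > allowed:
            out.append((e["id"], e["rotation_policy_days"], allowed))
    return out


def inventory_report(inventory, now):
    """One status row per secret; no secret material is involved, only metadata."""
    return [{"id": e["id"], "next_rotation": fmt_ts(next_rotation(e)), "status": rotation_status(e, now)}
            for e in inventory]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for row in inventory_report(INVENTORY, now):
        print(row)
    print("policy violations:", policy_violations(INVENTORY))
```

For the skill's own entry the computed `next_rotation` reproduces the `2026-03-01T00:00:00Z` in the JSON, and the policy check points out that a 90-day policy on a critical AWS key is three times what the schedule allows.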

## MCP Server Integration

This skill can leverage the following MCP servers:

| Server | Description | Installation |
|--------|-------------|--------------|
| sast-mcp | TruffleHog, Gitleaks integration | [GitHub](https://github.com/Sengtocxoen/sast-mcp) |
| SecOpsAgentKit secrets-gitleaks | Gitleaks credential detection | [GitHub](https://github.com/AgentSecOps/SecOpsAgentKit) |
| Offensive-MCP-AI | DevSecOps secret detection | [GitHub](https://github.com/cybersecurityup/offensive-mcp-ai) |

## Best Practices

### Prevention

1. **Pre-commit hooks** - Block secrets before commit
2. **Environment variables** - Never hardcode secrets
3. **Secret managers** - Use Vault, AWS Secrets Manager, etc.
4. **.gitignore** - Exclude sensitive files
5. **Education** - Train developers on secure practices

### Detection

1. **Scan regularly** - Daily/weekly full scans
2. **CI/CD integration** - Scan on every PR
3. **Git history** - Don't forget historical commits
4. **Multiple tools** - Different tools catch different patterns
5. **Baseline management** - Track known false positives

### Response

1. **Immediate revocation** - Rotate exposed secrets
2. **Audit impact** - Check for unauthorized access
3. **Clean history** - Remove from git if needed
4. **Document** - Track incidents for compliance

## Process Integration

This skill integrates with the following processes:
- `secret-management.js` - Overall secret lifecycle
- `devsecops-pipeline.js` - DevSecOps automation
- `sast-pipeline.js` - SAST integration
- `incident-response.js` - Security incident handling

## Output Format

When executing operations, provide structured output:

```json
{
  "operation": "secret-scan",
  "status": "completed",
  "scan_type": "full-history",
  "tools_used": ["gitleaks", "trufflehog"],
  "scan_duration_seconds": 45,
  "summary": {
    "total_findings": 12,
    "by_severity": {
      "critical": 2,
      "high": 5,
      "medium": 3,
      "low": 2
    },
    "by_type": {
      "AWS_ACCESS_KEY": 1,
      "GITHUB_TOKEN": 2,
      "GENERIC_API_KEY": 5,
      "PRIVATE_KEY": 1,
      "HIGH_ENTROPY": 3
    },
    "verified": 3,
    "unverified": 9
  },
  "critical_findings": [
    {
      "type": "AWS_ACCESS_KEY",
      "file": "config/aws.py",
      "line": 15,
      "commit": "abc123",
      "author": "dev@example.com",
      "date": "2025-06-15",
      "verified": true,
      "redacted_value": "AKIA***************",
      "remediation": "Rotate AWS access key immediately via IAM console"
    }
  ],
  "artifacts": ["gitleaks-report.json", "trufflehog-results.json"]
}
```
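Producing that structured output from raw scanner findings while honouring the "never display actual secret values" constraint, as an added example that is not the skill's own code: it maps rule ids to the schema's types and to the severities in section 6, counts findings by severity, type and verification state, redacts the value of every critical finding, and runs a final guard that proves no raw secret survived into the serialised report. Input keys follow gitleaks' JSON report fields (`RuleID`, `Secret`, `File`, `StartLine`, `Commit`, `Email`, `Date`); the findings themselves, the `verified` flag standing in for a TruffleHog verification pass, and the `high-entropy` rule id are constructed for this example.

```python
import json

# Added example (not the skill's own code): aggregating raw findings into the
# skill's output schema while enforcing the "never display actual secret values" constraint.

# Severity follows the skill's section 6 table; "high-entropy" as a rule id is constructed,
# the other ids are gitleaks default rule ids.
SEVERITY_BY_RULE = {"aws-access-token": "critical", "private-key": "critical",
                    "github-pat": "high", "generic-api-key": "high", "high-entropy": "low"}
TYPE_BY_RULE = {"aws-access-token": "AWS_ACCESS_KEY", "private-key": "PRIVATE_KEY",
                "github-pat": "GITHUB_TOKEN", "generic-api-key": "GENERIC_API_KEY", "high-entropy": "HIGH_ENTROPY"}
REMEDIATION = {"AWS_ACCESS_KEY": "Rotate AWS access key immediately via IAM console",
               "PRIVATE_KEY": "Generate a new key pair and remove the old public key everywhere it is trusted"}


def redact(value, keep=4):
    """Keep a short prefix (enough to recognise the credential family, e.g. AKIA) and mask the rest."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


# Constructed findings in gitleaks report shape; the secret strings are placeholders, not real credentials.
RAW_FINDINGS = [
    {"RuleID": "aws-access-token", "Secret": "AKIAEXAMPLE000000000", "File": "config/aws.py",
     "StartLine": 15, "Commit": "abc123", "Email": "dev@example.com", "Date": "2025-06-15", "verified": True},
    {"RuleID": "private-key", "Secret": "-----BEGIN RSA PRIVATE KEY-----EXAMPLE", "File": "deploy/id_rsa",
     "StartLine": 1, "Commit": "def456", "Email": "ops@example.com", "Date": "2025-08-02", "verified": False},
    {"RuleID": "github-pat", "Secret": "ghp_EXAMPLEexampleEXAMPLEexample0000", "File": "ci/release.sh",
     "StartLine": 3, "Commit": "0a1b2c", "Email": "dev@example.com", "Date": "2025-09-20", "verified": True},
    {"RuleID": "high-entropy", "Secret": "Zq8K2mP4vN7xR1tL9wJ3bH5c", "File": "src/session.py",
     "StartLine": 9, "Commit": "f00ba7", "Email": "dev@example.com", "Date": "2025-10-11", "verified": False},
]


def build_report(findings, tools_used, duration_s, scan_type="full-history"):
    """Return a dict in the skill's output schema; only redacted values appear in it."""
    by_severity = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    by_type, critical, verified = {}, [], 0
    for f in findings:
        sev = SEVERITY_BY_RULE.get(f["RuleID"], "medium")          # unknown rules default to medium
        typ = TYPE_BY_RULE.get(f["RuleID"], "GENERIC_API_KEY")
        by_severity[sev] += 1
        by_type[typ] = by_type.get(typ, 0) + 1
        verified += 1 if f.get("verified") else 0
        if sev == "critical":
            critical.append({"type": typ, "file": f["File"], "line": f["StartLine"], "commit": f["Commit"],
                             "author": f["Email"], "date": f["Date"], "verified": bool(f.get("verified")),
                             "redacted_value": redact(f["Secret"]),
                             "remediation": REMEDIATION.get(typ, "Revoke and reissue the credential")})
    return {"operation": "secret-scan", "status": "completed", "scan_type": scan_type,
            "tools_used": tools_used, "scan_duration_seconds": duration_s,
            "summary": {"total_findings": len(findings), "by_severity": by_severity, "by_type": by_type,
                        "verified": verified, "unverified": len(findings) - verified},
            "critical_findings": critical}


def leaked_values(report, findings):
    """Final guard before the report is written or shown: any raw secret present in the serialised output."""
    blob = json.dumps(report)
    return [f["Secret"] for f in findings if f["Secret"] in blob]


if __name__ == "__main__":
    report = build_report(RAW_FINDINGS, ["gitleaks", "trufflehog"], 45)
    assert not leaked_values(report, RAW_FINDINGS), "raw secret reached the report"
    print(json.dumps(report, indent=2))
```

The `leaked_values` guard is worth keeping even when every code path redacts, because the report is what ends up in CI logs and ticket systems; a single unredacted field there is itself a new exposure to remediate.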

## Error Handling

### Common Issues

| Error | Cause | Resolution |
|-------|-------|------------|
| `No git repository` | Not in git repo | Initialize or specify path |
| `Baseline mismatch` | Outdated baseline | Update baseline file |
| `Too many findings` | No exclusions | Configure allowlists |
| `Verification failed` | Network/API issues | Check connectivity |

## Constraints

- Never log or display actual secret values
- Always redact findings in reports
- Coordinate with teams before history rewrites
- Document all remediation actions
- Track rotation schedules for compliance
