secret-scanner
Scans files, repos, and directories for leaked secrets — API keys, tokens, passwords, connection strings, private keys, and credentials. Detects 40+ secret patterns across all major cloud providers and services.
Best use case
secret-scanner is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using secret-scanner should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/secret-scanner/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
How secret-scanner Compares
| Feature / Agent | secret-scanner | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Scans files, repos, and directories for leaked secrets — API keys, tokens, passwords, connection strings, private keys, and credentials. Detects 40+ secret patterns across all major cloud providers and services.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Secret Scanner

Security skill that scans code, config files, and repos for accidentally leaked secrets and credentials.

## When to Use This Skill

Use this skill when the user:

- Asks to "check for leaked secrets" or "scan for API keys"
- Wants to audit a repo or folder before committing or publishing
- Says "are there any hardcoded passwords in this code?"
- Asks to "find credentials" or "check for exposed tokens"
- Wants pre-commit or pre-publish security checks
- Mentions concern about accidentally checking in secrets

## Capabilities

- Detect **40+ secret patterns** including:
  - AWS Access Keys, Secret Keys, Session Tokens
  - Azure Storage Keys, Connection Strings, SAS Tokens
  - GCP Service Account Keys, API Keys
  - GitHub / GitLab / Bitbucket Personal Access Tokens
  - OpenAI, Anthropic, Hugging Face API Keys
  - Slack Bot Tokens, Webhooks
  - Stripe, Twilio, SendGrid Keys
  - Database connection strings (MongoDB, PostgreSQL, MySQL, Redis)
  - SSH Private Keys, PEM/PFX Certificates
  - JWT Tokens, Bearer Tokens
  - Generic passwords in config files (password=, secret=, token=)
- Scan individual files, directories, or entire repos recursively
- Ignore binary files, node_modules, .git, and other non-relevant paths
- Output results as Markdown report or JSON
- Provide severity ratings (Critical, High, Medium, Low)
- Suggest remediation for each finding

## How to Scan

### Scan a directory

```bash
python secret_scanner.py /path/to/project
```

### Scan with JSON output

```bash
python secret_scanner.py /path/to/project --json
```

### Scan and save report

```bash
python secret_scanner.py /path/to/project --output report.md
```

### Within an Agent

```
"Scan this project for leaked secrets"
"Check if there are any API keys in the codebase"
"Run secret-scanner on the current directory"
"Find hardcoded passwords in my config files"
"Audit this repo before I push to GitHub"
```

## Secret Patterns Detected

### Cloud Provider Keys

| Provider | Secrets Detected |
|----------|------------------|
| **AWS** | Access Key ID (`AKIA...`), Secret Access Key, Session Token |
| **Azure** | Storage Account Key, Connection String, SAS Token, Client Secret |
| **GCP** | API Key (`AIza...`), Service Account JSON, OAuth Client Secret |

### AI / LLM Keys

| Service | Pattern |
|---------|---------|
| **OpenAI** | `sk-` prefixed API keys |
| **Anthropic** | `sk-ant-` prefixed keys |
| **Hugging Face** | `hf_` prefixed tokens |
| **Cohere** | API keys in config |

### Developer Platforms

| Platform | Secrets Detected |
|----------|------------------|
| **GitHub** | `ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_` tokens |
| **GitLab** | `glpat-` tokens |
| **Slack** | `xoxb-`, `xoxp-`, `xoxs-` tokens, webhook URLs |
| **Stripe** | `sk_live_`, `sk_test_`, `rk_live_` keys |
| **Twilio** | Account SID, Auth Token |
| **SendGrid** | `SG.` prefixed API keys |

### Databases & Infrastructure

| Type | Pattern |
|------|---------|
| **MongoDB** | `mongodb://` or `mongodb+srv://` with credentials |
| **PostgreSQL** | `postgresql://` with embedded password |
| **MySQL** | `mysql://` with embedded password |
| **Redis** | `redis://` with password |
| **SSH** | `-----BEGIN (RSA\|EC\|OPENSSH) PRIVATE KEY-----` |
| **Certificates** | PEM, PFX, P12 with embedded keys |

### Generic Patterns

| Pattern | Description |
|---------|-------------|
| **password=** | Hardcoded passwords in config/env files |
| **secret=** | Hardcoded secrets |
| **token=** | Hardcoded tokens |
| **Bearer** | Bearer tokens in code |
| **Basic Auth** | Base64-encoded basic auth headers |
| **JWT** | `eyJ` prefixed JWT tokens |
| **High Entropy** | Long random strings that look like secrets |

## Severity Levels

| Severity | Description | Examples |
|----------|-------------|----------|
| 🔴 **Critical** | Active production credentials | AWS Secret Key, Private Keys, DB passwords |
| 🟠 **High** | Service tokens with broad access | GitHub PAT, Slack Bot Token, Stripe Live Key |
| 🟡 **Medium** | Keys that may be test/dev | Test API keys, example tokens |
| 🟢 **Low** | Potential false positives | Generic password= in comments, placeholder values |

## Files Scanned

Scans these file types by default:

- Source code: `.py`, `.js`, `.ts`, `.java`, `.go`, `.rb`, `.php`, `.cs`, `.rs`
- Config: `.json`, `.yaml`, `.yml`, `.toml`, `.ini`, `.cfg`, `.conf`
- Environment: `.env`, `.env.local`, `.env.production`
- Shell: `.sh`, `.bash`, `.zsh`, `.ps1`
- Docs: `.md`, `.txt`
- Other: `Dockerfile`, `docker-compose.yml`, `Makefile`

## Ignored Paths

Automatically skips:

- `node_modules/`, `vendor/`, `venv/`, `.venv/`
- `.git/`, `.svn/`
- `__pycache__/`, `.pytest_cache/`
- Binary files, images, compiled outputs
- `package-lock.json`, `yarn.lock`

## Remediation Guidance

When secrets are found, the skill recommends:

1. **Rotate the secret immediately** — assume it's compromised
2. **Remove from code** — use environment variables or a secrets manager instead
3. **Add to .gitignore** — prevent `.env` and credential files from being committed
4. **Use git-filter-repo** — to remove secrets from git history
5. **Enable pre-commit hooks** — to catch secrets before they're committed

## Requirements

- Python 3.7+
- No additional dependencies (uses Python standard library)

## Entry Point

- **CLI:** `secret_scanner.py`

## Tags

#security #secrets #credentials #api-keys #tokens #passwords #scanner #audit #pre-commit #leak-detection #cloud #aws #azure #gcp #devops
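The SKILL.md describes pattern rules, an entropy fallback, path ignores and severity downgrades for test/placeholder values, but not how they fit together. The following is an added example written for this page, not the project's `secret_scanner.py`: it is a small standard-library scanner that implements those four mechanisms over a constructed in-memory "repository". The regexes, the severity mapping, the placeholder word list, the 4.0 bits/char entropy threshold and every sample value are assumptions; the tokens are fake and shaped only to match the rules.

```python
"""Added example: a minimal pattern + entropy secret scanner (not the project's code)."""
import math
import re
from dataclasses import dataclass
from pathlib import PurePosixPath

IGNORED_DIRS = {"node_modules", "vendor", "venv", ".venv", ".git", ".svn", "__pycache__", ".pytest_cache"}
IGNORED_FILES = {"package-lock.json", "yarn.lock"}
PLACEHOLDERS = ("changeme", "example", "placeholder", "your_", "<", "xxx", "dummy")  # assumed list

# (rule name, regex, default severity); assumed shapes, ordered most specific first so a
# generic "token=" match never duplicates a finding a specific rule already produced.
RULES = [
    ("AWS Access Key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "Critical"),
    ("Private key", re.compile(r"-----BEGIN (?:RSA|EC|OPENSSH) PRIVATE KEY-----"), "Critical"),
    ("DB connection string with password",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^:\s/]+:[^@\s]+@"), "Critical"),
    ("GitHub token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"), "High"),
    ("Slack token", re.compile(r"\bxox[bps]-[0-9A-Za-z-]{10,}"), "High"),
    ("Stripe key", re.compile(r"\b(?:sk|rk)_(?:live|test)_[0-9A-Za-z]{24,}\b"), "High"),
    ("OpenAI/Anthropic key", re.compile(r"\bsk-(?:ant-)?[A-Za-z0-9_-]{20,}\b"), "High"),
    ("JWT", re.compile(r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"), "Medium"),
    ("Generic password/secret/token assignment",
     re.compile(r"(?i)(?:password|passwd|secret|token)\s*[=:]\s*[\"']?([^\s\"']{4,})"), "Medium"),
]
ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{32,}")  # candidates for the entropy fallback


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    severity: str
    preview: str  # masked, so the report itself does not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits per character of s; random base64/hex-like secrets sit well above ordinary text."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in {ch: s.count(ch) for ch in set(s)}.values())


def classify(default: str, value: str) -> str:
    """Downgrade obvious placeholders to Low and test/dev keys to Medium, per the severity table."""
    low = value.lower()
    if any(p in low for p in PLACEHOLDERS):
        return "Low"
    if "_test_" in low:
        return "Medium"
    return default


def is_ignored(path: str) -> bool:
    p = PurePosixPath(path)
    return bool(IGNORED_DIRS & set(p.parts[:-1])) or p.name in IGNORED_FILES


def mask(value: str) -> str:
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "****"


def scan_text(path: str, text: str) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        taken = []  # spans already reported on this line, to suppress overlapping duplicates

        def free(span):
            return not any(s < span[1] and span[0] < e for s, e in taken)

        for name, rx, default in RULES:
            for m in rx.finditer(line):
                if free(m.span()):
                    taken.append(m.span())
                    value = m.group(1) if m.groups() else m.group(0)
                    findings.append(Finding(path, line_no, name, classify(default, value), mask(value)))
        for m in ENTROPY_TOKEN.finditer(line):  # fallback: long random-looking strings no rule knows
            if free(m.span()) and shannon_entropy(m.group(0)) > 4.0:
                taken.append(m.span())
                findings.append(Finding(path, line_no, "High-entropy string", "Medium", mask(m.group(0))))
    return findings


def scan_files(files: dict) -> list:
    """files maps repo-relative POSIX paths to file text; ignored paths are skipped."""
    return [f for path, text in files.items() if not is_ignored(path) for f in scan_text(path, text)]


def summary(findings: list) -> dict:
    counts = {"Critical": 0, "High": 0, "Medium": 0, "Low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def report_markdown(findings: list) -> str:
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    rows = ["| Severity | Rule | Location | Value |", "|---|---|---|---|"]
    for f in sorted(findings, key=lambda f: (order[f.severity], f.path, f.line_no)):
        rows.append(f"| {f.severity} | {f.rule} | {f.path}:{f.line_no} | `{f.preview}` |")
    return "\n".join(rows)


# Constructed sample repository; every value is fake and shaped only to exercise the rules.
SAMPLE_FILES = {
    "src/config.py": "\n".join([
        'AWS_ACCESS_KEY_ID = "AKIAZZZZAAAA0000BBBB"',
        'DATABASE_URL = "postgresql://app:hunter2@db.internal:5432/app"',
        'GITHUB_TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"',
        'STRIPE_KEY = "sk_test_abcdefghijklmnopqrstuvwx"',
        'SLACK_BOT_TOKEN = "xoxb-1234567890-abcdefghij"',
        'ADMIN_PASSWORD = "changeme"',
        'SESSION_SECRET = "c4f9a2e8b17d3f06e95a7c21d8b4f3a0"',
    ]),
    "scripts/deploy.sh": "cat > ~/.ssh/id_rsa <<'EOF'\n-----BEGIN OPENSSH PRIVATE KEY-----\n"
                         "# (key body omitted from this constructed sample)\nEOF\n",
    "src/app.js": 'const hmacKey = "q7Z2mK9pL4wX8vB1nR5tY0cF3hJ6gDsE";\n',
    "node_modules/leftpad/index.js": 'const k = "AKIAZZZZAAAA0000BBBB";\n',  # skipped by path rule
    "yarn.lock": 'resolved "https://registry.example/x"\n',                  # skipped by name rule
}

if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    print(report_markdown(found))
    print(summary(found))
```

Two design points carry over to any real scanner: specific rules run before the generic `password=`/`token=` rule and the entropy fallback, and a span already reported on a line is never reported again, otherwise one GitHub PAT shows up three times (pattern, generic assignment, entropy). Severity is decided on the matched value, so the same Stripe rule yields High for `sk_live_` and Medium for `sk_test_`, and a `password = "changeme"` lands in Low as the severity table suggests. The default-extension allow-list from "Files Scanned" is deliberately left out to keep the example short.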
Related Skills
secret-detection-scanner
Detect secrets, credentials, and sensitive data in code and configurations. Scan git history for secrets, detect API keys, tokens, passwords, check environment files, monitor CI/CD logs for exposure, generate remediation steps, and track secret rotation status.
azure-security-keyvault-secrets-java
Azure Key Vault Secrets Java SDK for secret management. Use when storing, retrieving, or managing passwords, API keys, connection strings, or other sensitive configuration data.
azure-keyvault-secrets-ts
Manage secrets using Azure Key Vault Secrets SDK for JavaScript (@azure/keyvault-secrets). Use when storing and retrieving application secrets or configuration values.
deleting-op-secrets
Deletes or archives secrets in 1Password using the op CLI. Use when the user needs to permanently remove items, archive deprecated credentials, or clean up unused secrets from 1Password vaults. Supports both permanent deletion and archiving for later recovery.
who_dis_network_scanner
AI-driven local network scanner and security analysis tool (Local Network Scanner and AI Security Analyzer)
agentuity-cli-cloud-secret-set
Set a secret. Requires authentication. Use for Agentuity cloud platform operations
agentuity-cli-cloud-secret-push
Push secrets from local .env file to cloud. Requires authentication. Use for Agentuity cloud platform operations
agentuity-cli-cloud-secret-list
List all secrets. Requires authentication. Use for Agentuity cloud platform operations
agentuity-cli-cloud-secret-import
Import secrets from a file to cloud and local .env. Requires authentication. Use for Agentuity cloud platform operations
agentuity-cli-cloud-secret-get
Get a secret value. Requires authentication. Use for Agentuity cloud platform operations
agentuity-cli-cloud-secret-delete
Delete a secret. Requires authentication. Use for Agentuity cloud platform operations
bgo
Automates the complete Blender build-go workflow, from building and packaging your extension/add-on to removing old versions, installing, enabling, and launching Blender for quick testing and iteration.