scanning-for-secrets
Detect exposed secrets, API keys, and credentials in code. Use when auditing for secret leaks. Trigger with 'scan for secrets', 'find exposed keys', or 'check credentials'.
Best use case
scanning-for-secrets is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Detect exposed secrets, API keys, and credentials in code. Use when auditing for secret leaks. Trigger with 'scan for secrets', 'find exposed keys', or 'check credentials'.
Teams using scanning-for-secrets should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/scanning-for-secrets/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How scanning-for-secrets Compares
| Feature / Agent | scanning-for-secrets | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Detect exposed secrets, API keys, and credentials in code. Use when auditing for secret leaks. Trigger with 'scan for secrets', 'find exposed keys', or 'check credentials'.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Secret Scanner
Detect exposed API keys, passwords, tokens, and private keys in source code using pattern matching and entropy analysis, with remediation guidance for each finding.
## Overview
scan your codebase for exposed secrets, API keys, passwords, and other sensitive credentials. It helps you identify and remediate potential security vulnerabilities before they are committed or deployed.
## How It Works
1. **Initiate Scan**: Claude activates the `secret-scanner` plugin.
2. **Codebase Analysis**: The plugin scans the codebase using pattern matching and entropy analysis.
3. **Report Generation**: A detailed report is generated, highlighting identified secrets, their locations, and suggested remediation steps.
## When to Use This Skill
This skill activates when you need to:
- Scan your codebase for exposed API keys (e.g., AWS, Google, Azure).
- Check for hardcoded passwords in configuration files.
- Identify potential private keys (SSH, PGP) accidentally committed to the repository.
- Proactively find secrets before committing changes.
## Examples
### Example 1: Identifying Exposed AWS Keys
User request: "Scan for AWS keys in the codebase"
The skill will:
1. Activate the `secret-scanner` plugin.
2. Scan the codebase for patterns matching AWS Access Keys (AKIA[0-9A-Z]{16}).
3. Generate a report listing any found keys, their file locations, and remediation steps (e.g., revoking the key).
### Example 2: Checking for Hardcoded Passwords
User request: "Check for exposed credentials in config files"
The skill will:
1. Activate the `secret-scanner` plugin.
2. Scan configuration files (e.g., `database.yml`, `.env`) for password patterns.
3. Generate a report detailing any found passwords and suggesting the use of environment variables.
## Best Practices
- **Regular Scanning**: Schedule regular scans to catch newly introduced secrets.
- **Pre-Commit Hooks**: Integrate the `secret-scanner` into your pre-commit hooks to prevent committing secrets.
- **Review Entropy Analysis**: Carefully review results from entropy analysis, as they may indicate potential secrets not caught by pattern matching.
## Integration
This skill can be integrated with other security tools, such as vulnerability scanners, to provide a comprehensive security assessment of your codebase. It can also be combined with notification plugins to alert you when new secrets are detected.
## Prerequisites
- Access to codebase and configuration files in ${CLAUDE_SKILL_DIR}/
- Security scanning tools installed as needed
- Understanding of security standards and best practices
- Permissions for security analysis operations
## Instructions
1. Identify security scan scope and targets
2. Configure scanning parameters and thresholds
3. Execute security analysis systematically
4. Analyze findings for vulnerabilities and compliance gaps
5. Prioritize issues by severity and impact
6. Generate detailed security report with remediation steps
## Output
- Security scan results with vulnerability details
- Compliance status reports by standard
- Prioritized list of security issues by severity
- Remediation recommendations with code examples
- Executive summary for stakeholders
## Error Handling
If security scanning fails:
- Verify tool installation and configuration
- Check file and directory permissions
- Validate scan target paths
- Review tool-specific error messages
- Ensure network access for dependency checks
## Resources
- Security standard documentation (OWASP, CWE, CVE)
- Compliance framework guidelines (GDPR, HIPAA, PCI-DSS)
- Security scanning tool documentation
- Vulnerability remediation best practicesRelated Skills
scanning-accessibility
Validate WCAG compliance and accessibility standards (ARIA, keyboard navigation). Use when auditing WCAG compliance or screen reader compatibility. Trigger with phrases like "scan accessibility", "check WCAG compliance", or "validate screen readers".
scanning-for-xss-vulnerabilities
Execute this skill enables AI assistant to automatically scan for xss (cross-site scripting) vulnerabilities in code. it is triggered when the user requests to "scan for xss vulnerabilities", "check for xss", or uses the command "/xss". the skill identifies ref... Use when appropriate context detected. Trigger with relevant phrases based on skill purpose.
scanning-for-vulnerabilities
Execute this skill enables comprehensive vulnerability scanning using the vulnerability-scanner plugin. it identifies security vulnerabilities in code, dependencies, and configurations, including cve detection. use this skill when the user asks to scan fo... Use when appropriate context detected. Trigger with relevant phrases based on skill purpose.
scanning-input-validation-practices
Scan for input validation vulnerabilities and injection risks. Use when reviewing user input handling. Trigger with 'scan input validation', 'check injection vulnerabilities', or 'validate sanitization'.
scanning-for-gdpr-compliance
Scan for GDPR compliance issues in data handling and privacy practices. Use when ensuring EU data protection compliance. Trigger with 'scan GDPR compliance', 'check data privacy', or 'validate GDPR'.
scanning-for-data-privacy-issues
Scan for data privacy issues and sensitive information exposure. Use when reviewing data handling practices. Trigger with 'scan privacy issues', 'check sensitive data', or 'validate data protection'.
repo-scanning
Internal process for the repo-scanner agent. Defines the step-by-step procedure for scanning GitHub repos for evidence that supports or explains bug clusters. Not user-invocable — loaded by the agent via its `skills: ["repo-scanning"]` frontmatter property.
integrating-secrets-managers
Manage this skill enables AI assistant to seamlessly integrate with various secrets managers like hashicorp vault and aws secrets manager. it generates configurations and setup code, ensuring best practices for secure credential management. use this skill when... Use when appropriate context detected. Trigger with relevant phrases based on skill purpose.
scanning-container-security
Execute use when you need to work with security and compliance. This skill provides security scanning and vulnerability detection with comprehensive guidance and automation. Trigger with phrases like "scan for vulnerabilities", "implement security controls", or "audit security".
scanning-database-security
Process use when you need to work with security and compliance. This skill provides security scanning and vulnerability detection with comprehensive guidance and automation. Trigger with phrases like "scan for vulnerabilities", "implement security controls", or "audit security".
scanning-market-movers
Detect significant price movements and unusual volume across crypto markets. Calculates significance scores combining price change, volume ratio, and market cap. Use when tracking market movers, finding gainers/losers, or detecting volume spikes. Trigger with phrases like "scan market movers", "top gainers", "biggest losers", "volume spikes", "what's moving", "find pumps", or "market scan".
scanning-api-security
Detect API security vulnerabilities including injection, broken auth, and data exposure. Use when scanning APIs for security vulnerabilities. Trigger with phrases like "scan API security", "check for vulnerabilities", or "audit API security".