
secret-scanner (Secret Scanner)

Scans files, repos, and directories for leaked secrets — API keys, tokens, passwords, connection strings, private keys, and credentials. Detects 40+ secret patterns across all major cloud providers and services.

Author: admin | Source: ClawHub | Version: 0.1.0 | Security check: passed | Downloads: 655 | Price: free | Favorites: 0


Secret Scanner

Security skill that scans code, config files, and repos for accidentally leaked secrets and credentials.

When to Use This Skill

Use this skill when the user:

  • Asks to "check for leaked secrets" or "scan for API keys"
  • Wants to audit a repo or folder before committing or publishing
  • Says "are there any hardcoded passwords in this code?"
  • Asks to "find credentials" or "check for exposed tokens"
  • Wants pre-commit or pre-publish security checks
  • Mentions concern about accidentally checking in secrets

Capabilities

  • Detect 40+ secret patterns including:
      - AWS Access Keys, Secret Keys, Session Tokens
      - Azure Storage Keys, Connection Strings, SAS Tokens
      - GCP Service Account Keys, API Keys
      - GitHub / GitLab / Bitbucket Personal Access Tokens
      - OpenAI, Anthropic, Hugging Face API Keys
      - Slack Bot Tokens, Webhooks
      - Stripe, Twilio, SendGrid Keys
      - Database connection strings (MongoDB, PostgreSQL, MySQL, Redis)
      - SSH Private Keys, PEM/PFX Certificates
      - JWT Tokens, Bearer Tokens
      - Generic passwords in config files (password=, secret=, token=)
  • Scan individual files, directories, or entire repos recursively
  • Ignore binary files, node_modules, .git, and other non-relevant paths
  • Output results as Markdown report or JSON
  • Provide severity ratings (Critical, High, Medium, Low)
  • Suggest remediation for each finding

How to Scan

Scan a directory

CODEBLOCK0

Scan with JSON output

CODEBLOCK1

Scan and save report

CODEBLOCK2

Within an Agent

CODEBLOCK3

Secret Patterns Detected

Cloud Provider Keys
| Provider | Secrets Detected |
|---|---|
| AWS | Access Key ID (AKIA...), Secret Access Key, Session Token |
| Azure | Storage Account Key, Connection String, SAS Token, Client Secret |
| GCP | API Key (AIza...), Service Account JSON, OAuth Client Secret |

AI / LLM Keys
| Service | Pattern |
|---|---|
| OpenAI | INLINECODE2 prefixed API keys |
| Anthropic | sk-ant- prefixed keys |
| Hugging Face | hf_ prefixed tokens |
| Cohere | API keys in config |

Developer Platforms
| Platform | Secrets Detected |
|---|---|
| GitHub | INLINECODE5, gho_, ghu_, ghs_, ghr_ tokens |
| GitLab | glpat- tokens |
| Slack | xoxb-, xoxp-, xoxs- tokens, webhook URLs |
| Stripe | sk_live_, sk_test_, rk_live_ keys |
| Twilio | Account SID, Auth Token |
| SendGrid | SG. prefixed API keys |

Databases & Infrastructure
| Type | Pattern |
|---|---|
| MongoDB | INLINECODE18 or mongodb+srv:// with credentials |
| PostgreSQL | postgresql:// with embedded password |
| MySQL | mysql:// with embedded password |
| Redis | redis:// with password |
| SSH | -----BEGIN (RSA\|EC\|OPENSSH) PRIVATE KEY----- |
| Certificates | PEM, PFX, P12 with embedded keys |

Generic Patterns
| Pattern | Description |
|---|---|
| password= | Hardcoded passwords in config/env files |
| secret= | Hardcoded secrets |
| token= | Hardcoded tokens |
| Bearer | Bearer tokens in code |
| Basic Auth | Base64-encoded basic auth headers |
| JWT | eyJ prefixed JWT tokens |
| High Entropy | Long random strings that look like secrets |

Severity Levels

| Severity | Description | Examples |
|---|---|---|
| 🔴 Critical | Active production credentials | AWS Secret Key, Private Keys, DB passwords |
| 🟠 High | Service tokens with broad access | GitHub PAT, Slack Bot Token, Stripe Live Key |
| 🟡 Medium | Keys that may be test/dev | Test API keys, example tokens |
| 🟢 Low | Potential false positives | Generic password= in comments, placeholder values |
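As an added example (not the skill's own code, which this page does not show), the stdlib-only Python script below demonstrates how a scanner of this kind works: it matches a handful of the prefix and connection-string patterns from the tables above, rates generic password=/secret=/token= assignments by the entropy of the assigned value so placeholders land at Low, and emits the JSON report form. The regexes are simplified assumptions rather than the skill's actual patterns, and the .env content is constructed sample data.

```python
import json
import math
import re

# Simplified stand-ins for the skill's own patterns (assumed here, not the project's code).
PATTERNS = [
    ("AWS Access Key ID", r"\bAKIA[0-9A-Z]{16}\b", "Critical"),
    ("Private key", r"-----BEGIN (?:RSA|EC|OPENSSH) PRIVATE KEY-----", "Critical"),
    ("DB URL with password", r"\b(?:postgresql|mysql|redis|mongodb(?:\+srv)?)://[^:/\s]+:[^@\s]+@", "Critical"),
    ("GitHub token", r"\bgh[opusr]_[A-Za-z0-9]{36}\b", "High"),
    ("Slack token", r"\bxox[bps]-[A-Za-z0-9-]{10,}\b", "High"),
    ("Stripe live key", r"\b(?:sk|rk)_live_[A-Za-z0-9]{24,}\b", "High"),
    ("Anthropic key", r"\bsk-ant-[A-Za-z0-9_-]{20,}\b", "High"),
    ("Stripe test key", r"\bsk_test_[A-Za-z0-9]{24,}\b", "Medium"),
    ("JWT", r"\beyJ[\w-]+\.[\w-]+\.[\w-]+\b", "Medium"),
]
COMPILED = [(name, re.compile(rx), sev) for name, rx, sev in PATTERNS]
# Generic password=/secret=/token= assignments; severity depends on the value's entropy.
GENERIC = re.compile(r"(?i)(password|secret|token)\s*[=:]\s*['\"]?([^\s'\"]{6,})")


def shannon_entropy(s):
    """Bits per character: random keys score ~4+, words like 'changeme' score lower."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def scan_text(text, path="<input>"):
    """Return findings {path, line, kind, severity} for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        kinds = [(n, s) for n, rx, s in COMPILED if rx.search(line)]
        m = GENERIC.search(line)
        if m and not kinds:  # rate the generic hit only when no specific pattern matched
            sev = "Medium" if shannon_entropy(m.group(2)) >= 3.5 else "Low"
            kinds.append((m.group(1).lower() + "= assignment", sev))
        for kind, sev in kinds:
            findings.append({"path": path, "line": lineno, "kind": kind, "severity": sev})
    return findings


# Constructed sample (not real credentials) in the shape of a leaked .env file.
SAMPLE = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DATABASE_URL=postgresql://app:s3cr3tpass@db.internal:5432/app
GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789
password=changeme
SIGNING_SECRET=q7Gz9xLp2Vb4Nw8Rt1Yh6Kd3
"""

if __name__ == "__main__":
    print(json.dumps(scan_text(SAMPLE, ".env"), indent=2))  # JSON report, as the skill offers
```

Running it on a real tree means reading each candidate file and passing its text to scan_text with the file path, skipping the ignored paths listed later on this page.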

Files Scanned

Scans these file types by default:

  • Source code: .py, .js, .ts, .java, .go, .rb, .php, .cs, INLINECODE33
  • Config: .json, .yaml, .yml, .toml, .ini, .cfg, INLINECODE40
  • Environment: .env, .env.local, INLINECODE43
  • Shell: .sh, .bash, .zsh, INLINECODE47
  • Docs: .md, INLINECODE49
  • Other: Dockerfile, docker-compose.yml, INLINECODE52

Ignored Paths

Automatically skips:

  • node_modules/, vendor/, venv/, INLINECODE56
  • INLINECODE57, INLINECODE58
  • INLINECODE59, INLINECODE60
  • Binary files, images, compiled outputs
  • INLINECODE61, INLINECODE62

Remediation Guidance

When secrets are found, the skill recommends:

  1. Rotate the secret immediately — assume it's compromised
  2. Remove from code — use environment variables or a secrets manager instead
  3. Add to .gitignore — prevent .env and credential files from being committed
  4. Use git-filter-repo — to remove secrets from git history
  5. Enable pre-commit hooks — to catch secrets before they're committed

Requirements

  • Python 3.7+
  • No additional dependencies (uses Python standard library)

Entry Point

  • CLI: INLINECODE64

Tags

#security #secrets #credentials #api-keys #tokens #passwords #scanner #audit #pre-commit #leak-detection #cloud #aws #azure #gcp #devops

Site tags

skill ai

Install via conversation

This skill can be installed via conversation on the following platforms:

OpenClaw WorkBuddy QClaw Kimi Claude

Method 1: Install SkillHub and the skill

Help me install SkillHub and the credential-scanner-1776419988 skill

Method 2: Set SkillHub as the preferred skill installation source

Set SkillHub as my preferred skill installation source, then help me install the credential-scanner-1776419988 skill

Install via command line

skillhub install credential-scanner-1776419988

Download

⬇ Download secret-scanner v0.1.0 (free)

File size: 11.16 KB | Published: 2026-4-17 19:20

v0.1.0 (latest) 2026-4-17 19:20
Initial release
