Secret Scanner Skill
Detect accidentally committed secrets, credentials, and sensitive information in code.
Instructions
You are a secret detection expert. When invoked:
-
Scan for Secrets:
- API keys and tokens
- Passwords and credentials
- Private keys and certificates
- Database connection strings
- OAuth tokens and secrets
- Cloud provider credentials (AWS, GCP, Azure)
- Encryption keys
-
Pattern Detection:
- Regex-based secret detection
- Entropy analysis for high-randomness strings
- Known secret patterns (AWS keys, GitHub tokens, etc.)
- Custom secret patterns
- File type analysis (.env, config files)
- Comment analysis (TODO: remove this key)
-
Contextual Analysis:
- Distinguish real secrets from examples/test data
- Check if secrets are in version control history
- Identify false positives
- Determine secret exposure scope
- Check if secrets are still active
-
Risk Assessment:
- Classify severity (Critical, High, Medium, Low)
- Determine potential impact
- Check if secret has been exposed publicly
- Assess exploitability
- Identify affected systems
-
Generate Report: Create comprehensive secret exposure report with remediation steps
Secret Types and Patterns
Cloud Provider Credentials
AWS
# AWS Access Key ID
AKIA[0-9A-Z]{16}
# AWS Secret Access Key
[0-9a-zA-Z/+=]{40}
# AWS Session Token
[A-Za-z0-9/+=]{200,}
Google Cloud
# GCP API Key
AIza[0-9A-Za-z-_]{35}
# GCP Service Account
"type": "service_account"
Azure
# Azure Storage Key
[a-zA-Z0-9+/]{88}==
# Azure Client Secret
[0-9a-zA-Z-_~]{34,}
Version Control Tokens
GitHub
# GitHub Personal Access Token
ghp_[0-9a-zA-Z]{36}
# GitHub OAuth Token
gho_[0-9a-zA-Z]{36}
# GitHub App Token
(ghu|ghs)_[0-9a-zA-Z]{36}
GitLab
glpat-[0-9a-zA-Z-_]{20}
Database Credentials
# MongoDB Connection String
mongodb(\+srv)?://[^\s]+
# PostgreSQL Connection String
postgres(ql)?://[^\s]+
# MySQL Connection String
mysql://[^\s]+
# Generic DB Password
(password|pwd|pass)\s*[:=]\s*['"][^'"]+['"]
API Keys and Tokens
# Generic API Key
api[_-]?key\s*[:=]\s*['"][^'"]+['"]
# Stripe
sk_live_[0-9a-zA-Z]{24,}
# Slack
xox[baprs]-[0-9a-zA-Z-]{10,}
# Twilio
SK[0-9a-fA-F]{32}
# SendGrid
SG\.[0-9A-Za-z\-_]{22}\.[0-9A-Za-z\-_]{43}
Private Keys
-----BEGIN (RSA|DSA|EC|OPENSSH|PGP) PRIVATE KEY-----
JWT Tokens
eyJ[A-Za-z0-9-_=]+\.eyJ[A-Za-z0-9-_=]+\.?[A-Za-z0-9-_.+/=]*
Usage Examples
@secret-scanner
@secret-scanner --severity high
@secret-scanner --git-history
@secret-scanner src/
@secret-scanner --include-env-files
@secret-scanner --entropy-check
@secret-scanner --report
Scanning Commands
Using git-secrets
# Install git-secrets
brew install git-secrets # macOS
# or
git clone https://github.com/awslabs/git-secrets.git
# Initialize
git secrets --install
git secrets --register-aws
# Scan repository
git secrets --scan
git secrets --scan-history
# Add custom patterns
git secrets --add 'api[_-]?key\s*[:=]\s*['"'"'][^'"'"']+['"'"']'
git secrets --add 'password\s*[:=]\s*['"'"'][^'"'"']+['"'"']'
Using truffleHog
# Install
pip install truffleHog
# Scan repository
trufflehog git file://. --json
# Scan remote repository
trufflehog git https://github.com/user/repo.git
# Scan with high entropy only
trufflehog git file://. --entropy-only
# Scan specific branch
trufflehog git file://. --branch main
Using gitleaks
# Install
brew install gitleaks # macOS
# Scan repository
gitleaks detect --source . --verbose
# Scan with report
gitleaks detect --source . --report-format json --report-path report.json
# Scan uncommitted files
gitleaks protect --staged
# Scan git history
gitleaks detect --source . --log-opts "--all"
Using detect-secrets
# Install
pip install detect-secrets
# Create baseline
detect-secrets scan > .secrets.baseline
# Audit baseline
detect-secrets audit .secrets.baseline
# Scan for new secrets
detect-secrets scan --baseline .secrets.baseline
Using custom grep patterns
# Scan for AWS keys
grep -r "AKIA[0-9A-Z]\{16\}" .
# Scan for private keys
grep -r "BEGIN.*PRIVATE KEY" .
# Scan for passwords
grep -ri "password\s*=\s*['\"]" . --include="*.js" --include="*.py"
# High entropy strings
grep -r "[a-zA-Z0-9]\{32,\}" .
Secret Scanner Report Format
# Secret Scanner Report
**Repository**: my-application
**Scan Date**: 2024-01-15 14:30:00 UTC
**Branch**: main
**Commits Scanned**: 1,234
**Files Scanned**: 456
---
## Executive Summary
🔴 **CRITICAL SECURITY ISSUE DETECTED**
**Total Secrets Found**: 12
- Critical: 4
- High: 3
- Medium: 3
- Low: 2
**Immediate Actions Required**: 4 secrets need rotation NOW
---
## Critical Secrets (4)
### 🔴 AWS Access Key Exposed
**Severity**: Critical
**File**: src/config/aws.js
**Line**: 12
**Commit**: a3f5c2b (2024-01-10)
**Age**: 5 days
**Secret Found**:
```javascript
const AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE';
const AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY';
Pattern Match: AWS Access Key ID pattern Entropy Score: 4.2 (High)
Risk Assessment:
- Impact: CRITICAL - Full AWS account access
- Scope: All AWS resources in the account
- Exploitability: HIGH - Key is in public repository
- Data at Risk: Production databases, S3 buckets, EC2 instances
Exposure:
- ✅ Committed to repository: Yes
- ✅ Pushed to remote: Yes
- ✅ In public repository: Yes
- ⚠️ Visible in GitHub: Since 2024-01-10
- ⚠️ Present in 5 commits
Immediate Actions:
- ✅ ROTATE CREDENTIALS IMMEDIATELY
- ✅ Revoke exposed keys in AWS Console
- ✅ Check AWS CloudTrail for unauthorized access
- ✅ Review all AWS resources for tampering
- ✅ Enable AWS GuardDuty alerts
- ✅ Implement MFA on root account
Remediation:
# 1. Revoke key immediately via AWS Console or CLI
aws iam delete-access-key --access-key-id AKIAIOSFODNN7EXAMPLE
# 2. Create new key
aws iam create-access-key --user-name production-user
# 3. Update environment variables (DO NOT COMMIT)
export AWS_ACCESS_KEY_ID="new-key-id"
export AWS_SECRET_ACCESS_KEY="new-secret-key"
# 4. Remove from git history
git filter-branch --force --index-filter \
"git rm --cached --ignore-unmatch src/config/aws.js" \
--prune-empty --tag-name-filter cat -- --all
# Or use BFG Repo Cleaner
bfg --replace-text passwords.txt
Prevention:
// NEVER do this:
const AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE';
// ALWAYS do this:
const AWS_ACCESS_KEY_ID = process.env.AWS_ACCESS_KEY_ID;
// Add to .gitignore:
.env
.env.local
.env.production
credentials.json
aws-config.json
Git History Cleanup Required: YES Priority: P0 - Fix immediately
🔴 Database Password in Connection String
Severity: Critical File: config/database.yml Line: 8 Commit: f9e2a1d (2024-01-05)
Secret Found:
production:
url: postgresql://admin:SuperSecret123!@prod-db.example.com:5432/appdb
Pattern Match: PostgreSQL connection string with password Entropy Score: 3.8 (High)
Risk Assessment:
- Impact: CRITICAL - Production database access
- Scope: All production data
- Exploitability: HIGH
- Data at Risk: User data, financial records, PII
Immediate Actions:
- ✅ Change database password immediately
- ✅ Review database access logs for unauthorized queries
- ✅ Check for data exfiltration
- ✅ Update application configuration
- ✅ Implement database firewall rules
Remediation:
# Use environment variables
production:
url: <%= ENV['DATABASE_URL'] %>
# Or use secrets manager
production:
url: <%= SecretsManager.get('database_url') %>
Priority: P0 - Fix immediately
🔴 Private SSH Key Committed
**Severi