armanzeroeight

secrets-detector

by armanzeroeight

🚀 A collection of Claude subagents, skills, rules, guides, and blueprints for Developers, Engineers, and Creators. | Covering programming languages, DevOps, Cloud, and beyond.

20🍴 4📅 Jan 18, 2026

SKILL.md

---
name: secrets-detector
description: Detects hardcoded secrets, API keys, passwords, and credentials in source code. Use when checking for leaked secrets, credential exposure, or before committing code.
---

# Secrets Detector

## Quick Start

Scan for secrets using gitleaks:

```bash
# Install
brew install gitleaks  # macOS
# or
pip install detect-secrets

# Scan current directory
gitleaks detect --source .
```

## Instructions

### Step 1: Choose Detection Tool

Gitleaks (recommended):

```bash
gitleaks detect --source . --verbose
```

detect-secrets:

```bash
detect-secrets scan . --all-files
```

Manual grep patterns (note the `-E` flag: without extended regex, GNU grep treats `{16}` as literal text and the pattern never matches):

```bash
grep -rnE "AKIA[0-9A-Z]{16}" .  # AWS Access Key
grep -rnE "ghp_[a-zA-Z0-9]{36}" .  # GitHub Token
```

### Step 2: Scan for Common Patterns

| Secret Type | Pattern | Example |
|---|---|---|
| AWS Access Key | `AKIA[0-9A-Z]{16}` | `AKIAIOSFODNN7EXAMPLE` |
| AWS Secret Key | `[A-Za-z0-9/+=]{40}` | `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY` |
| GitHub Token | `ghp_[a-zA-Z0-9]{36}` | `ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx` |
| GitHub OAuth | `gho_[a-zA-Z0-9]{36}` | `gho_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx` |
| Slack Token | `xox[baprs]-[0-9a-zA-Z-]+` | `xoxb-123456789-abcdefghij` |
| Private Key | `-----BEGIN.*PRIVATE KEY-----` | RSA/EC private keys |
| Generic API Key | `api[_-]?key.*=.*['\"][a-zA-Z0-9]{20,}` | `api_key = "abc123..."` |
| Generic Password | `password.*=.*['\"][^'\"]+['\"]` | `password = "secret123"` |

### Step 3: Check Git History

Secrets may still exist in git history even after being removed from the working tree:

```bash
# Scan entire git history
gitleaks detect --source . --log-opts="--all"

# Check specific commits
git log -p --all -S 'password' --source
```

### Step 4: Categorize Findings

**Critical** - Immediate rotation required:

- Cloud provider credentials (AWS, GCP, Azure)
- Database connection strings
- Private keys

**High** - Rotate soon:

- API keys for external services
- OAuth tokens
- Webhook secrets

**Medium** - Review and rotate:

- Internal service tokens
- Test credentials that might be reused

### Step 5: Report Findings

```markdown
## Secrets Detection Report

### Critical (1)
1. **AWS Secret Key** - config/aws.js:12
   - Type: AWS credentials
   - Action: Rotate immediately in AWS console

### High (2)
1. **GitHub Token** - scripts/deploy.sh:45
   - Type: Personal access token
   - Action: Revoke and regenerate

2. **Slack Webhook** - src/notifications.js:23
   - Type: Incoming webhook URL
   - Action: Regenerate webhook
```

## Prevention

### Pre-commit Hook

```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks
```

### .gitignore Patterns

```gitignore
# Environment files
.env
.env.local
.env.*.local

# Key files
*.pem
*.key
*_rsa
*_ecdsa
*_ed25519

# Config with secrets
config/secrets.yml
credentials.json
```

### Environment Variables

Move secrets to environment variables:

```javascript
// BAD
const apiKey = "sk-abc123...";

// GOOD
const apiKey = process.env.API_KEY;
```

## Common False Positives

- Example/placeholder values in documentation
- Test fixtures with fake credentials
- Base64-encoded non-secret data
- Hash values (SHA, MD5)

Review each finding to confirm it's a real secret before taking action.
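A small scanner, added here as an example (it is not part of this skill, gitleaks or detect-secrets), that runs the Step 2 patterns over a constructed sample file and separates placeholder hits from findings that need rotation, which is exactly the review the false-positive list asks for. The context gate on the 40-character AWS secret pattern and the placeholder markers are assumed heuristics, not rules from the table:

```python
import re

# Detection patterns taken from the Step 2 table. The bare 40-character AWS secret
# pattern is wrapped in lookarounds and gated on a context word (assumed heuristic),
# because on its own it matches any 40-character base64-looking string such as a
# SHA-1 digest, one of the false positives listed above.
PATTERNS = {
    "AWS Access Key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "AWS Secret Key": re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"),
    "GitHub Token": re.compile(r"ghp_[a-zA-Z0-9]{36}"),
    "GitHub OAuth": re.compile(r"gho_[a-zA-Z0-9]{36}"),
    "Slack Token": re.compile(r"xox[baprs]-[0-9a-zA-Z-]+"),
    "Private Key": re.compile(r"-----BEGIN.*PRIVATE KEY-----"),
    "Generic API Key": re.compile(r"api[_-]?key.*=.*['\"][a-zA-Z0-9]{20,}"),
    "Generic Password": re.compile(r"password.*=.*['\"][^'\"]+['\"]"),
}
# Patterns that only count when the same line names the credential (assumed heuristic).
CONTEXT_REQUIRED = {"AWS Secret Key": re.compile(r"aws|secret", re.IGNORECASE)}
# Markers of documentation or fixture values rather than live secrets (assumed heuristic).
PLACEHOLDER = re.compile(r"EXAMPLE|x{8,}|changeme|<[^>]+>", re.IGNORECASE)


def scan(text):
    """Return (line_no, secret_type, match, is_placeholder) for every hit in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            context = CONTEXT_REQUIRED.get(name)
            if context and not context.search(line):
                continue  # 40-char blob with no AWS/secret wording: treat as noise
            for match in pattern.finditer(line):
                hit = match.group(0)
                findings.append((line_no, name, hit, bool(PLACEHOLDER.search(hit))))
    return findings


def real_findings(text):
    """Hits left after dropping placeholder values, i.e. what actually needs rotation."""
    return [f for f in scan(text) if not f[3]]


# Constructed sample file; the AWS values are the documented example credentials
# from the table, and the SHA-1 is the well-known digest of the empty string.
SAMPLE = """\
# constructed sample, not real credentials
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
git_sha = da39a3ee5e6b4b0d3255bfef95601890afd80709
password = "secret123"
slack = xoxb-123456789-abcdefghij
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for line_no, name, hit, placeholder in scan(SAMPLE):
        print(f"line {line_no}: {name}{' (placeholder)' if placeholder else ''}: {hit}")
```

Running it lists both AWS hits as placeholders and leaves the password, Slack token and private key as the three findings to act on; the SHA-1 on line 4 is never reported because no AWS/secret wording appears beside it.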

## Score

Total Score: 70/100 (based on repository quality metrics)

- SKILL.md: contains a SKILL.md file: +20
- LICENSE: a license is set: +10
- Description: has a description of 100 characters or more: +10
- Popularity: 100 or more GitHub stars: 0/15
- Recent activity: updated within the last month: +10
- Forks: forked 10 or more times: 0/5
- Issue management: fewer than 50 open issues: +5
- Language: a programming language is set: 0/5
- Tags: one or more tags are set: +5
