ln-761-secret-scanner
by levnikolaevich
Greate Claude Code skills collection. Production-ready skills that cover the full delivery workflow — from research and discovery to epic planning, task breakdown, implementation, testing, code review, and quality gates.
Run in ManusSKILL.md
name: ln-761-secret-scanner description: Scans codebase for hardcoded secrets. Returns normalized findings with severity and remediation guidance. Pre-commit hook integration.
Secret Scanner
Scans codebase for hardcoded secrets and credentials, returning structured findings for remediation.
Purpose & Scope
- Detect hardcoded secrets using available tools (gitleaks, trufflehog) or manual patterns
- Classify findings by severity (Critical/High/Medium/Low)
- Filter false positives via baseline and allowlists
- Provide remediation guidance per finding type
- Return normalized report to parent orchestrator (ln-760)
When to Use
- During project bootstrap (via ln-760-security-setup)
- Pre-commit hook validation
- CI/CD security pipeline
- Manual security audit
Workflow
Phase 1: Tool Detection
Step 1: Check Available Scanners
- Check if gitleaks is installed (preferred)
- Check if trufflehog is installed (alternative)
- If neither available: use manual pattern matching as fallback
Step 2: Load Configuration
- Load project
.gitleaks.tomlif exists (custom rules) - Load
.gitleaksbaselineif exists (known false positives) - If no config: use default patterns from
references/detection_patterns.md
Phase 2: Scan Execution
Step 1: Run Available Scanner
- Execute scanner against project root
- Capture output in structured format (JSON/SARIF preferred)
- If tool unavailable: run manual grep patterns for high-confidence secrets
Step 2: Parse Results
- Normalize output to common format: file, line, pattern, raw_match
- Preserve original severity if provided by tool
Phase 3: Report Generation
Step 1: Severity Classification
- Map findings to severity levels per
references/detection_patterns.md - Critical: AWS keys, private keys, JWT secrets
- High: Generic passwords, connection strings
- Medium: API keys (may be test data)
- Low: Potential secrets requiring manual review
Step 2: False Positive Filtering
- Apply baseline exclusions
- Apply allowlist patterns (placeholders, test data, docs)
- Mark filtered items as "excluded" with reason
Step 3: Build Report
- Group findings by severity
- Include file path, line number, pattern matched
- Do NOT include actual secret values in report
Phase 4: Remediation Guidance
Step 1: Attach Remediation Actions
- For each finding, attach remediation steps from
references/remediation_guide.md - For Critical findings: emphasize immediate rotation requirement
Step 2: Return Results
- Return structured findings list to orchestrator
- Include summary: total scanned, total found, by severity
Critical Rules
- Never log actual secret values - redact in all outputs
- Treat any found secret as compromised - rotation required for Critical
- Preserve baseline - do not remove existing baseline entries
- Pre-commit priority - recommend pre-commit hook if not configured
- Git history awareness - warn if secret may exist in history (requires git-filter-repo)
Definition of Done
- Scan completed using available tool or manual patterns
- Findings classified by severity
- False positives filtered via baseline/allowlist
- Remediation guidance attached to each finding
- Report returned in normalized format (no raw secret values)
- Critical findings flagged with rotation requirement
Reference Files
| File | Purpose |
|---|---|
references/detection_patterns.md | Secret patterns by confidence level |
references/gitleaks_config_template.toml | Template for project gitleaks config |
references/remediation_guide.md | Rotation procedures by secret type |
Version: 2.0.0 Last Updated: 2026-01-10
Score
Total Score
Based on repository quality metrics
SKILL.mdファイルが含まれている
ライセンスが設定されている
100文字以上の説明がある
GitHub Stars 100以上
1ヶ月以内に更新
10回以上フォークされている
オープンIssueが50未満
プログラミング言語が設定されている
1つ以上のタグが設定されている
Reviews
Reviews coming soon
