# Secret Scanner

Security skill that scans code, config files, and repos for accidentally leaked secrets and credentials.
## When to Use This Skill

Use this skill when the user:

- Asks to "check for leaked secrets" or "scan for API keys"
- Wants to audit a repo or folder before committing or publishing
- Says "are there any hardcoded passwords in this code?"
- Asks to "find credentials" or "check for exposed tokens"
- Wants pre-commit or pre-publish security checks
- Mentions concern about accidentally checking in secrets
## Capabilities

- Detect 40+ secret patterns including:
  - AWS Access Keys, Secret Keys, Session Tokens
  - Azure Storage Keys, Connection Strings, SAS Tokens
  - GCP Service Account Keys, API Keys
  - GitHub / GitLab / Bitbucket Personal Access Tokens
  - OpenAI, Anthropic, Hugging Face API Keys
  - Slack Bot Tokens, Webhooks
  - Stripe, Twilio, SendGrid Keys
  - Database connection strings (MongoDB, PostgreSQL, MySQL, Redis)
  - SSH Private Keys, PEM/PFX Certificates
  - JWT Tokens, Bearer Tokens
  - Generic passwords in config files (`password=`, `secret=`, `token=`)
- Scan individual files, directories, or entire repos recursively
- Ignore binary files, `node_modules`, `.git`, and other non-relevant paths
- Output results as Markdown report or JSON
- Provide severity ratings (Critical, High, Medium, Low)
- Suggest remediation for each finding
## How to Scan

### Scan a directory

```bash
python secret_scanner.py /path/to/project
```

### Scan with JSON output

```bash
python secret_scanner.py /path/to/project --json
```

### Scan and save report

```bash
python secret_scanner.py /path/to/project --output report.md
```

### Within an Agent

```text
Scan this project for leaked secrets
Check the codebase for API keys
Run the secret scanner on the current directory
Find hardcoded passwords in my config files
Audit this repo before pushing to GitHub
```
## Secret Patterns Detected

### Cloud Provider Keys

| Provider | Secrets Detected |
|---|---|
| AWS | Access Key ID (`AKIA...`), Secret Access Key, Session Token |
| Azure | Storage Account Key, Connection String, SAS Token, Client Secret |
| GCP | API Key (`AIza...`), Service Account JSON, OAuth Client Secret |
### AI / LLM Keys

| Service | Pattern |
|---|---|
| OpenAI | `sk-` prefixed API keys |
| Anthropic | `sk-ant-` prefixed keys |
| Hugging Face | `hf_` prefixed tokens |
| Cohere | API keys in config |
### Developer Platforms

| Platform | Secrets Detected |
|---|---|
| GitHub | `ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_` tokens |
| GitLab | `glpat-` tokens |
| Slack | `xoxb-`, `xoxp-`, `xoxs-` tokens, webhook URLs |
| Stripe | `sk_live_`, `sk_test_`, `rk_live_` keys |
| Twilio | Account SID, Auth Token |
| SendGrid | `SG.` prefixed API keys |
### Databases & Infrastructure

| Type | Pattern |
|---|---|
| MongoDB | `mongodb://` or `mongodb+srv://` with credentials |
| PostgreSQL | `postgresql://` with embedded password |
| MySQL | `mysql://` with embedded password |
| Redis | `redis://` with password |
| SSH | `-----BEGIN (RSA\|EC\|OPENSSH) PRIVATE KEY-----` |
| Certificates | PEM, PFX, P12 with embedded keys |
### Generic Patterns

| Pattern | Description |
|---|---|
| `password=` | Hardcoded passwords in config/env files |
| `secret=` | Hardcoded secrets |
| `token=` | Hardcoded tokens |
| Bearer | Bearer tokens in code |
| Basic Auth | Base64-encoded basic auth headers |
| JWT | `eyJ` prefixed JWT tokens |
| High Entropy | Long random strings that look like secrets |
## Severity Levels

| Severity | Description | Examples |
|---|---|---|
| 🔴 Critical | Active production credentials | AWS Secret Key, Private Keys, DB passwords |
| 🟠 High | Service tokens with broad access | GitHub PAT, Slack Bot Token, Stripe Live Key |
| 🟡 Medium | Keys that may be test/dev | Test API keys, example tokens |
| 🟢 Low | Potential false positives | Generic `password=` in comments, placeholder values |
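
The pattern tables above list prefixes, not the skill's actual regular expressions, which are not on this page. What follows is an added example, not code from the skill: a stdlib-only detector that turns a handful of those prefixes into regexes, stops the generic `password=`/`secret=`/`token=` rule from re-reporting a value a specific rule already matched on the same span, scores leftover long strings by Shannon entropy for the High Entropy row, and applies the Low downgrade from the severity table to commented-out lines and placeholder values. The regexes, the 4.0 bits/char threshold, the placeholder list, the `Finding` class, the redaction format and the sample input are all assumptions made for this illustration (the AWS key in the sample is the example key from AWS's own documentation).

```python
# Added example, not the skill's own code; every regex, threshold and severity here is an assumption.
import math
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    kind: str
    severity: str
    redacted: str  # reports should never echo the whole secret


GENERIC = "Generic credential assignment"

# (kind, regex, default severity), most specific first so the generic rule never re-reports a span.
PATTERNS = [
    ("AWS Access Key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "Critical"),
    ("Private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), "Critical"),
    ("Database URL with embedded password",
     re.compile(r"\b(?:mongodb(?:\+srv)?|postgres(?:ql)?|mysql|redis)://[^:/\s]+:[^@\s]+@"), "Critical"),
    ("GitHub token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"), "High"),
    ("Stripe live key", re.compile(r"\b(?:sk|rk)_live_[A-Za-z0-9]{16,}\b"), "High"),
    ("JWT", re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"), "High"),
    (GENERIC, re.compile(r"(?i)(?:password|secret|token)\s*[=:]\s*['\"]?([^'\"\s]{6,})"), "Medium"),
]
# Fallback for the "High Entropy" row: long runs of token characters, scored by entropy.
HIGH_ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; tune against your own false-positive rate
COMMENT = re.compile(r"^\s*(?:#|//|/\*|\*|--|;)")
PLACEHOLDER = re.compile(r"(?i)^(?:<.*>|\$\{.*\}|changeme|password|example|xxx+|your[_-].*|none|null)$")


def shannon_entropy(s: str) -> float:
    """Bits per character: 'aaaa' -> 0.0, 'abcd' -> 2.0, random base64 scores well above 4."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def redact(value: str) -> str:
    """Keep just enough of the value to locate it without reproducing it."""
    return f"{value[:4]}...{value[-2:]}" if len(value) > 8 else "***"


def _overlaps(span, spans) -> bool:
    a, b = span
    return any(a < d and c < b for c, d in spans)


def scan_text(text: str) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        covered = []  # spans already reported on this line
        for kind, rx, default in PATTERNS:
            for m in rx.finditer(line):
                if _overlaps(m.span(), covered):
                    continue
                value = m.group(1) if m.lastindex else m.group(0)
                severity = default
                # Severity table: commented-out lines and placeholder values are likely false positives.
                if kind == GENERIC and (COMMENT.match(line) or PLACEHOLDER.match(value)):
                    severity = "Low"
                findings.append(Finding(line_no, kind, severity, redact(value)))
                covered.append(m.span())
        for m in HIGH_ENTROPY_TOKEN.finditer(line):
            if not _overlaps(m.span(), covered) and shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "High entropy string", "Medium", redact(m.group(0))))
    return findings


def render_markdown(findings: list) -> str:
    """Markdown report, one row per finding, values redacted."""
    rows = ["| Line | Type | Severity | Value |", "|---|---|---|---|"]
    rows += [f"| {f.line_no} | {f.kind} | {f.severity} | `{f.redacted}` |" for f in findings]
    return "\n".join(rows)


# Constructed sample: the AWS key is AWS's documentation example; every other value is made up.
SAMPLE = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
# password=changeme   (commented-out placeholder)
db_password: "hunter2-is-not-great"
DATABASE_URL=postgresql://app:S3cretPassw0rd@db.internal:5432/app
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyzAB
ID_TOKEN=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.c2lnbmF0dXJlLXBsYWNlaG9sZGVy
client_secret: "<YOUR_CLIENT_SECRET>"
SESSION_SALT=3kDq9vXb2LpZ7mRt4YhW8nJc1AeF5GuH6sKx
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    print(render_markdown(scan_text(SAMPLE)))
```

Two design points worth copying into any real scanner: the span bookkeeping, which is what keeps a `GITHUB_TOKEN=ghp_...` line from producing both a High "GitHub token" and a Medium generic finding, and the entropy fallback running only over spans no rule has claimed, so it catches the unlabelled `SESSION_SALT` value without double-counting the keys already reported.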
## Files Scanned

Scans these file types by default:

- Source code: `.py`, `.js`, `.ts`, `.java`, `.go`, `.rb`, `.php`, `.cs`, `.rs`
- Config: `.json`, `.yaml`, `.yml`, `.toml`, `.ini`, `.cfg`, `.conf`
- Environment: `.env`, `.env.local`, `.env.production`
- Shell: `.sh`, `.bash`, `.zsh`, `.ps1`
- Docs: `.md`, `.txt`
- Other: `Dockerfile`, `docker-compose.yml`, `Makefile`
## Ignored Paths

Automatically skips:

- `node_modules/`, `vendor/`, `venv/`, `.venv/`
- `.git/`, `.svn/`
- `__pycache__/`, `.pytest_cache/`
- Binary files, images, compiled outputs
- `package-lock.json`, `yarn.lock`
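
As an added example (not the skill's own code), the following shows one way to implement the file selection the two lists above describe: an extension allow-list, the `.env*` and special-name rules, directory pruning inside `os.walk` so skipped trees are never entered, lockfile exclusion, and a NUL-byte sniff that rejects binary content even when the file name looks like text. The sets, the 8 KiB sniff window and the constructed project tree built by `demo()` are assumptions made for this illustration.

```python
# Added example, not the skill's own code; the allow/skip sets and sniff window are assumptions.
import os
import tempfile
from pathlib import Path

SCAN_EXTENSIONS = {
    ".py", ".js", ".ts", ".java", ".go", ".rb", ".php", ".cs", ".rs",  # source
    ".json", ".yaml", ".yml", ".toml", ".ini", ".cfg", ".conf",        # config
    ".sh", ".bash", ".zsh", ".ps1",                                    # shell
    ".md", ".txt",                                                     # docs
}
SCAN_NAMES = {"Dockerfile", "docker-compose.yml", "Makefile"}
SKIP_DIRS = {"node_modules", "vendor", "venv", ".venv", ".git", ".svn", "__pycache__", ".pytest_cache"}
SKIP_FILES = {"package-lock.json", "yarn.lock"}


def wants_file(name: str) -> bool:
    """Decide from the file name alone whether the scanner should open it."""
    if name in SKIP_FILES:
        return False
    if name in SCAN_NAMES or name.startswith(".env"):  # .env, .env.local, .env.production
        return True
    return Path(name).suffix.lower() in SCAN_EXTENSIONS


def looks_binary(path: str, sniff: int = 8192) -> bool:
    """Text files essentially never contain NUL bytes; binaries almost always do."""
    with open(path, "rb") as fh:
        return b"\x00" in fh.read(sniff)


def select_files(root: str) -> list:
    """Walk root, pruning skipped directories in place so os.walk never descends into them."""
    selected = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if wants_file(name) and not looks_binary(full):
                selected.append(Path(full).relative_to(root).as_posix())
    return sorted(selected)


def demo() -> list:
    """Build a constructed project tree in a temp dir and return the paths that would be scanned."""
    files = {
        "app/main.py": "print('hi')\n",
        "app/__pycache__/main.cpython-311.pyc": "\x00\x00compiled",
        "config/settings.yaml": "db: postgres\n",
        ".env": "API_KEY=placeholder\n",
        ".env.production": "API_KEY=placeholder\n",
        "node_modules/lodash/index.js": "module.exports = {};\n",
        ".git/config": "[core]\n",
        "package-lock.json": "{}\n",
        "Dockerfile": "FROM python:3.12\n",
        "README.md": "# demo\n",
        "notes/dump.txt": "text-looking name, binary body \x00\x01\x02",
        "logo.png": "\x89PNG\x00",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(body.encode("utf-8"))
        return select_files(root)


if __name__ == "__main__":
    for path in demo():
        print(path)
```

Pruning `dirnames` in place is the detail that matters for large repos: filtering file paths after the walk still pays the cost of descending into `node_modules/` and `.git/`, while editing the list `os.walk` hands you skips those subtrees entirely.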
## Remediation Guidance

When secrets are found, the skill recommends:

1. Rotate the secret immediately — assume it's compromised
2. Remove from code — use environment variables or a secrets manager instead
3. Add to `.gitignore` — prevent `.env` and credential files from being committed
4. Use `git-filter-repo` — to remove secrets from git history
5. Enable pre-commit hooks — to catch secrets before they're committed
## Requirements

- Python 3.7+
- No additional dependencies (uses Python standard library)

## Entry Point

## Tags

#security #secrets #credentials #api-keys #tokens #passwords #scanner #audit #pre-commit #leak-detection #cloud #aws #azure #gcp #devops