---
description: "Scans your codebase for hardcoded credentials, API keys, and secrets before they reach production. Detects Anthropic, OpenAI, Stripe, AWS, GitHub tokens and generic password patterns with file:line citations."
alwaysApply: true
---

# Secrets Leak Scanner

Scan a codebase or set of files for hardcoded credentials, API keys, and secrets
that should never be committed to version control.

## What This Skill Does

Searches across all tracked files for patterns that match known credential formats:
- **API keys**: Anthropic (`sk-ant-`), OpenAI (`sk-`), Stripe (`sk_live_`/`sk_test_`)
- **Cloud keys**: AWS access keys (`AKIA`), GitHub tokens (`ghp_`, `gho_`, `ghs_`)
- **Auth tokens**: Bearer tokens, JWTs, PEM private key blocks
- **Connection strings**: Database URLs with embedded passwords
- **Environment assignments**: `SECRET=`, `API_KEY=`, `PASSWORD=`, `TOKEN=` with long values

## How to Use

Invoke this skill with a target directory or list of files to scan:

```
Scan ./src for any hardcoded secrets or credentials.
```

Or with specific files:

```
Check these files for leaked keys: .env.backup, scripts/deploy.sh, config/legacy.js
```

## Output Format

Each finding is reported as:
```
[SEVERITY] path/to/file.ext:LINE_NUMBER — Description of what was found
  Pattern: <pattern type> (<provider>)
  Action: <recommended remediation>
```

Severity levels: `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`

## After Scanning

For each finding:
1. **Rotate the credential immediately** — treat it as compromised
2. **Remove from git history** using `git filter-repo` or BFG Repo Cleaner
3. **Add to `.gitignore`** if it was an accidentally committed file
4. **Use a secrets manager** (AWS Secrets Manager, Vault, 1Password) for the replacement

## Rules

- Never print the actual secret value in the report — only the pattern type and location
- Always include the file path and line number for each finding
- Group findings by severity (CRITICAL first)
- Include a summary count at the end
- Recommend immediate rotation for any CRITICAL or HIGH finding
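The following scanner is an added example that implements the pattern list, output format and rules above; it is not the skill's own code. The regular expressions, the severity assigned to each pattern, the remediation wording (taken from the "After Scanning" steps) and the sample files with fake values are assumptions made for this illustration. The report never includes the matched text, only the pattern type and `file:line` location, and the first matching pattern claims a line so that a provider-specific match is not also reported as a generic assignment.

```python
"""Reference scanner for the pattern set, report format and rules described above.
Added example, not the skill's own code: the regexes, severity mapping, remediation
wording and the sample files are assumptions made for this illustration."""
import re
from collections import Counter
from dataclasses import dataclass

SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW")

# (pattern type, provider, severity, regex). Provider-specific formats come first and
# generic ones last, because scan_text lets the first matching pattern claim a line.
PATTERNS = [
    ("Anthropic API key", "Anthropic", "CRITICAL", re.compile(r"sk-ant-[A-Za-z0-9_-]{20,}")),
    ("Stripe live secret key", "Stripe", "CRITICAL", re.compile(r"sk_live_[A-Za-z0-9]{16,}")),
    ("Stripe test secret key", "Stripe", "MEDIUM", re.compile(r"sk_test_[A-Za-z0-9]{16,}")),
    ("OpenAI API key", "OpenAI", "CRITICAL", re.compile(r"sk-(?!ant-)[A-Za-z0-9_-]{20,}")),
    ("AWS access key ID", "AWS", "CRITICAL", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("GitHub token", "GitHub", "HIGH", re.compile(r"\bgh[pos]_[A-Za-z0-9]{30,}\b")),
    ("PEM private key block", "generic", "CRITICAL", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("JWT", "generic", "HIGH", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")),
    ("Bearer token", "generic", "HIGH", re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{20,}")),
    ("Database URL with embedded password", "generic", "HIGH",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^:/\s]+:[^@\s]+@")),
    ("Credential assignment with long value", "generic", "MEDIUM",
     re.compile(r"(?i)(?:SECRET|API_KEY|PASSWORD|TOKEN)\s*=\s*['\"]?[^'\"\s]{12,}")),
]

# Remediation text follows the "After Scanning" steps; the wording is this example's own.
ACTIONS = {
    "CRITICAL": "Rotate now (treat as compromised), purge from git history, move to a secrets manager",
    "HIGH": "Rotate now, purge from git history, move to a secrets manager",
    "MEDIUM": "Confirm whether the value is live; if so rotate it and move it to a secrets manager",
    "LOW": "Review and move the value out of source into configuration",
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    severity: str
    pattern_type: str
    provider: str
    # Deliberately no field for the matched text: the report must never echo the secret.


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per line that matches a pattern (first matching pattern wins)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern_type, provider, severity, regex in PATTERNS:
            if regex.search(line):
                findings.append(Finding(path, lineno, severity, pattern_type, provider))
                break
    return findings


def severity_counts(findings) -> dict:
    counts = Counter(f.severity for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def format_report(findings) -> str:
    """Render findings in the skill's output format, CRITICAL first, with a summary line."""
    ordered = sorted(findings, key=lambda f: (SEVERITY_ORDER.index(f.severity), f.path, f.line))
    out = []
    for f in ordered:
        out.append(f"[{f.severity}] {f.path}:{f.line} — Hardcoded {f.pattern_type}")
        out.append(f"  Pattern: {f.pattern_type} ({f.provider})")
        out.append(f"  Action: {ACTIONS[f.severity]}")
    counts = severity_counts(findings)
    out.append(f"Summary: {len(findings)} finding(s), "
               + ", ".join(f"{sev}: {n}" for sev, n in counts.items()))
    return "\n".join(out)


# Constructed sample files with fake values; nothing here is a real credential.
SAMPLE_FILES = {
    "config/legacy.js": (
        'const stripe = require("stripe")("sk_live_EXAMPLEabcdefghijklmnop");\n'
        'const db = "postgres://app:Example-Pass-1234@db.internal:5432/app";\n'
        'const token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.abc123signature";\n'
    ),
    ".env.backup": (
        "ANTHROPIC_API_KEY=sk-ant-api03-EXAMPLEexampleEXAMPLEexample\n"
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12\n"
    ),
    "scripts/deploy.sh": (
        'curl -H "Authorization: Bearer ghp_EXAMPLEexampleEXAMPLEexample1234567" https://api.example.invalid/\n'
        "PASSWORD=hunter2\n"  # short value: below the length threshold, so not reported
        'export API_SECRET="Example-Secret-Value-2024"\n'
    ),
}


def scan_samples() -> list[Finding]:
    findings = []
    for path, text in SAMPLE_FILES.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    print(format_report(scan_samples()))
```

To run it over real files, call `scan_text(path, open(path, errors="replace").read())` for each tracked path (for example the output of `git ls-files`) and pass the combined list to `format_report`. Short values such as `PASSWORD=hunter2` are intentionally not reported by the generic assignment pattern, matching the "long values" qualifier above; tighten the `{12,}` threshold if your codebase needs it.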

## Attribution

Part of the SkillSlap security toolkit. For questions or improvements, visit skillslap.com.
