Install this skill: copy and save to ~/.claude/skills/secret-scanner/SKILL.md

Secret Scanner

Finds hardcoded secrets, API keys, passwords, and tokens in code and config files. Suggests env var replacements.

2 min | Beginner | Build | Quick Win | Developer

SKILL.md (~/.claude/skills/secret-scanner/):
---
name: secret-scanner
description: |
  Finds hardcoded secrets, API keys, and tokens in code and config files.
  IMPORTANT: Activate this skill whenever the user asks to "scan for secrets",
  "find API keys", "check for leaked credentials", or "secret detection".
  This skill MUST be used for all secret scanning requests.
---

# Secret Scanner

Searches your codebase for hardcoded secrets, API keys, passwords, database connection strings, and tokens. Suggests environment variable replacements and checks .gitignore for proper exclusions.

**Trigger:**

Say any of these to activate this skill:
- "scan for secrets"
- "find hardcoded API keys"
- "check for leaked credentials"
- "Use skill: secret scanner"

**How It Works:**

1. Search all source files for patterns matching: API keys, tokens, passwords, connection strings
2. Check common patterns: `sk_live_`, `pk_test_`, `ghp_`, `Bearer `, `password =`, database URLs
3. Scan config files (.env committed to git, docker-compose with hardcoded passwords)
4. Check git history for secrets that were committed then removed (they're still in history)
5. Verify .gitignore excludes .env, .env.local, and other secret files
6. For each finding, suggest the environment variable replacement
7. Check if the project has a .env.example with placeholder values
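As an added illustration of steps 2, 5 and 6 and of the false-positive guideline below (example code written for this page, not part of the skill, of Claude Code, or of any real scanner), the following Python sketch applies the listed patterns to a constructed in-memory repository, skips placeholder values, downgrades test keys, names the environment variable each value should move into, and reports which secret files .gitignore fails to cover. The regexes, severity mapping and sample files are my own assumptions.

```python
import re
from collections import namedtuple
from fnmatch import fnmatch
# Regexes for the patterns the skill lists in step 2 (the exact expressions are my own).
PATTERNS = {
    "stripe_live_key": re.compile(r"sk_live_[A-Za-z0-9]{8,}"),
    "stripe_test_key": re.compile(r"pk_test_[A-Za-z0-9]{8,}"),
    "github_token": re.compile(r"ghp_[A-Za-z0-9]{20,}"),
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9._\-]{16,}"),
    "password_assignment": re.compile(r"(?i)password\s*=\s*['\"][^'\"]+['\"]"),
    "database_url": re.compile(r"(?i)\b(postgres|mysql|mongodb|redis)(\+\w+)?://[^:\s/]+:[^@\s]+@"),
}
# Placeholder values and test keys are the false positives the guidelines warn about.
PLACEHOLDER = re.compile(r"(?i)(example|placeholder|changeme|xxx+|your[_-]?(key|token|secret)|<[^>]+>|\$\{[^}]+\})")
LOW_RISK = {"stripe_test_key"}
SECRET_FILES = [".env", ".env.local"]  # files step 5 expects .gitignore to exclude
# env_var is the suggested environment variable to move the value into (step 6).
Finding = namedtuple("Finding", "path line kind severity env_var")
def scan_text(path, text):
    """Scan one file's contents; one finding per (line, pattern) that is not a placeholder."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m or PLACEHOLDER.search(m.group(0)):
                continue
            severity = "low" if kind in LOW_RISK else "high"
            findings.append(Finding(path, lineno, kind, severity, kind.upper()))
    return findings
def scan_repo(files):
    """files: {path: contents}. Returns all findings across the repository snapshot."""
    return [f for path, text in files.items() for f in scan_text(path, text)]
def missing_gitignore_entries(gitignore_text):
    """Return the SECRET_FILES that no .gitignore pattern covers (globs honoured)."""
    patterns = [ln.strip() for ln in gitignore_text.splitlines() if ln.strip() and not ln.startswith("#")]
    return [f for f in SECRET_FILES if not any(fnmatch(f, p) for p in patterns)]
# Constructed sample repository contents, not taken from any real project.
SAMPLE_FILES = {
    "config.py": 'STRIPE_KEY = "sk_live_abc123def456ghi789"\n'
                 'DB_URL = "postgres://app:hunter2@db.internal:5432/app"\n'
                 'ADMIN_PASSWORD = "changeme"\n',
    "tests/fixtures.py": 'KEY = "pk_test_abc123def456ghi789"\n',
}
SAMPLE_GITIGNORE = "node_modules/\n.env\n"

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f.path}:{f.line} {f.kind} [{f.severity}] -> move to env var {f.env_var}")
    print("missing from .gitignore:", missing_gitignore_entries(SAMPLE_GITIGNORE))
```

A real run would also walk `git log -p` output through `scan_text` (step 4), since a secret removed from the working tree is still recoverable from history.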

**Guidelines:**

- Check git history, not just current files (secrets committed and removed are still exposed)
- Some patterns are false positives (test keys, example values); verify before flagging
- Suggest rotating any secrets found in git history
- Check CI/CD config files for inline secrets (should use CI secrets/variables)
- Flag files that should be in .gitignore but aren't

**Works With:**

- Best with: Claude Code CLI (can search the full repo including git history)
- Also works: Cursor, Windsurf
- Expects: Any project that uses API keys or credentials

**Output Format:**

- Findings list: file, line, type of secret, severity
- Suggested fix for each finding (move to .env, use CI secrets, etc.)
- .gitignore updates needed
- Warning if secrets were found in git history

Secret Scanner | Library | Modern Vibe Coding