Stats
Actions
Available In
Tags
Plugin
secrets-scanner
Scan commands and prompts for security risks, detecting credential patterns across cloud, source control, payment, and collaboration providers, with deduplication and truncation of results.
What's Inside
README
Security plugins for Claude Code and Cursor
This repository currently provides a secrets scanner plugin.
Motivation
Coding agents are powerful, but we've repeatedly seen them read and propagate sensitive data during everyday work. That can be acceptable for casual "vibe coding" experiments, but it's not acceptable for production software engineering. We built this to make accidental leakage much harder: a standalone, local-first scanner with minimal footprint (no external dependencies, regex-only), running as editor/agent hooks entirely on your machine, and easy to set up so teams can adopt it without friction.
Install
Claude Code Plugin Marketplace
Install via the Claude Code plugin marketplace:
/plugin marketplace add mintmcp/agent-security
/plugin install secrets-scanner@agent-security
PyPI (manual hooks)
pipx install claude-secret-scan
# or
python3 -m pip install --user claude-secret-scan
Add hooks to ~/.claude/settings.json if using PyPI:
{
"hooks": {
"UserPromptSubmit": [
{"hooks": [{"type": "command", "command": "claude-secret-scan --mode=pre"}]}
],
"PreToolUse": [
{"matcher": "Read|read", "hooks": [{"type": "command", "command": "claude-secret-scan --mode=pre"}]}
],
"PostToolUse": [
{"matcher": "Read|read", "hooks": [{"type": "command", "command": "claude-secret-scan --mode=post"}]},
{"matcher": "Bash|bash", "hooks": [{"type": "command", "command": "claude-secret-scan --mode=post"}]}
]
}
}
Cursor
Copy examples/configs/cursor-hooks.json to ~/.cursor/hooks.json or configure similarly:
{
"version": 1,
"hooks": {
"beforeReadFile": [{"command": "cursor-secret-scan --mode=pre"}],
"beforeSubmitPrompt": [{"command": "cursor-secret-scan --mode=pre"}]
}
}
Repository Layout
.
├── .claude-plugin/
│ └── marketplace.json
├── plugins/
│ └── secrets_scanner/
│ ├── .claude-plugin/
│ │ └── plugin.json
│ ├── hooks/
│ │ ├── hooks.json
│ │ └── secrets_scanner_hook.py
│ ├── tests/
│ │ └── read_hook_test.py
│ ├── TESTING.md
│ └── README.md
├── examples/
│ └── configs/
├── pyproject.toml
└── README.md
Notes
- Pre hooks block when secrets are detected. Post hooks print warnings.
- No external dependencies. The scanner uses only Python's built-in regexes and simple pattern matching.
- Runs completely locally. No code, prompts, or files leave your system.
- Curious how it works? See
plugins/secrets_scanner/hooks/secrets_scanner_hook.pyfor the core implementation and patterns. - No telemetry by default. For org-wide visibility and governance (dashboards, metrics, alerting), see https://mintmcp.com.
License
Apache License 2.0. See LICENSE.
Acknowledgements
Regex patterns were informed by or adapted from detect-secrets (Apache 2.0).
Stats
Version0.1.14
LanguagePython
Stars69
Forks3
MaintenanceGood
LicenseApache-2.0
Last Commit
Added
Available In
Safety Signals
Caution
Executes bash commands
Hook triggers when Bash tool is used
Tags
Topics
Categories
