From security-guardian
Find and prevent leaked secrets, API keys, and credentials in code. Use this skill when reviewing code for exposed secrets, setting up pre-commit hooks, or auditing repositories. Activate when: leaked secret, API key exposed, credentials in code, hardcoded password, secret scanning, git secrets, pre-commit hook.
How this skill is triggered: by the user, by Claude, or both.
Slash command: /security-guardian:secrets-detection
Summary Claude sees in its skill listing (used to decide when to auto-load this skill):
Find and prevent leaked API keys, passwords, and credentials in your codebase.
| Secret Type | Pattern Example |
|---|---|
| AWS Access Key | AKIA[0-9A-Z]{16} (permanent IAM key); ASIA[0-9A-Z]{16} for temporary STS credentials |
| AWS Secret Key | 40 characters of [A-Za-z0-9/+=] with no prefix; found by entropy, or by proximity to an aws_secret_access_key-style name |
| GitHub Token | ghp_[A-Za-z0-9]{36} (classic PAT); other token types use the gho_, ghu_, ghs_, ghr_ and github_pat_ prefixes |
| Stripe API Key | sk_live_[A-Za-z0-9]{24,} (older keys have exactly 24 characters after the prefix, current ones are longer); rk_live_ for restricted keys |
| Private Key | -----BEGIN [A-Z ]*PRIVATE KEY----- (covers the RSA, EC, OPENSSH, DSA, PGP and ENCRYPTED variants) |
| JWT Secret | No fixed format: flag long high-entropy strings assigned to names like jwt_secret. A JWT itself is recognisable by its eyJ prefix (base64url of {") |
# Install
brew install gitleaks
# Scan the full git history of the current repository (the default mode)
gitleaks detect -v
# Scan the working tree as plain files, without git history (e.g. an unpacked archive)
gitleaks detect --no-git -v
# CI/CD integration: fail the job on any finding and keep the secret values out of the job log
gitleaks detect --source . --exit-code 1 --redact -v
# .gitleaks.toml - custom rules
# Without this block a custom config REPLACES the built-in rule set instead of extending it
[extend]
useDefault = true

[allowlist]
description = "Paths that never hold real secrets"
paths = [
  '''vendor/''',
  '''node_modules/''',
  '''\.test\.''',
  '''\.env\.example$'''
]

[[rules]]
id = "custom-api-key"
description = "Custom API key format used by myapp"
regex = '''myapp_[a-zA-Z0-9]{32}'''
tags = ["key", "custom"]
# Install
brew install git-secrets
# Install the pre-commit, commit-msg and prepare-commit-msg hooks into this repository
git secrets --install
# Add the AWS key patterns (the documented AWS example keys are added to the allowed list)
git secrets --register-aws
# Scan the working tree
git secrets --scan
# Scan every commit in history
git secrets --scan-history
# Scan repository history. --only-verified reports only credentials TruffleHog confirmed live
# against the provider's API: few false positives, but secret types it cannot verify are dropped,
# so run once without the flag for a full audit
trufflehog git file://. --only-verified
# Scan every repository in a GitHub org
trufflehog github --org=myorg --only-verified
# CI/CD: --fail makes the process exit non-zero (code 183) when results are found
trufflehog git file://. --fail --only-verified
npm install -D husky
npx husky init
# .husky/pre-commit
#!/bin/sh
# gitleaks protect --staged reads the staged diff from git itself, so it is invoked directly.
# Do not wire gitleaks through lint-staged: lint-staged appends the staged file names to the
# command, and gitleaks is not driven by file-name arguments.
gitleaks protect --staged --redact -v
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks
  - repo: https://github.com/awslabs/git-secrets
    rev: master   # a moving target: pin a tag or commit SHA so the hook cannot change under you
    hooks:
      - id: git-secrets
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets
        args: ['--baseline', '.secrets.baseline']
# Install
pip install pre-commit
# One-time: record the current findings as the baseline, then review them with
# `detect-secrets audit .secrets.baseline` so known false positives stop failing the hook
detect-secrets scan > .secrets.baseline
pre-commit install
# .github/workflows/secret-scanning.yml (any file name under .github/workflows/ works)
name: Secret Scanning
on: [push, pull_request]
jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history; the default shallow clone scans only the tip commit
      - name: Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}   # required by the action for organization-owned repos
  trufflehog:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: TruffleHog
        uses: trufflesecurity/trufflehog@main   # pin a release tag in production; @main moves
        with:
          extra_args: --only-verified
# .gitlab-ci.yml
secret_detection:
  stage: test
  image:
    name: zricethezav/gitleaks:latest
    entrypoint: [""]   # the image's entrypoint is gitleaks itself; clear it so GitLab can run the script in a shell
  variables:
    GIT_DEPTH: 0       # GitLab clones shallowly by default; history scanning needs every commit
  script:
    - gitleaks detect --source . --exit-code 1 --redact -v
  allow_failure: false
// Fail fast at startup: a missing secret should stop the process before it serves
// a single request, not surface later as an authentication error on first use
const requiredSecrets = ['API_KEY', 'DB_PASSWORD', 'JWT_SECRET'];
for (const secret of requiredSecrets) {
  if (!process.env[secret]) {
    throw new Error(`Missing required secret: ${secret}`);
  }
}
// Load from the environment, which is populated by the runtime, the CI system or a
// secrets-manager integration; only local development reads an uncommitted .env file
const config = {
  apiKey: process.env.API_KEY,
  dbPassword: process.env.DB_PASSWORD,
  jwtSecret: process.env.JWT_SECRET
};
# .env.example (commit this)
API_KEY=your_api_key_here
DB_PASSWORD=your_db_password_here
# .env (NEVER commit)
API_KEY=sk_live_actual_key_12345
DB_PASSWORD=actual_password
# .gitignore
.env
.env.local
.env.*.local
*.pem
*.key
// AWS Secrets Manager (SDK v3)
const { SecretsManager } = require('@aws-sdk/client-secrets-manager');
async function getSecret(secretName) {
  const client = new SecretsManager({ region: 'us-east-1' });
  const response = await client.getSecretValue({ SecretId: secretName });
  // Secrets created in the console are usually JSON in SecretString; secrets stored as
  // bytes come back in SecretBinary instead, and SecretString is not guaranteed to be JSON
  if (response.SecretString === undefined) {
    throw new Error(`Secret ${secretName} is binary; read response.SecretBinary instead`);
  }
  return JSON.parse(response.SecretString);
}
// HashiCorp Vault (node-vault)
const vault = require('node-vault')({
  endpoint: process.env.VAULT_ADDR,
  // Prefer a short-lived token obtained from an auth method (AppRole, Kubernetes, AWS IAM)
  // over a long-lived static token in the environment
  token: process.env.VAULT_TOKEN
});
async function getVaultSecret(path) {
  // For the KV v2 engine the read path includes /data/ (e.g. 'secret/data/myapp') and the
  // key/value pairs sit under data.data; KV v1 returns them directly under data
  const { data } = await vault.read(path);
  return data.data;
}
# 1. Revoke and rotate first. Once a secret has been pushed, treat it as compromised:
#    forks, clones, CI logs and the hosting provider's caches may still hold it, and
#    commits stay reachable by hash on the provider until garbage-collected. Rewriting
#    history (steps 2-3) is hygiene, not containment.
#    - AWS: IAM console -> Security credentials -> Deactivate, then delete the access key
#    - GitHub: Settings -> Developer settings -> Personal access tokens -> Delete
#    - Stripe: Dashboard -> API keys -> Roll key
# 2. Remove from git history. git filter-branch is deprecated and slow; use git filter-repo
#    (pip install git-filter-repo) or BFG Repo-Cleaner
git filter-repo --invert-paths --path path/to/secret/file
# Or rewrite the secret in place: one literal (or regex:... line) per line in expressions.txt
git filter-repo --replace-text expressions.txt
# filter-repo removes the origin remote to prevent an accidental push of the old history; re-add it
git remote add origin <url>
# BFG equivalents
bfg --delete-files secret-file.txt
bfg --replace-text secrets.txt
# 3. Force push (coordinate with the team: every existing clone must be re-cloned or hard-reset,
#    otherwise the old commits come straight back with the next push from a stale clone)
git push origin --force --all
git push origin --force --tags
# 4. Audit for unauthorized use of the compromised credential over its whole lifetime
#    - AWS: CloudTrail events filtered by the access key ID
#    - GitHub / Stripe: the account's audit and request logs for the token
# 5. Generate the new secret, update every consumer, and confirm the old one is now rejected
npx claudepluginhub latestaiagents/agent-skills --plugin security-guardian
This skill should be used when the user asks to "find hardcoded secrets", "audit for credential leaks", "check for API keys in code", "review secret scanning alerts", "rotate a leaked secret", or needs to detect hardcoded credentials, review secret handling patterns, or remediate exposed secrets.
Scans repositories for leaked secrets, API keys, and credentials using gitleaks. Blocks commits that contain secrets via a pre-commit hook.
Scans source code for hardcoded secrets, API keys, and credentials; classifies risk severity; checks .gitignore and git history; enforces credential externalization.