Stats
Actions
Tags
From security-toolkit
Investigate GitHub secret scanning alerts to trace provenance, gather context, assess risk, and produce a structured report for security professionals. Handles one or more alerts in a single investigation using only open-source tools.
How this skill is triggered — by the user, by Claude, or both
Slash command
/security-toolkit:secret-scanning-investigatorThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
---
LICENSEREADME.mdreferences/actions/github-issue.mdreferences/actions/history-cleanup.mdreferences/actions/permissions.mdreferences/actions/prevention.mdreferences/actions/resolve-alert.mdreferences/actions/rotation-guides.mdreferences/actions/sarif-output.mdreferences/actions/timeline-csv.mdreferences/phases/phase-0-setup.mdreferences/phases/phase-0.5-permissions.mdreferences/phases/phase-1-triage.mdreferences/phases/phase-7-risk.mdreferences/phases/phases-2-6-investigation.mdreferences/report-template.mdreferences/sub-agents/block-a.mdreferences/sub-agents/block-b.mdDO NOT make assumptions or guesses. All reported information must be:
When providing estimates or possibilities (e.g., in risk assessment):
Any action that modifies state requires explicit safeguards:
Actions requiring double-confirmation:
Permitted without confirmation:
/tmpThis skill uses parallel sub-agents to accelerate investigation:
Phase 0: Tool Check (sequential)
|
Phase 0.5: Permission Pre-Approval (sequential - user interaction)
|
Phase 1: Mode Selection (sequential - user interaction)
|
+-----------------------------------------------------------+
| PARALLEL BLOCK A |
| Agent A1: Alert Acquisition -> Full alert + locations |
| Agent A2: Repository Clone -> Clone + file history |
| Agent A3: Commit/PR Context -> Author, PR, issues |
+-----------------------------------------------------------+
| (wait for all)
+-----------------------------------------------------------+
| PARALLEL BLOCK B |
| Agent B1: TruffleHog Scan -> Detection + verify |
| Agent B2: Gitleaks Scan -> Cross-validate + SARIF |
| Agent B3: Entropy Analysis -> Shannon entropy |
| Agent B4: Service Analysis -> GitHub App / token |
+-----------------------------------------------------------+
| (wait for all)
Phase 6.2: Active Verification (requires confirmation)
|
Phase 7: Risk Assessment (synthesis)
|
Phase 8: Report & Actions (user interaction)
Use the Task tool to launch parallel agents:
# Launch Parallel Block A (all three in single message)
<Task tool call 1: subagent_type="Explore", prompt="...", run_in_background=true>
<Task tool call 2: subagent_type="Explore", prompt="...", run_in_background=true>
<Task tool call 3: subagent_type="Explore", prompt="...", run_in_background=true>
READ: references/sub-agents/block-a.md for Agent A1-A3 prompts.
READ: references/sub-agents/block-b.md for Agent B1-B4 prompts and coordinator.
All agents write findings to /tmp/secret-scan-{alert_number}/:
alert.json (Agent A1)
provenance.json (Agent A2)
context.json (Agent A3)
trufflehog.json (Agent B1)
gitleaks.json (Agent B2)
entropy.json (Agent B3)
service.json (Agent B4)
The coordinator reads all artifacts ONCE during synthesis phase.
Verify required tools (gh, git) and offer to install optional tools (trufflehog, gitleaks, ggshield).
READ: references/phases/phase-0-setup.md for tool check details and installation commands.
Present all read-only commands upfront for batch approval to minimize interruptions.
READ: references/phases/phase-0.5-permissions.md for permission request format.
Fetch basic alert details and require user to select PASSIVE or ACTIVE mode.
READ: references/phases/phase-1-triage.md for mode selection prompts.
Deep investigation including alert acquisition, multi-tool scanning, provenance tracing, and secret-specific analysis.
READ: references/phases/phases-2-6-investigation.md for detailed procedures.
Evaluate risk factors and produce overall rating (CRITICAL/HIGH/MEDIUM/LOW).
READ: references/phases/phase-7-risk.md for risk criteria and assessment format.
After investigation completes, generate comprehensive report.
READ: references/report-template.md for the full report structure.
===============================================================
INVESTIGATION COMPLETE
===============================================================
Investigation Mode: {ACTIVE/PASSIVE}
Alerts Analyzed: {count}
Risk Rating: {CRITICAL/HIGH/MEDIUM/LOW}
OUTPUT OPTIONS:
1. Display report here
2. Save report to local file
3. Display and save
ADDITIONAL ACTIONS AVAILABLE:
4. Resolve alert(s) on GitHub
5. Generate SARIF output for security dashboard
6. Generate history cleanup commands
7. Generate prevention recommendations (pre-commit hooks, CI/CD)
8. Check for public leaks (requires ggshield)
9. Create GitHub issue with findings
10. Export timeline as CSV
11. Generate permanent permissions (settings.json)
Which options would you like? (comma-separated, e.g., "1,4,6"):
Each action has detailed implementation guidance:
| Option | Action | Reference |
|---|---|---|
| 4 | Resolve Alert | references/actions/resolve-alert.md |
| 5 | SARIF Output | references/actions/sarif-output.md |
| 6 | History Cleanup | references/actions/history-cleanup.md |
| 7 | Prevention | references/actions/prevention.md |
| 8 | Public Leak Check | Uses ggshield (inline) |
| 9 | GitHub Issue | references/actions/github-issue.md |
| 10 | Timeline CSV | references/actions/timeline-csv.md |
| 11 | Permissions | references/actions/permissions.md |
READ: references/actions/rotation-guides.md for credential rotation instructions.
When multiple alerts are provided:
| Error | Handling |
|---|---|
| Alert not found | Report error, continue with other alerts if batch |
| Insufficient permissions | Document limitation, use available data, note in report |
| Clone fails | Fall back to API-based history, note limitation |
| Tool not available | Skip that analysis, note in report what was missed |
| Rate limiting | Wait and retry with backoff, or document incomplete analysis |
| Active verification refused | Fall back to passive analysis for that secret |
| Tool | Required | Purpose | License | Install |
|---|---|---|---|---|
gh | Yes | GitHub API access | MIT | brew install gh |
git | Yes | History analysis | GPL-2.0 | Pre-installed |
trufflehog | No | Verification, analysis | Apache-2.0 | brew install trufflehog |
gitleaks | No | Cross-validation, SARIF | MIT | brew install gitleaks |
ggshield | No | Public leak check | MIT | pip install ggshield |
python3 | No | Entropy calculation | PSF | Pre-installed |
All optional tools are free and open-source.
# Single alert by URL
"Investigate https://github.com/org/repo/security/secret-scanning/19"
# Single alert by components
"Investigate secret scanning alert #19 in org/repo"
# Multiple alerts
"Investigate secret scanning alerts #19, #20, #21 in org/repo"
# All open alerts in repo
"Investigate all open secret scanning alerts in org/repo"
# Organization-wide
"Investigate all critical secret scanning alerts in the org organization"
npx claudepluginhub swannysec/robot-tools --plugin security-toolkitThis skill should be used when the user asks to "triage security findings", "fix a Checkmarx finding", "review SonarCloud results", "dismiss a false positive", "check code scanning alerts", or needs to work with GitHub Advanced Security alerts, scanner annotations on PRs, or Grype vulnerability results.
Triages compromised GitHub Actions supply chain attacks with interactive checklists, full runbooks, or shell scripts for exposure checks, log audits, secret rotation, and remediation.
Scans repositories for leaked secrets, API keys, and credentials using gitleaks. Blocks commits that contain secrets via a pre-commit hook.