Files
wehub-resource-sync bb5c75ce05
Component Security Validation / Security Audit (push) Has been cancelled
Deploy to Cloudflare Pages / deploy (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:38:58 +08:00

1.6 KiB


allowed-tools: Read, Bash, Grep, Glob argument-hint: [scope] | --api-keys | --passwords | --certificates | --fix description: Scan codebase for exposed secrets, credentials, and sensitive information

Secrets Scanner

Scan codebase for exposed secrets and sensitive information: $ARGUMENTS

Current Repository State

  • Git status: !git status --porcelain | wc -l uncommitted files
  • File types: !find . -name "*.js" -o -name "*.py" -o -name "*.env*" -o -name "*.yml" | wc -l scannables
  • Recent commits: !git log --oneline --grep="password\|key\|secret\|token" -5
  • Environment files: @.env* or @config/* (if exists)

Task

Perform comprehensive secrets detection and remediation across codebase:

Scan Scope: Use $ARGUMENTS to focus on API keys, passwords, certificates, or complete scan

Detection Categories:

  1. API Keys & Tokens - GitHub, AWS, Google Cloud, Stripe, third-party services
  2. Database Credentials - Connection strings, usernames, passwords
  3. Certificates & Keys - Private keys, SSH keys, SSL certificates
  4. Authentication Secrets - JWT secrets, session keys, OAuth credentials
  5. Configuration Leaks - Hardcoded URLs, internal endpoints, debug settings

Remediation Actions:

  • Identify exposed secrets with file locations and line numbers
  • Provide secure alternatives (environment variables, secret management)
  • Generate .gitignore entries for sensitive files
  • Create secure configuration templates
  • Implement secrets management best practices

Output: Detailed security report with risk levels, immediate actions, and long-term security improvements.