1.6 KiB
1.6 KiB
allowed-tools: Read, Bash, Grep, Glob argument-hint: [scope] | --api-keys | --passwords | --certificates | --fix description: Scan codebase for exposed secrets, credentials, and sensitive information
Secrets Scanner
Scan codebase for exposed secrets and sensitive information: $ARGUMENTS
Current Repository State
- Git status: !
git status --porcelain | wc -luncommitted files - File types: !
find . -name "*.js" -o -name "*.py" -o -name "*.env*" -o -name "*.yml" | wc -lscannables - Recent commits: !
git log --oneline --grep="password\|key\|secret\|token" -5 - Environment files: @.env* or @config/* (if exists)
Task
Perform comprehensive secrets detection and remediation across codebase:
Scan Scope: Use $ARGUMENTS to focus on API keys, passwords, certificates, or complete scan
Detection Categories:
- API Keys & Tokens - GitHub, AWS, Google Cloud, Stripe, third-party services
- Database Credentials - Connection strings, usernames, passwords
- Certificates & Keys - Private keys, SSH keys, SSL certificates
- Authentication Secrets - JWT secrets, session keys, OAuth credentials
- Configuration Leaks - Hardcoded URLs, internal endpoints, debug settings
Remediation Actions:
- Identify exposed secrets with file locations and line numbers
- Provide secure alternatives (environment variables, secret management)
- Generate .gitignore entries for sensitive files
- Create secure configuration templates
- Implement secrets management best practices
Output: Detailed security report with risk levels, immediate actions, and long-term security improvements.