38 lines
1.6 KiB
Markdown
38 lines
1.6 KiB
Markdown
---
|
|
allowed-tools: Read, Bash, Grep, Glob
|
|
argument-hint: [scope] | --api-keys | --passwords | --certificates | --fix
|
|
description: Scan codebase for exposed secrets, credentials, and sensitive information
|
|
---
|
|
|
|
# Secrets Scanner
|
|
|
|
Scan codebase for exposed secrets and sensitive information: **$ARGUMENTS**
|
|
|
|
## Current Repository State
|
|
|
|
- Git status: !`git status --porcelain | wc -l` uncommitted files
|
|
- File types: !`find . -name "*.js" -o -name "*.py" -o -name "*.env*" -o -name "*.yml" | wc -l` scannables
|
|
- Recent commits: !`git log --oneline --grep="password\|key\|secret\|token" -5`
|
|
- Environment files: @.env* or @config/* (if exists)
|
|
|
|
## Task
|
|
|
|
Perform comprehensive secrets detection and remediation across codebase:
|
|
|
|
**Scan Scope**: Use $ARGUMENTS to focus on API keys, passwords, certificates, or complete scan
|
|
|
|
**Detection Categories**:
|
|
1. **API Keys & Tokens** - GitHub, AWS, Google Cloud, Stripe, third-party services
|
|
2. **Database Credentials** - Connection strings, usernames, passwords
|
|
3. **Certificates & Keys** - Private keys, SSH keys, SSL certificates
|
|
4. **Authentication Secrets** - JWT secrets, session keys, OAuth credentials
|
|
5. **Configuration Leaks** - Hardcoded URLs, internal endpoints, debug settings
|
|
|
|
**Remediation Actions**:
|
|
- Identify exposed secrets with file locations and line numbers
|
|
- Provide secure alternatives (environment variables, secret management)
|
|
- Generate .gitignore entries for sensitive files
|
|
- Create secure configuration templates
|
|
- Implement secrets management best practices
|
|
|
|
**Output**: Detailed security report with risk levels, immediate actions, and long-term security improvements. |