alirezarezvani/secret-scanner
skills/security/secret-scanner/SKILL.md
Detect exposed secrets, API keys, credentials, and tokens in code. Use before commits, on file saves, or when security is mentioned. Prevents accidental secret exposure. Triggers on file changes, git commits, security checks, .env file modifications.
$ install --global
skillsauthnpx skillsauth add alirezarezvani/claude-code-tresor secret-scannerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 3, 2026, 3:33 PM4.3s2 files scanned
SKILL.md
- name:
- secret-scanner
- description:
- Detect exposed secrets, API keys, credentials, and tokens in code. Use before commits, on file saves, or when security is mentioned. Prevents accidental secret exposure. Triggers on file changes, git commits, security checks, .env file modifications.
- allowed-tools:
- Read, Grep
Secret Scanner Skill
Prevent accidental secret exposure in your codebase.
When I Activate
- ✅ Before git commits
- ✅ Files modified/saved
- ✅ User mentions secrets, keys, or credentials
- ✅ .env files changed
- ✅ Configuration files modified
What I Detect
API Keys & Tokens
- AWS access keys (AKIA...)
- Stripe API keys (sk_live_..., pk_live_...)
- GitHub tokens (ghp_...)
- Google API keys
- OAuth tokens
- JWT secrets
Database Credentials
- Database connection strings
- MySQL/PostgreSQL passwords
- MongoDB connection URIs
- Redis passwords
Private Keys
- SSH private keys
- RSA/DSA keys
- PGP/GPG keys
- SSL certificates
Authentication Secrets
- Password variables
- Auth tokens
- Session secrets
- Encryption keys
Alert Examples
API Key Detection
// You type:
const apiKey = 'sk_live_1234567890abcdef';
// I immediately alert:
🚨 CRITICAL: Exposed Stripe API key detected!
📍 File: config.js, Line 3
🔧 Fix: Use environment variables
const apiKey = process.env.STRIPE_API_KEY;
📖 Add to .gitignore: .env
AWS Credentials
# You type:
aws_access_key = "AKIAIOSFODNN7EXAMPLE"
# I alert:
🚨 CRITICAL: AWS access key exposed!
📍 File: aws_config.py, Line 1
🔧 Fix: Use AWS credentials file or environment variables
aws_access_key = os.getenv("AWS_ACCESS_KEY_ID")
📖 Never commit AWS credentials
Database Password
# You type in docker-compose.yml:
environment:
DB_PASSWORD: "mySecretPassword123"
# I alert:
🚨 CRITICAL: Database password in configuration file!
📍 File: docker-compose.yml, Line 5
🔧 Fix: Use .env file
DB_PASSWORD: ${DB_PASSWORD}
📖 Add .env to .gitignore
Detection Patterns
Pattern Types
High Confidence:
- Known API key formats (Stripe, AWS, etc.)
- Private key headers
- JWT tokens
- Connection strings with credentials
Medium Confidence:
- Variables named "password", "secret", "key"
- Base64 encoded strings in sensitive contexts
- Long random strings in assignments
Low Confidence (Flagged for Review):
- Generic secret patterns
- Potential credentials in comments
Git Integration
Pre-Commit Protection
# Before commit, I scan:
git add .
git commit
# I block if secrets found:
🚨 CRITICAL: Cannot commit - secrets detected!
📍 3 secrets found:
- config.js:12 - API key
- .env:5 - Database password (in gitignore - OK)
- auth.js:45 - JWT secret
❌ Commit blocked - remove secrets first
.gitignore Validation
I check if sensitive files are in .gitignore:
✅ .env - In .gitignore (good)
⚠️ config/secrets.json - NOT in .gitignore (add it!)
✅ .aws/credentials - In .gitignore (good)
False Positive Handling
Example Files
// I understand these are examples:
// Example: const apiKey = 'your_api_key_here';
// TODO: Add your API key from environment
Test Files
// Test fixtures are OK (but flagged for review):
const mockApiKey = 'sk_test_1234567890abcdef'; // ✅ Test key
Documentation
<!-- Documentation examples are flagged but low priority -->
Set your API key: `export API_KEY=your_key_here`
Relationship with security-auditor
secret-scanner (me): Exposed secrets and credentials security-auditor: Code vulnerability patterns
Together
secret-scanner: Finds hardcoded API key
security-auditor: Finds how the key is used insecurely
Combined: Complete security picture
Quick Fixes
Move to Environment Variables
// Before:
const apiKey = 'sk_live_abc123';
// After:
const apiKey = process.env.API_KEY;
// .env file (add to .gitignore):
API_KEY=sk_live_abc123
Use Secret Management
// AWS Secrets Manager
const AWS = require('aws-sdk');
const secrets = new AWS.SecretsManager();
const secret = await secrets.getSecretValue({ SecretId: 'myApiKey' }).promise();
Configuration Files
# docker-compose.yml
services:
app:
environment:
- API_KEY=${API_KEY} # From .env file
# .env (gitignored)
API_KEY=sk_live_abc123
Sandboxing Compatibility
Works without sandboxing: ✅ Yes (recommended) Works with sandboxing: ✅ Yes
- Filesystem: Read-only access
- Network: None required
- Configuration: None required
Customization
Add company-specific secret patterns:
cp -r ~/.claude/skills/security/secret-scanner \
~/.claude/skills/security/company-secret-scanner
# Edit SKILL.md to add:
# - Internal API key formats
# - Company-specific secret patterns
# - Custom detection rules
Best Practices
- Never commit secrets - Use environment variables
- Use .gitignore - Add .env, secrets.json, etc.
- Rotate exposed secrets - If committed, rotate immediately
- Use secret management - AWS Secrets Manager, HashiCorp Vault
- Audit regularly - Review code for exposed secrets
Emergency Response
If Secret Committed
- Rotate the secret immediately
- Remove from git history
git filter-branch --force --index-filter \ "git rm --cached --ignore-unmatch config/secrets.json" \ --prune-empty --tag-name-filter cat -- --all - Force push (coordinate with team)
- Update all deployments with new secret
Related Tools
- security-auditor skill: Vulnerability detection
- @code-reviewer sub-agent: Security review
- /review command: Comprehensive security check
Related Skills
alirezarezvani/security-auditor
development
VerifiedTrustedCommunity
Continuous security vulnerability scanning for OWASP Top 10, common vulnerabilities, and insecure patterns. Use when reviewing code, before deployments, or on file changes. Scans for SQL injection, XSS, secrets exposure, auth issues. Triggers on file changes, security mentions, deployment prep.
662SKILL.mdUpdated Apr 3, 2026
alirezarezvani/dependency-auditor
testing
VerifiedTrustedCommunity
Check dependencies for known vulnerabilities using npm audit, pip-audit, etc. Use when package.json or requirements.txt changes, or before deployments. Alerts on vulnerable dependencies. Triggers on dependency file changes, deployment prep, security mentions.
662SKILL.mdUpdated Apr 3, 2026
alirezarezvani/readme-updater
development
VerifiedTrustedCommunity
Keep README files current with project changes. Use when project structure changes, features added, or setup instructions modified. Suggests README updates based on code changes. Triggers on significant project changes, new features, dependency changes.
662SKILL.mdUpdated Apr 3, 2026
alirezarezvani/api-documenter
development
VerifiedTrustedCommunity
Auto-generate API documentation from code and comments. Use when API endpoints change, or user mentions API docs. Creates OpenAPI/Swagger specs from code. Triggers on API file changes, documentation requests, endpoint additions.
662SKILL.mdUpdated Apr 3, 2026