robotti-io/secrets-and-logging-hygiene
skills/secrets-and-logging-hygiene/SKILL.md
Workflow for preventing secret leaks and sensitive logging (PII/credentials) and adding redaction defaults.
$ install --global
skillsauthnpx skillsauth add robotti-io/copilot-security-instructions secrets-and-logging-hygieneInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 11, 2026, 10:56 PM5.2s1 file scanned
SKILL.md
- name:
- secrets-and-logging-hygiene
- description:
- Workflow for preventing secret leaks and sensitive logging (PII/credentials) and adding redaction defaults.
Secrets and Logging Hygiene
When to use
Use this skill when asked to scan for secrets, harden logging, or reduce sensitive data exposure.
Inputs to collect (if available)
- Data classification (PII, auth/session, payments)
- Logging/telemetry stack (logger, APM, sinks)
- Secret management approach (vault, env injection, KMS)
- Incident/audit requirements (retention, access controls)
Step-by-step process
- Identify sensitive data
- Credentials, tokens, API keys, connection strings
- PII (emails, phone, addresses), financial identifiers
- Locate sources and sinks
- Sources: env, config, secrets managers, request payloads
- Sinks: logs, telemetry, error pages, analytics, support dumps
- Harden logging
- Default to structured logs
- Redact known patterns (Authorization headers, cookies, tokens)
- Avoid logging full request/response bodies by default
- Prevent secret introduction
- Replace hardcoded strings with env/secret manager references
- Add guardrails: git hooks, CI secret scanning, unit tests for redaction
- Verify
- Add tests ensuring redaction occurs
- Run a lightweight grep for common secret patterns and known keys
Output
- List of leak points found (if any)
- Recommended redaction policy + implementation location
- Tests and verification steps
Repo integration (optional)
Related prompts:
check-for-secrets.prompt.mdassess-logging.prompt.md
Output format
- Leak points found (table): Type | Where | Evidence | Risk
- Redaction policy: defaults + allow-listed fields
- Guardrails: CI secret scanning, pre-commit, tests
- Verification: how to confirm redaction and rotation
Examples
- “Authorization header logged” → redact
Authorizationand cookies by default; verify logs no longer contain bearer tokens.
Related Skills
robotti-io/threat-model
tools
VerifiedTrustedCommunity
Threat model a system, feature, service, or PR using Shostack's 4Q workflow, evidence-first analysis, risk scoring, and CLI-friendly Mermaid helper scripts.
39SKILL.mdUpdated Apr 19, 2026
robotti-io/access-control-review
testing
VerifiedTrustedCommunity
Analyze repository-grounded identity, access control, and authorization design with evidence-first reporting and script-validated Mermaid diagrams.
39SKILL.mdUpdated Apr 19, 2026
robotti-io/threat-model
tools
VerifiedTrustedCommunity
Threat model a system, feature, service, or PR using Shostack's 4Q workflow, evidence-first analysis, risk scoring, and CLI-friendly Mermaid helper scripts.
39SKILL.mdUpdated Apr 19, 2026
robotti-io/dependency-cve-triage
content-media
VerifiedTrustedCommunity
Triage a dependency CVE using local repo evidence and remediation guidance.
39SKILL.mdUpdated Apr 19, 2026