Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

rubicanjr/secret-patterns

Name: secret-patterns
Author: rubicanjr

skills/secret-patterns/SKILL.md

npx skillsauth add rubicanjr/FinCognis secret-patterns

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Secret Detection Patterns

Patterns for finding leaked credentials in codebases, git history, and CI logs.

AWS Credentials

# Access Key ID: always starts with AKIA (long-term) or ASIA (session)
AKIA[0-9A-Z]{16}
ASIA[0-9A-Z]{16}

# Secret Access Key: 40-char base64-ish string after aws_secret
aws_secret_access_key\s*=\s*[A-Za-z0-9/+=]{40}

# ripgrep one-liner
rg --no-heading -n '(AKIA|ASIA)[0-9A-Z]{16}' .

GitHub Tokens

# Personal access tokens (classic and fine-grained)
ghp_[A-Za-z0-9]{36}
github_pat_[A-Za-z0-9_]{82}

# OAuth / app tokens
gho_[A-Za-z0-9]{36}
ghs_[A-Za-z0-9]{36}
ghu_[A-Za-z0-9]{36}
ghr_[A-Za-z0-9]{36}

rg --no-heading -n 'gh[pousr]_[A-Za-z0-9]{36}' .

Stripe Keys

# Live secret (never commit)
sk_live_[A-Za-z0-9]{24,}

# Test secret (flag but lower severity)
sk_test_[A-Za-z0-9]{24,}

# Publishable keys (public, lower severity)
pk_live_[A-Za-z0-9]{24,}
pk_test_[A-Za-z0-9]{24,}

rg --no-heading -n 'sk_(live|test)_[A-Za-z0-9]{24,}' .

OpenAI / Anthropic Keys

# OpenAI
sk-proj-[A-Za-z0-9\-_]{50,}
sk-[A-Za-z0-9]{48}

# Anthropic
sk-ant-[A-Za-z0-9\-_]{90,}

rg --no-heading -n '(sk-proj-|sk-ant-)' .

JWT Tokens

# Three base64url segments separated by dots
eyJ[A-Za-z0-9\-_]+\.eyJ[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+

# Decode header to verify (Python)
import base64, json
header = token.split('.')[0] + '=='
print(json.loads(base64.urlsafe_b64decode(header)))

PEM Private Keys

# RSA, EC, OpenSSH private keys
-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----

rg --no-heading -n '\-\-\-\-\-BEGIN.+PRIVATE KEY' .

# Also catch generic PEM blocks
-----BEGIN CERTIFICATE-----
-----BEGIN PGP PRIVATE KEY BLOCK-----

Slack Tokens

xoxb-[0-9]{11,}-[0-9]{11,}-[A-Za-z0-9]{24}   # Bot token
xoxp-[0-9]{11,}-[0-9]{11,}-[A-Za-z0-9]{32}   # User token
xoxe\.[A-Za-z0-9\-_]{80,}                      # Enterprise grid
xoxs-[A-Za-z0-9\-]{80,}                        # SCIM token

rg --no-heading -n 'xox[bpse][-.]' .

Database Connection Strings

# PostgreSQL
postgres(ql)?://[^:]+:[^@]+@[^/]+/\S+
postgresql\+asyncpg://[^:]+:[^@]+@

# MongoDB
mongodb(\+srv)?://[^:]+:[^@]+@

# MySQL / MariaDB
mysql://[^:]+:[^@]+@

rg --no-heading -n '(postgres|mongodb|mysql)://\S+:\S+@' .

NPM, SendGrid, Twilio, Mailgun

# NPM publish token
npm_[A-Za-z0-9]{36}

# SendGrid
SG\.[A-Za-z0-9\-_]{22}\.[A-Za-z0-9\-_]{43}

# Twilio account SID + auth token
AC[0-9a-f]{32}                           # Account SID
SK[0-9a-f]{32}                           # API Key SID

# Mailgun API key
key-[A-Za-z0-9]{32}

rg --no-heading -n '(npm_[A-Za-z0-9]{36}|SG\.[A-Za-z0-9_-]{22}\.)' .

SSH Private Keys

-----BEGIN OPENSSH PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
-----BEGIN EC PRIVATE KEY-----
-----BEGIN DSA PRIVATE KEY-----

Google Service Account JSON

// Detect the "type": "service_account" JSON pattern
rg --no-heading -n '"type"\s*:\s*"service_account"' .

// Or the private_key field
rg --no-heading -n '"private_key"\s*:\s*"-----BEGIN' .

High-Entropy String Detection (Shannon Entropy)

import math
from collections import Counter

def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    freq = Counter(s)
    length = len(s)
    return -sum((c / length) * math.log2(c / length) for c in freq.values())

def is_high_entropy_secret(value: str, threshold: float = 4.5) -> bool:
    # Ignore short strings and common words
    if len(value) < 20:
        return False
    return shannon_entropy(value) > threshold

# Example usage
candidates = [
    "AKIAIOSFODNN7EXAMPLE",          # entropy ~4.1 (low, example key)
    "wJalrXUtnFEMI/K7MDENG/bPxRfi",  # entropy ~4.7 (real secret)
    "my-password-123",               # entropy ~3.8 (low)
]
for c in candidates:
    print(f"{c[:20]}... entropy={shannon_entropy(c):.2f} secret={is_high_entropy_secret(c)}")

False Positive Filtering Rules

FALSE_POSITIVE_PATHS = [
    r'test[s]?/',
    r'__tests__/',
    r'spec/',
    r'fixtures/',
    r'examples/',
    r'docs/',
    r'\.md$',
    r'CHANGELOG',
    r'README',
]

FALSE_POSITIVE_VALUES = [
    'example',
    'placeholder',
    'your_key_here',
    'INSERT_KEY',
    'REPLACE_ME',
    'xxxx',
    '1234',
    'test',
    'dummy',
    'fake',
]

def is_false_positive(path: str, value: str) -> bool:
    import re
    for pattern in FALSE_POSITIVE_PATHS:
        if re.search(pattern, path, re.IGNORECASE):
            return True
    lower = value.lower()
    return any(fp in lower for fp in FALSE_POSITIVE_VALUES)

Pre-commit Hook Integration

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.4
    hooks:
      - id: gitleaks

  - repo: https://github.com/trufflesecurity/trufflehog
    rev: v3.63.5
    hooks:
      - id: trufflehog
        entry: trufflehog git file://. --since-commit HEAD --only-verified --fail

# Manual scan of full git history
gitleaks detect --source . --log-opts="--all"

# TruffleHog targeted scan
trufflehog git https://github.com/org/repo --only-verified

# ripgrep composite scan (fast, no install)
rg --no-heading -n \
  '(AKIA|ASIA|ghp_|sk_live_|sk-proj-|sk-ant-|xoxb-|npm_|SG\.|-----BEGIN.+PRIVATE)' \
  --glob '!{node_modules,dist,.git}' .

Key rule: Any match outside test/, docs/, or examples/ with entropy > 4.5 is a confirmed finding. Rotate immediately.

rubicanjr/secret-patterns

skills/secret-patterns/SKILL.md

30+ service-specific secret detection regex patterns, entropy-based detection, PEM/JWT/Base64 identification, and false positive filtering.

testing

Updated Apr 24, 2026

$ install --global

skillsauth

npx skillsauth add rubicanjr/FinCognis secret-patterns

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 24, 2026, 6:47 AM177.4s1 file scanned

SKILL.md

name:: secret-patterns
description:: 30+ service-specific secret detection regex patterns, entropy-based detection, PEM/JWT/Base64 identification, and false positive filtering.

Secret Detection Patterns

Patterns for finding leaked credentials in codebases, git history, and CI logs.

AWS Credentials

# Access Key ID: always starts with AKIA (long-term) or ASIA (session)
AKIA[0-9A-Z]{16}
ASIA[0-9A-Z]{16}

# Secret Access Key: 40-char base64-ish string after aws_secret
aws_secret_access_key\s*=\s*[A-Za-z0-9/+=]{40}

# ripgrep one-liner
rg --no-heading -n '(AKIA|ASIA)[0-9A-Z]{16}' .

GitHub Tokens

# Personal access tokens (classic and fine-grained)
ghp_[A-Za-z0-9]{36}
github_pat_[A-Za-z0-9_]{82}

# OAuth / app tokens
gho_[A-Za-z0-9]{36}
ghs_[A-Za-z0-9]{36}
ghu_[A-Za-z0-9]{36}
ghr_[A-Za-z0-9]{36}

rg --no-heading -n 'gh[pousr]_[A-Za-z0-9]{36}' .

Stripe Keys

# Live secret (never commit)
sk_live_[A-Za-z0-9]{24,}

# Test secret (flag but lower severity)
sk_test_[A-Za-z0-9]{24,}

# Publishable keys (public, lower severity)
pk_live_[A-Za-z0-9]{24,}
pk_test_[A-Za-z0-9]{24,}

rg --no-heading -n 'sk_(live|test)_[A-Za-z0-9]{24,}' .

OpenAI / Anthropic Keys

# OpenAI
sk-proj-[A-Za-z0-9\-_]{50,}
sk-[A-Za-z0-9]{48}

# Anthropic
sk-ant-[A-Za-z0-9\-_]{90,}

rg --no-heading -n '(sk-proj-|sk-ant-)' .

JWT Tokens

# Three base64url segments separated by dots
eyJ[A-Za-z0-9\-_]+\.eyJ[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+

# Decode header to verify (Python)
import base64, json
header = token.split('.')[0] + '=='
print(json.loads(base64.urlsafe_b64decode(header)))

PEM Private Keys

# RSA, EC, OpenSSH private keys
-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----

rg --no-heading -n '\-\-\-\-\-BEGIN.+PRIVATE KEY' .

# Also catch generic PEM blocks
-----BEGIN CERTIFICATE-----
-----BEGIN PGP PRIVATE KEY BLOCK-----

Slack Tokens

xoxb-[0-9]{11,}-[0-9]{11,}-[A-Za-z0-9]{24}   # Bot token
xoxp-[0-9]{11,}-[0-9]{11,}-[A-Za-z0-9]{32}   # User token
xoxe\.[A-Za-z0-9\-_]{80,}                      # Enterprise grid
xoxs-[A-Za-z0-9\-]{80,}                        # SCIM token

rg --no-heading -n 'xox[bpse][-.]' .

Database Connection Strings

# PostgreSQL
postgres(ql)?://[^:]+:[^@]+@[^/]+/\S+
postgresql\+asyncpg://[^:]+:[^@]+@

# MongoDB
mongodb(\+srv)?://[^:]+:[^@]+@

# MySQL / MariaDB
mysql://[^:]+:[^@]+@

rg --no-heading -n '(postgres|mongodb|mysql)://\S+:\S+@' .

NPM, SendGrid, Twilio, Mailgun

# NPM publish token
npm_[A-Za-z0-9]{36}

# SendGrid
SG\.[A-Za-z0-9\-_]{22}\.[A-Za-z0-9\-_]{43}

# Twilio account SID + auth token
AC[0-9a-f]{32}                           # Account SID
SK[0-9a-f]{32}                           # API Key SID

# Mailgun API key
key-[A-Za-z0-9]{32}

rg --no-heading -n '(npm_[A-Za-z0-9]{36}|SG\.[A-Za-z0-9_-]{22}\.)' .

SSH Private Keys

-----BEGIN OPENSSH PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
-----BEGIN EC PRIVATE KEY-----
-----BEGIN DSA PRIVATE KEY-----

Google Service Account JSON

// Detect the "type": "service_account" JSON pattern
rg --no-heading -n '"type"\s*:\s*"service_account"' .

// Or the private_key field
rg --no-heading -n '"private_key"\s*:\s*"-----BEGIN' .

High-Entropy String Detection (Shannon Entropy)

import math
from collections import Counter

def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    freq = Counter(s)
    length = len(s)
    return -sum((c / length) * math.log2(c / length) for c in freq.values())

def is_high_entropy_secret(value: str, threshold: float = 4.5) -> bool:
    # Ignore short strings and common words
    if len(value) < 20:
        return False
    return shannon_entropy(value) > threshold

# Example usage
candidates = [
    "AKIAIOSFODNN7EXAMPLE",          # entropy ~4.1 (low, example key)
    "wJalrXUtnFEMI/K7MDENG/bPxRfi",  # entropy ~4.7 (real secret)
    "my-password-123",               # entropy ~3.8 (low)
]
for c in candidates:
    print(f"{c[:20]}... entropy={shannon_entropy(c):.2f} secret={is_high_entropy_secret(c)}")

False Positive Filtering Rules

FALSE_POSITIVE_PATHS = [
    r'test[s]?/',
    r'__tests__/',
    r'spec/',
    r'fixtures/',
    r'examples/',
    r'docs/',
    r'\.md$',
    r'CHANGELOG',
    r'README',
]

FALSE_POSITIVE_VALUES = [
    'example',
    'placeholder',
    'your_key_here',
    'INSERT_KEY',
    'REPLACE_ME',
    'xxxx',
    '1234',
    'test',
    'dummy',
    'fake',
]

def is_false_positive(path: str, value: str) -> bool:
    import re
    for pattern in FALSE_POSITIVE_PATHS:
        if re.search(pattern, path, re.IGNORECASE):
            return True
    lower = value.lower()
    return any(fp in lower for fp in FALSE_POSITIVE_VALUES)

Pre-commit Hook Integration

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.4
    hooks:
      - id: gitleaks

  - repo: https://github.com/trufflesecurity/trufflehog
    rev: v3.63.5
    hooks:
      - id: trufflehog
        entry: trufflehog git file://. --since-commit HEAD --only-verified --fail

# Manual scan of full git history
gitleaks detect --source . --log-opts="--all"

# TruffleHog targeted scan
trufflehog git https://github.com/org/repo --only-verified

# ripgrep composite scan (fast, no install)
rg --no-heading -n \
  '(AKIA|ASIA|ghp_|sk_live_|sk-proj-|sk-ant-|xoxb-|npm_|SG\.|-----BEGIN.+PRIVATE)' \
  --glob '!{node_modules,dist,.git}' .

Key rule: Any match outside test/, docs/, or examples/ with entropy > 4.5 is a confirmed finding. Rotate immediately.

Related Skills

rubicanjr/workflow-router

development

VerifiedTrustedCommunity

Goal-based workflow orchestration - routes tasks to specialist agents based on user goals

SKILL.mdUpdated Apr 24, 2026

rubicanjr/workflow-router

rubicanjr/wiring

tools

VerifiedTrustedCommunity

Wiring Verification

SKILL.mdUpdated Apr 24, 2026

rubicanjr/websocket-patterns

development

VerifiedTrustedCommunity

Connection management, room patterns, reconnection strategies, message buffering, and binary protocol design.

SKILL.mdUpdated Apr 24, 2026

rubicanjr/websocket-patterns

rubicanjr/visual-verdict

development

VerifiedTrustedCommunity

Screenshot comparison QA for frontend development. Takes a screenshot of the current implementation, scores it across multiple visual dimensions, and returns a structured PASS/REVISE/FAIL verdict with concrete fixes. Use when implementing UI from a design reference or verifying visual correctness.

SKILL.mdUpdated Apr 24, 2026

rubicanjr/visual-verdict

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/rubicanjr/FinCognis.git

# Copy into Claude Code skills folder (global)
cp -r FinCognis/skills/secret-patterns ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

rubicanjr/FinCognis

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT