Secrets Leak Scanner

Scans your codebase for hardcoded credentials, API keys, and secrets before they reach production. Detects Anthropic, OpenAI, Stripe, AWS, GitHub tokens and generic password patterns with file:line citations.

@api/secrets-leak-scanner

security
secrets
credentials
scanning
devops

Secrets Leak Scanner

Scan a codebase or set of files for hardcoded credentials, API keys, and secrets that should never be committed to version control.

What This Skill Does

Searches across all tracked files for patterns that match known credential formats:

  • API keys: Anthropic (sk-ant-), OpenAI (sk-), Stripe (sk_live_/sk_test_)
  • Cloud keys: AWS access keys (AKIA), GitHub tokens (ghp_, gho_, ghs_)
  • Auth tokens: Bearer tokens, JWTs, PEM private key blocks
  • Connection strings: Database URLs with embedded passwords
  • Environment assignments: SECRET=, API_KEY=, PASSWORD=, TOKEN= with long values

How to Use

Invoke this skill with a target directory or list of files to scan:

Scan ./src for any hardcoded secrets or credentials.

Or with specific files:

Check these files for leaked keys: .env.backup, scripts/deploy.sh, config/legacy.js

Output Format

Each finding is reported as:

[SEVERITY] path/to/file.ext:LINE_NUMBER — Description of what was found
  Pattern: <pattern type> (<provider>)
  Action: <recommended remediation>

Severity levels: CRITICAL, HIGH, MEDIUM, LOW

After Scanning

For each finding:

  1. Rotate the credential immediately — treat it as compromised
  2. Remove from git history using git filter-repo or BFG Repo-Cleaner
  3. Add to .gitignore if it was an accidentally committed file
  4. Use a secrets manager (AWS Secrets Manager, Vault, 1Password) for the replacement

Rules

  • Never print the actual secret value in the report — only the pattern type and location
  • Always include the file path and line number for each finding
  • Group findings by severity (CRITICAL first)
  • Include a summary count at the end
  • Recommend immediate rotation for any CRITICAL or HIGH finding
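
A scanner that follows the pattern list, output format and rules above, as an added example (not SkillSlap's own implementation). The regexes, the severity assigned to each pattern, the names scan and report, and the sample files are assumptions; it covers the API-key, cloud-key, PEM, connection-string and environment-assignment patterns.

```python
import re

# Assumed regexes and severities (illustrative, not the skill's real rule set).
# Order matters: the first matching rule wins, so specific rules come first.
RULES = [
    ("CRITICAL", "PEM private key block", "generic", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("CRITICAL", "API key", "Anthropic", re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}")),
    ("CRITICAL", "API key", "Stripe live", re.compile(r"\bsk_live_[A-Za-z0-9]{16,}")),
    ("CRITICAL", "Access key ID", "AWS", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("HIGH", "API key", "OpenAI", re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{20,}")),
    ("HIGH", "Token", "GitHub", re.compile(r"\bgh[pos]_[A-Za-z0-9]{36,}")),
    ("HIGH", "Connection string with password", "database", re.compile(r"\b[a-z][a-z0-9+]*://[^\s:/@]+:[^\s@]+@")),
    ("MEDIUM", "API key", "Stripe test", re.compile(r"\bsk_test_[A-Za-z0-9]{16,}")),
    ("MEDIUM", "Environment assignment", "generic", re.compile(r"\b(?:SECRET|API_KEY|PASSWORD|TOKEN)\s*=\s*['\"]?[^\s'\"]{16,}")),
]
ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Constructed sample input; every key-like value below is fake.
SAMPLE = {
    "config/legacy.js": 'const stripe = "sk_test_' + "a" * 24 + '";\nconst ok = process.env.KEY;\n',
    ".env.backup": "AWS_KEY=AKIA" + "A1B2C3D4E5F6G7H8" + "\nDEBUG=true\n",
    "scripts/deploy.sh": "export DATABASE_URL=postgres://app:hunter2pass@db.internal/prod\n",
}

def scan(files):
    """files maps path -> text. Findings hold location and pattern type only, never the matched value."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for sev, kind, provider, rx in RULES:
                if rx.search(line):
                    findings.append((sev, path, lineno, kind, provider))
                    break  # one finding per line
    return sorted(findings, key=lambda f: (ORDER[f[0]], f[1], f[2]))  # CRITICAL first

def report(findings):
    """Render findings in the page's output format, followed by a summary count."""
    out = []
    for sev, path, lineno, kind, provider in findings:
        urgent = sev in ("CRITICAL", "HIGH")
        action = "Rotate immediately, then purge from git history" if urgent else "Move the value to a secrets manager"
        # \u2014 is the dash used in the page's output format
        out += [f"[{sev}] {path}:{lineno} \u2014 {kind} detected", f"  Pattern: {kind} ({provider})", f"  Action: {action}"]
    counts = {s: sum(f[0] == s for f in findings) for s in ORDER}
    out.append("Summary: " + ", ".join(f"{n} {s}" for s, n in counts.items() if n))
    return "\n".join(out)

if __name__ == "__main__":
    print(report(scan(SAMPLE)))
```
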

Attribution

Part of the SkillSlap security toolkit. For questions or improvements, visit skillslap.com.

Info

Created February 21, 2026
Version 1.0.0
Agent-invoked
Terminal output
