Find leaked API keys and credentials before they cause a breach
claude install community/secrets-scanner
Deep secrets detection that catches API keys, tokens, passwords, and private keys with minimal false positives. Integrates as pre-commit hook.
This is the actual SKILL.md file that powers this skill. Copy it to install.
---
name: secrets-scanner
description: |
  Trigger on "scan for secrets", "check for leaks", "find API keys",
  "security scan", or as a pre-commit check. Scans code for leaked
  credentials with minimal false positives.
allowed-tools:
  - Bash(command *)
  - Read
  - Grep
  - Glob
---
# Secrets Scanner
Scan code for leaked secrets: API keys, tokens, passwords, and credentials.
Pre-commit hook compatible with low false-positive rate.
## Prerequisites
- Git repository (for pre-commit hook integration)
- Access to file system for scanning
## Patterns Detected
1. **API Keys** - AWS, GCP, Azure, Stripe, Twilio, SendGrid, etc.
2. **Tokens** - JWT, OAuth, GitHub, GitLab, npm tokens
3. **Passwords** - Hardcoded password strings in config files
4. **Private keys** - RSA, SSH, PGP private key blocks
5. **Connection strings** - Database URLs with credentials
6. **Cloud credentials** - AWS access keys, GCP service account JSON
## Steps
1. **Scan the repository:**
```bash
# Check for common secret patterns
# The brace lists stay unquoted so bash expands them into one option per entry
grep -rn --include=*.{ts,js,py,go,rb,java,yaml,yml,json,env,toml} \
  -E "(AKIA[0-9A-Z]{16}|sk-[a-zA-Z0-9]{48}|ghp_[a-zA-Z0-9]{36}|password[[:space:]]*=[[:space:]]*['\"][^'\"]+['\"])" \
  --exclude-dir={node_modules,.git,vendor,dist,build} .
```
2. **Check .env files:**
```bash
# {} is passed as its own argument so every find implementation substitutes the path
find . -name ".env*" -not -name ".env.example" -exec echo "WARNING:" {} \;
```
3. **Verify .gitignore coverage:**
```bash
# Ensure sensitive files are gitignored (-q: report only the ones that are not)
for f in .env .env.local .env.production credentials.json service-account.json; do
  git check-ignore -q "$f" 2>/dev/null || echo "NOT IGNORED: $f"
done
```
4. **For each finding:**
   - Classify: TRUE positive or FALSE positive
   - If true: recommend moving to environment variable
   - If the secret was ever committed: recommend rotating it immediately
   - Add the file pattern to .gitignore
5. **Pre-commit hook setup:**
```bash
# Add to .git/hooks/pre-commit or .pre-commit-config.yaml
# Runs before every commit to catch secrets early
```
## False Positive Reduction
- Ignore test fixtures and mock data
- Skip example/placeholder values (YOUR_API_KEY, xxx, test123)
- Check file context: is this a .env.example with placeholders?
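One way to fill in the pre-commit hook from step 5 while applying the placeholder and file-context rules from "False Positive Reduction" (an added example, not part of the original SKILL.md). The patterns are the ones from step 1; the fixture and mock path globs and the `file:line` output format are assumptions.

```bash
#!/bin/sh
# Added example. Install as .git/hooks/pre-commit and mark it executable.
# SECRET_RE repeats the step 1 patterns; PLACEHOLDER_RE is the placeholder list.
SECRET_RE="(AKIA[0-9A-Z]{16}|sk-[a-zA-Z0-9]{48}|ghp_[a-zA-Z0-9]{36}|password[[:space:]]*=[[:space:]]*['\"][^'\"]+['\"])"
PLACEHOLDER_RE="(YOUR_API_KEY|xxx|test123)"

# Reads a unified diff on stdin and prints "file:line" for every added line
# that looks like a secret. The value itself is never echoed.
# Returns 1 when at least one finding was printed, 0 otherwise.
scan_added_lines() {
    found=0 file="" n=0
    while IFS= read -r line; do
        case "$line" in
            "+++ b/"*) file=${line#"+++ b/"}; continue ;;        # new-side file name
            "@@ "*)    n=${line#*+}; n=${n%%[, ]*}; continue ;;  # first new-side line number
            " "*)      n=$((n + 1)); continue ;;                 # context line
            "+"*)      cur=$n; n=$((n + 1)) ;;                   # added line: inspect below
            *)         continue ;;                               # removals and headers
        esac
        # File context: skip fixtures, mocks and *.example (path globs are assumed).
        case "$file" in *fixtures/*|*mocks/*|*.example) continue ;; esac
        if printf '%s\n' "${line#+}" | grep -Eq -e "$SECRET_RE" &&
           ! printf '%s\n' "${line#+}" | grep -Eq -e "$PLACEHOLDER_RE"; then
            printf '%s:%s\n' "$file" "$cur"
            found=1
        fi
    done
    return "$found"
}

# Act as the hook only when invoked under that name, so the function can be
# sourced and exercised separately.
if [ "${0##*/}" = "pre-commit" ]; then
    if ! git diff --cached --no-color -U0 --src-prefix=a/ --dst-prefix=b/ | scan_added_lines; then
        echo "Commit blocked: possible secret in staged changes (file:line above)." >&2
        exit 1
    fi
fi
```

The hook inspects staged additions only, so a secret that already reached history still needs the rotation recommended in step 4.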
mkdir -p ~/.claude/skills/secrets-scanner
~/.claude/skills/secrets-scanner/SKILL.md
Resulting file structure:
~/.claude/
  skills/
    secrets-scanner/
      SKILL.md <-- skill definition
Skills are loaded automatically by Claude Code when you start a new session. The skill name and description in the frontmatter determine when Claude triggers it.