is designed to safeguard repositories by identifying hardcoded sensitive information such as API keys, database credentials, and authentication tokens before they are committed or after they have been accidentally pushed to history.
When to Use
Pre-commit Checks
Run this skill before committing changes to ensure no secrets are being introduced.
CI/CD Pipelines
Integrate into automated pipelines to block builds that contain plain-text secrets.
Legacy Audits
Use with
scan_history: true
to perform a deep audit of a project's entire history to find secrets that were deleted but still exist in git logs.
When NOT to Use
Production Logs
This tool is for source code and config files; it is not optimized for scanning terabytes of runtime logs.
Binary Files
It will not effectively detect secrets inside compiled binaries or encrypted blobs.
Input and Output Examples
Input
directory_path
:
"./config"
scan_history
:
false
Output
{
"leaks"
:
[
{
"file"
:
"config/production.yaml"
,
"line"
:
45
,
"type"
:
"Stripe Secret Key"
,
"risk_level"
:
"critical"
,
"snippet"
:
"sk_live_****"
}
]
}
Error Conditions and Edge Cases
False Positives
High-entropy strings in test data or encrypted hashes may be flagged as secrets.
Git Repository Required
If
scan_history
is true, the target directory must be a valid git repository.
Permission Denied
The skill will fail if it lacks read permissions for specific files or the
.git
directory.
Security and Data-Handling Considerations
No Persistence
This skill does not store the secrets it finds.
Masking
Output snippets are masked to prevent the tool itself from becoming a source of leaks in logs or terminal history.
Local Execution
The skill runs locally and does not phone home or upload code to third-party services.