# Secrets Scan

Deep detection of hardcoded credentials and sensitive data in source code.

## Quick Start

```bash
/secrets-scan                  # Scan current directory
/secrets-scan --scope src/     # Scan specific path
/secrets-scan --entropy        # Include high-entropy detection
/secrets-scan --git-history    # Check git commit history
```

## What This Skill Detects

### High-Confidence Patterns

Patterns with very low false positive rates:

| Type | Pattern | Provider |
| --- | --- | --- |
| AWS Access Key | `AKIA...` (20 chars) | AWS |
| AWS Secret Key | 40 chars, base64 alphabet | AWS |
| GitHub Token | `ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_` | GitHub |
| GitLab Token | `glpat-...` | GitLab |
| Slack Token | `xoxb-`, `xoxp-`, `xoxa-` | Slack |
| Stripe Key | `sk_live_`, `rk_live_` | Stripe |
| Twilio | `SK...` (34 chars) | Twilio |
| SendGrid | `SG.` followed by base64 | SendGrid |
| Private Key | `-----BEGIN ... PRIVATE KEY-----` (RSA, EC, DSA or unlabelled) | Various |
| Google API Key | `AIza...` (39 chars) | Google |

### Medium-Confidence Patterns

May require context validation:

| Type | Pattern | Notes |
| --- | --- | --- |
| Generic API Key | `api[_-]?key.*=.*['"][a-zA-Z0-9]{16,}` | Variable names |
| Generic Secret | `secret.*=.*['"][^'"]+` | Context needed |
| Password | `password.*=.*['"][^'"]+` | May be config |
| Connection String | `://[^:]+:[^@]+@` | DB credentials |
| Bearer Token | `Bearer [A-Za-z0-9._-]+` | In headers/code (the `.` admits JWTs) |

### High-Entropy Detection

Finds potential secrets via entropy analysis:

```bash
/secrets-scan --entropy
```

Detects strings with high randomness that may be:

- Base64-encoded secrets
- Hex-encoded tokens
- Custom API key formats

Content hashes, UUIDs and minified assets also score high, so entropy findings carry lower confidence than pattern matches and should be triaged with the ignore rules described under False Positive Handling.

## Detection Patterns

### Cloud Provider Keys
| Service | Pattern | Notes |
| --- | --- | --- |
| AWS | `AKIA[0-9A-Z]{16}` | Access Key ID |
| AWS | `[A-Za-z0-9/+=]{40}` | Secret Access Key (context needed) |
| Azure | `[a-zA-Z0-9+/=]{88}` | Storage Account Key |
| GCP | `AIza[0-9A-Za-z_-]{35}` | API Key |
| GCP | `[0-9]+-[a-z0-9]{32}\.apps\.googleusercontent\.com` | OAuth Client |

### Version Control Tokens

| Service | Pattern | Notes |
| --- | --- | --- |
| GitHub | `gh[pousr]_[A-Za-z0-9]{36}` | Personal/OAuth/User/Repo/App |
| GitHub | `github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}` | Fine-grained PAT |
| GitLab | `glpat-[A-Za-z0-9_-]{20}` | Personal Access Token |
| Bitbucket | `[a-zA-Z0-9]+` | App Password (context needed) |

### Payment & Finance

| Service | Pattern | Notes |
| --- | --- | --- |
| Stripe | `sk_live_[a-zA-Z0-9]{24,}` | Secret Key |
| Stripe | `rk_live_[a-zA-Z0-9]{24,}` | Restricted Key |
| Stripe | `pk_live_[a-zA-Z0-9]{24,}` | Publishable Key (not secret by itself, but usually sits next to one) |
| Square | `sq0[a-z]{3}-[A-Za-z0-9_-]{22,}` | Access Token |
| PayPal | `access_token\$[a-zA-Z0-9$_.-]+` | OAuth Token |

### Communication Services

| Service | Pattern | Notes |
| --- | --- | --- |
| Slack | `xox[bpas]-[0-9]{10,}-[a-zA-Z0-9-]+` | Bot/User/App Token |
| Twilio | `SK[a-f0-9]{32}` | API Key SID |
| Twilio | `[a-f0-9]{32}` | Auth Token (context needed) |
| SendGrid | `SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}` | API Key |

### Database Connection Strings

| Database | Pattern |
| --- | --- |
| PostgreSQL/MySQL | `(postgres(ql)?\|mysql\|mariadb)://[^:]+:[^@]+@[^/]+/\w+` |
| MongoDB | `mongodb(\+srv)?://[^:]+:[^@]+@` |
| Redis | `rediss?://[^:]*:[^@]+@` |

### Private Keys

```text
-----BEGIN ((RSA|EC|DSA|OPENSSH) )?PRIVATE KEY-----
-----BEGIN PGP PRIVATE KEY BLOCK-----
```

The optional algorithm label must be followed by a space; `(RSA|EC|DSA)?PRIVATE` would only match `RSAPRIVATE` or the unlabelled form and miss `-----BEGIN RSA PRIVATE KEY-----`.

### JWT & Session

```text
eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+    # JWT (header.payload.signature)
```
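The tables above describe two independent strategies: exact regexes for known token formats and entropy screening for everything else. The following is an added reference implementation (not the skill's own code) that runs a subset of the high-confidence patterns over each line, optionally screens quoted literals by Shannon entropy with separate thresholds for hex and base64 alphabets, redacts what it reports, and maps the result to the exit codes the skill uses in CI. The sample file, thresholds and the `Finding` shape are assumptions for the demo.

```python
"""Added example: regex + entropy secret detection over a constructed sample file."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Subset of the high-confidence table, anchored on word boundaries so a longer
# random token is not mistaken for, e.g., a 20-char AWS key ID.
HIGH_CONFIDENCE = {
    "AWS Access Key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub Token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "GitLab Token": re.compile(r"\bglpat-[A-Za-z0-9_-]{20}\b"),
    "Slack Token": re.compile(r"\bxox[bpas]-[0-9]{10,}-[A-Za-z0-9-]+"),
    "Stripe Key": re.compile(r"\b[sr]k_live_[A-Za-z0-9]{24,}\b"),
    "Google API Key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "Private Key": re.compile(r"-----BEGIN (?:(?:RSA|EC|DSA|OPENSSH) )?PRIVATE KEY-----"),
    "JWT": re.compile(r"\beyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
}

# Quoted literals long enough to be a credential: base64/hex/URL-safe alphabet, 20+ chars.
STRING_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/=_-]{20,})['"]""")
HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")
# Thresholds in bits per character (assumed values, tune per codebase). A hex token has
# a 16-symbol alphabet and tops out at 4.0 bits, so it needs a lower bar than base64.
HEX_THRESHOLD, BASE64_THRESHOLD = 3.0, 4.5


@dataclass(frozen=True)
class Finding:
    rule: str
    confidence: str  # "high" or "entropy"
    line_no: int
    redacted: str


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def redact(secret: str) -> str:
    """Keep just enough to identify the credential type, never a usable value."""
    return f"{secret[:4]}...{secret[-4:]}" if len(secret) > 12 else "***"


def is_high_entropy(literal: str) -> bool:
    threshold = HEX_THRESHOLD if HEX_ONLY.match(literal) else BASE64_THRESHOLD
    return shannon_entropy(literal) >= threshold


def scan_text(text: str, entropy: bool = False) -> list[Finding]:
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        claimed = []  # spans already reported by a high-confidence rule
        for rule, pattern in HIGH_CONFIDENCE.items():
            for m in pattern.finditer(line):
                claimed.append(m.span())
                findings.append(Finding(rule, "high", line_no, redact(m.group(0))))
        if not entropy:
            continue
        for m in STRING_LITERAL.finditer(line):
            # Don't double-report a literal that a precise rule already matched.
            if any(a <= m.start(1) and m.end(1) <= b for a, b in claimed):
                continue
            if is_high_entropy(m.group(1)):
                findings.append(Finding("High-entropy literal", "entropy", line_no, redact(m.group(1))))
    return findings


def exit_code(findings: list[Finding]) -> int:
    """Mirror the skill's CI contract: 0 = clean, 1 = findings (2 is reserved for scan errors)."""
    return 1 if findings else 0


# Constructed sample; none of these values are real credentials.
SAMPLE = """\
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
placeholder = "INSERT_YOUR_KEY_HERE_NOW"
session_secret = "Q7A2ZbM9LcP4dR1V8WY5HJ3FG6KN0SBCEDITUXOa"
hmac_key = "0123456789abcdef0123456789abcdef"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    results = scan_text(SAMPLE, entropy=True)
    for f in results:
        print(f"[{f.confidence}] line {f.line_no}: {f.rule} ({f.redacted})")
    raise SystemExit(exit_code(results))
```

Line 2 of the sample shows why the alphabet matters: a readable placeholder scores about 3.5 bits per character, well under the base64 threshold, while the 32-char hex value on line 4 scores exactly 4.0 and would be missed if hex were held to the same 4.5 bar.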
## Scan Options

### Basic Scan

```bash
/secrets-scan
```

Scans for high-confidence patterns only.

### With Entropy Analysis

```bash
/secrets-scan --entropy
```

Adds high-entropy string detection (more findings, some false positives).

### Specific Scope

```bash
/secrets-scan --scope src/api/
/secrets-scan --scope "*.ts"
```

### Git History Scan

```bash
/secrets-scan --git-history
/secrets-scan --git-history --since "2024-01-01"
```

Scans commit history for secrets that were committed and later removed. A secret deleted in a later commit is still readable in every clone of the repository, so history findings need the same rotation as findings in the current tree.

### Exclude Patterns

```bash
/secrets-scan --exclude "*.test.ts" --exclude "fixtures/"
```

## Output Format

### Finding Report

```text
SECRETS SCAN RESULTS
====================

High-Confidence Findings: 2
Medium-Confidence Findings: 5
Entropy Findings: 3

[!] CRITICAL: AWS Access Key
    File: src/config/aws.ts:15
    Pattern: AKIAIOSFODNN7EXAMPLE
    Action: Rotate immediately, check CloudTrail

[!] CRITICAL: GitHub Token
    File: .env.example:8
    Pattern: ghp_xxxx...xxxx (redacted)
    Action: Revoke token, remove from history

[H] HIGH: Database Password
    File: docker-compose.yml:23
    Pattern: password: supersecret
    Action: Use environment variable

[M] MEDIUM: Possible API Key
    File: src/services/api.ts:44
    Pattern: apiKey = "a1b2c3..."
    Context: May be test value
```

### Summary Statistics

```text
Files scanned: 342
Patterns checked: 127
Time elapsed: 2.3s

By Severity:
  Critical: 2
  High: 5
  Medium: 8

By Type:
  Cloud credentials: 2
  API keys: 4
  Passwords: 3
  Private keys: 1
  Other: 5
```

## False Positive Handling

### Common False Positives

- Example/placeholder values
  - `AKIAIOSFODNN7EXAMPLE` (the AWS documentation example key)
  - `sk_test_...` (Stripe test key)
  - `your-api-key-here`
- Test fixtures
  - Mock credentials in test files
  - Fixture data
- Documentation
  - README examples
  - API documentation

### Ignore File

Create `.secrets-scan-ignore`:
```gitignore
# Ignore test fixtures
**/fixtures/**
**/mocks/**
*.test.ts
*.spec.js

# Ignore documentation
docs/*
*.md

# Ignore specific false positives
src/constants.ts:EXAMPLE_KEY

# Inline ignore comment
# secrets-scan-ignore: test fixture
```
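The ignore file combines three kinds of suppression (path globs, `path:IDENTIFIER` entries, and the inline `secrets-scan-ignore:` marker) with the known-placeholder list from Common False Positives. The following is an added example (not the skill's own code) of applying all of them to raw findings. It assumes glob entries match the repository-relative path, that a `path:IDENTIFIER` entry suppresses findings on lines of that file which mention the identifier, and that the inline marker suppresses findings on its own line and on the line that follows it; that last rule is my reading of the inline example, not something the skill documents. The ignore file copy, sources and findings are constructed.

```python
"""Added example: applying .secrets-scan-ignore rules and placeholder checks to findings."""
import fnmatch
from dataclasses import dataclass, field

INLINE_MARKER = "secrets-scan-ignore:"
# Documented example values that are never live credentials.
KNOWN_PLACEHOLDERS = ("AKIAIOSFODNN7EXAMPLE", "your-api-key-here")
PLACEHOLDER_PREFIXES = ("sk_test_", "rk_test_", "pk_test_")


@dataclass(frozen=True)
class RawFinding:
    path: str
    line_no: int
    value: str  # matched secret; keep in memory only and redact before reporting


@dataclass
class IgnoreRules:
    globs: list = field(default_factory=list)
    identifiers: dict = field(default_factory=dict)  # path -> set of identifiers


def parse_ignore_file(text: str) -> IgnoreRules:
    rules = IgnoreRules()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" in line:  # assumed form: path:IDENTIFIER
            path, ident = line.rsplit(":", 1)
            rules.identifiers.setdefault(path, set()).add(ident)
        else:
            rules.globs.append(line)
    return rules


def path_ignored(path: str, globs: list) -> bool:
    for g in globs:
        candidates = [g]
        if g.startswith("**/"):
            candidates.append(g[3:])  # also match at the repository root
        # fnmatch's "*" crosses "/" so "*.md" covers docs/readme.md, as gitignore users expect.
        if any(fnmatch.fnmatch(path, c) for c in candidates):
            return True
    return False


def is_placeholder(value: str) -> bool:
    return value in KNOWN_PLACEHOLDERS or value.startswith(PLACEHOLDER_PREFIXES)


def filter_findings(findings, rules: IgnoreRules, sources: dict) -> list:
    """sources maps path -> file text; needed to see identifiers and inline markers."""
    kept = []
    for f in findings:
        if is_placeholder(f.value) or path_ignored(f.path, rules.globs):
            continue
        lines = sources.get(f.path, "").splitlines()
        line = lines[f.line_no - 1] if 0 < f.line_no <= len(lines) else ""
        prev = lines[f.line_no - 2] if f.line_no >= 2 and len(lines) >= f.line_no - 1 else ""
        if INLINE_MARKER in line or INLINE_MARKER in prev:
            continue
        if any(ident in line for ident in rules.identifiers.get(f.path, ())):
            continue
        kept.append(f)
    return kept


# Constructed copy of the ignore file shown above.
IGNORE_FILE = """\
# Ignore test fixtures
**/fixtures/**
**/mocks/**
*.test.ts
*.spec.js

# Ignore documentation
docs/*
*.md

# Ignore specific false positives
src/constants.ts:EXAMPLE_KEY
"""

# Constructed sources and findings; no real credentials.
SOURCES = {
    "src/config/aws.ts": 'const key = "AKIA0123456789ABCDEF";\n',
    "tests/fixtures/aws.json": '{"key": "AKIAFIXTUREFIXTUREFI"}\n',
    "src/constants.ts": 'export const EXAMPLE_KEY = "AKIATESTTESTTESTTEST";\n',
    "src/payment.ts": 'const stripe = "sk_test_000000000000000000000000";\n',
    "src/auth.ts": '// secrets-scan-ignore: example value\nconst DEMO = "AKIAEXAMPLEEXAMPLEEX";\n',
    "docs/setup.md": "# Setup\n\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
}
RAW_FINDINGS = [
    RawFinding("src/config/aws.ts", 1, "AKIA0123456789ABCDEF"),        # real finding, kept
    RawFinding("tests/fixtures/aws.json", 1, "AKIAFIXTUREFIXTUREFI"),  # glob **/fixtures/**
    RawFinding("src/constants.ts", 1, "AKIATESTTESTTESTTEST"),         # path:EXAMPLE_KEY
    RawFinding("src/payment.ts", 1, "sk_test_000000000000000000000000"),  # test-key prefix
    RawFinding("src/auth.ts", 2, "AKIAEXAMPLEEXAMPLEEX"),              # inline marker above
    RawFinding("docs/setup.md", 3, "AKIAIOSFODNN7EXAMPLE"),            # placeholder + docs/*
]

if __name__ == "__main__":
    for f in filter_findings(RAW_FINDINGS, parse_ignore_file(IGNORE_FILE), SOURCES):
        print(f"{f.path}:{f.line_no} {f.value[:4]}...{f.value[-4:]}")
```

Only the first finding survives. Note that the identifier rule is scoped to one file on purpose: suppressing `EXAMPLE_KEY` everywhere would let a real key hide behind a reassuring variable name.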
### Inline Ignore

```ts
// secrets-scan-ignore: example value
const EXAMPLE_KEY = "AKIAIOSFODNN7EXAMPLE";
```

## Remediation Steps

### When Secrets Are Found

#### Immediate Actions

1. Rotate the credential immediately. Anything that reached a remote must be treated as compromised: rewriting history does not recall clones, forks, CI caches or scraper copies.
2. Check access logs for unauthorized use (for AWS keys, CloudTrail).
3. Remove it from code/config and load it from an environment variable or secrets manager instead.

#### Clean Git History

```bash
# Remove secret from history
git filter-branch --force --index-filter \
  'git rm --cached --ignore-unmatch path/to/file' \
  --prune-empty --tag-name-filter cat -- --all

# Or use BFG Repo Cleaner
bfg --replace-text secrets.txt repo.git
```

`git filter-branch` is slow and is discouraged by the Git project in favour of `git filter-repo`; BFG's `--replace-text` reads one literal per line from `secrets.txt` and replaces each occurrence with `***REMOVED***`. After either tool, force-push every branch and tag and have collaborators re-clone. The rotation in step 1 is what actually closes the exposure.

#### Prevent Future Commits

- Add pre-commit hooks
- Configure secret scanning in CI

### Prevention

```bash
# Install pre-commit hook
npx husky add .husky/pre-commit "npx secrets-scan --staged"
```

`husky add` is the Husky v8 command; with v9 you write the hook file directly, as in the Pre-Commit Hook section under Integration.
## Integration

### CI/CD Pipeline

```yaml
# GitHub Actions
- name: Secrets Scan
  run: |
    /secrets-scan --fail-on-findings
    exit $?
```

Exit codes:

- `0` = No findings
- `1` = Findings detected
- `2` = Error during scan

Both non-zero codes fail the step, so a scanner that crashes cannot silently pass the pipeline; keep it that way rather than mapping `2` to success.

### Pre-Commit Hook

```sh
#!/bin/sh
# .husky/pre-commit
files=$(git diff --cached --name-only --diff-filter=ACM)
[ -z "$files" ] && exit 0
/secrets-scan --files "$files"
```

`--diff-filter=ACM` limits the list to added, copied and modified files, so a staged deletion does not hand the scanner a path that no longer exists. A pre-commit hook is advisory (`git commit --no-verify` skips it); the CI step is the enforcing control, and `--git-history` catches what slipped through before either was in place.