{"skill":{"slug":"nirwan-secret-scanner","displayName":"Secret Scanner","summary":"Scans files, repos, and directories for leaked secrets — API keys, tokens, passwords, connection strings, private keys, and credentials. Detects 40+ secret p...","description":"---\r\nname: secret-scanner\r\ndescription: Scans files, repos, and directories for leaked secrets — API keys, tokens, passwords, connection strings, private keys, and credentials. Detects 40+ secret patterns across all major cloud providers and services.\r\nversion: 0.1.0\r\n---\r\n\r\n# Secret Scanner\r\n\r\nSecurity skill that scans code, config files, and repos for accidentally leaked secrets and credentials.\r\n\r\n## When to Use This Skill\r\n\r\nUse this skill when the user:\r\n\r\n- Asks to \"check for leaked secrets\" or \"scan for API keys\"\r\n- Wants to audit a repo or folder before committing or publishing\r\n- Says \"are there any hardcoded passwords in this code?\"\r\n- Asks to \"find credentials\" or \"check for exposed tokens\"\r\n- Wants pre-commit or pre-publish security checks\r\n- Mentions concern about accidentally checking in secrets\r\n\r\n## Capabilities\r\n\r\n- Detect **40+ secret patterns** including:\r\n  - AWS Access Keys, Secret Keys, Session Tokens\r\n  - Azure Storage Keys, Connection Strings, SAS Tokens\r\n  - GCP Service Account Keys, API Keys\r\n  - GitHub / GitLab / Bitbucket Personal Access Tokens\r\n  - OpenAI, Anthropic, Hugging Face API Keys\r\n  - Slack Bot Tokens, Webhooks\r\n  - Stripe, Twilio, SendGrid Keys\r\n  - Database connection strings (MongoDB, PostgreSQL, MySQL, Redis)\r\n  - SSH Private Keys, PEM/PFX Certificates\r\n  - JWT Tokens, Bearer Tokens\r\n  - Generic passwords in config files (password=, secret=, token=)\r\n- Scan individual files, directories, or entire repos recursively\r\n- Ignore binary files, node_modules, .git, and other non-relevant paths\r\n- Output results as Markdown report or JSON\r\n- Provide severity ratings (Critical, High, Medium, Low)\r\n- Suggest remediation for each finding\r\n\r\n## How to Scan\r\n\r\n### Scan a directory\r\n```bash\r\npython secret_scanner.py /path/to/project\r\n```\r\n\r\n### Scan with JSON output\r\n```bash\r\npython secret_scanner.py /path/to/project --json\r\n```\r\n\r\n### Scan and save report\r\n```bash\r\npython secret_scanner.py /path/to/project --output report.md\r\n```\r\n\r\n### Within an Agent\r\n```\r\n\"Scan this project for leaked secrets\"\r\n\"Check if there are any API keys in the codebase\"\r\n\"Run secret-scanner on the current directory\"\r\n\"Find hardcoded passwords in my config files\"\r\n\"Audit this repo before I push to GitHub\"\r\n```\r\n\r\n## Secret Patterns Detected\r\n\r\n### Cloud Provider Keys\r\n| Provider | Secrets Detected |\r\n|----------|-----------------|\r\n| **AWS** | Access Key ID (`AKIA...`), Secret Access Key, Session Token |\r\n| **Azure** | Storage Account Key, Connection String, SAS Token, Client Secret |\r\n| **GCP** | API Key (`AIza...`), Service Account JSON, OAuth Client Secret |\r\n\r\n### AI / LLM Keys\r\n| Service | Pattern |\r\n|---------|---------|\r\n| **OpenAI** | `sk-` prefixed API keys |\r\n| **Anthropic** | `sk-ant-` prefixed keys |\r\n| **Hugging Face** | `hf_` prefixed tokens |\r\n| **Cohere** | API keys in config |\r\n\r\n### Developer Platforms\r\n| Platform | Secrets Detected |\r\n|----------|-----------------|\r\n| **GitHub** | `ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_` tokens |\r\n| **GitLab** | `glpat-` tokens |\r\n| **Slack** | `xoxb-`, `xoxp-`, `xoxs-` tokens, webhook URLs |\r\n| **Stripe** | `sk_live_`, `sk_test_`, `rk_live_` keys |\r\n| **Twilio** | Account SID, Auth Token |\r\n| **SendGrid** | `SG.` prefixed API keys |\r\n\r\n### Databases & Infrastructure\r\n| Type | Pattern |\r\n|------|---------|\r\n| **MongoDB** | `mongodb://` or `mongodb+srv://` with credentials |\r\n| **PostgreSQL** | `postgresql://` with embedded password |\r\n| **MySQL** | `mysql://` with embedded password |\r\n| **Redis** | `redis://` with password |\r\n| **SSH** | `-----BEGIN (RSA\\|EC\\|OPENSSH) PRIVATE KEY-----` |\r\n| **Certificates** | PEM, PFX, P12 with embedded keys |\r\n\r\n### Generic Patterns\r\n| Pattern | Description |\r\n|---------|-------------|\r\n| **password=** | Hardcoded passwords in config/env files |\r\n| **secret=** | Hardcoded secrets |\r\n| **token=** | Hardcoded tokens |\r\n| **Bearer** | Bearer tokens in code |\r\n| **Basic Auth** | Base64-encoded basic auth headers |\r\n| **JWT** | `eyJ` prefixed JWT tokens |\r\n| **High Entropy** | Long random strings that look like secrets |\r\n\r\n## Severity Levels\r\n\r\n| Severity | Description | Examples |\r\n|----------|-------------|----------|\r\n| 🔴 **Critical** | Active production credentials | AWS Secret Key, Private Keys, DB passwords |\r\n| 🟠 **High** | Service tokens with broad access | GitHub PAT, Slack Bot Token, Stripe Live Key |\r\n| 🟡 **Medium** | Keys that may be test/dev | Test API keys, example tokens |\r\n| 🟢 **Low** | Potential false positives | Generic password= in comments, placeholder values |\r\n\r\n## Files Scanned\r\n\r\nScans these file types by default:\r\n- Source code: `.py`, `.js`, `.ts`, `.java`, `.go`, `.rb`, `.php`, `.cs`, `.rs`\r\n- Config: `.json`, `.yaml`, `.yml`, `.toml`, `.ini`, `.cfg`, `.conf`\r\n- Environment: `.env`, `.env.local`, `.env.production`\r\n- Shell: `.sh`, `.bash`, `.zsh`, `.ps1`\r\n- Docs: `.md`, `.txt`\r\n- Other: `Dockerfile`, `docker-compose.yml`, `Makefile`\r\n\r\n## Ignored Paths\r\n\r\nAutomatically skips:\r\n- `node_modules/`, `vendor/`, `venv/`, `.venv/`\r\n- `.git/`, `.svn/`\r\n- `__pycache__/`, `.pytest_cache/`\r\n- Binary files, images, compiled outputs\r\n- `package-lock.json`, `yarn.lock`\r\n\r\n## Remediation Guidance\r\n\r\nWhen secrets are found, the skill recommends:\r\n1. **Rotate the secret immediately** — assume it's compromised\r\n2. **Remove from code** — use environment variables or a secrets manager instead\r\n3. **Add to .gitignore** — prevent `.env` and credential files from being committed\r\n4. **Use git-filter-repo** — to remove secrets from git history\r\n5. **Enable pre-commit hooks** — to catch secrets before they're committed\r\n\r\n## Requirements\r\n- Python 3.7+\r\n- No additional dependencies (uses Python standard library)\r\n\r\n## Entry Point\r\n- **CLI:** `secret_scanner.py`\r\n\r\n## Tags\r\n#security #secrets #credentials #api-keys #tokens #passwords #scanner #audit #pre-commit #leak-detection #cloud #aws #azure #gcp #devops\r\n","tags":{"latest":"0.1.0"},"stats":{"comments":0,"downloads":264,"installsAllTime":10,"installsCurrent":0,"stars":0,"versions":1},"createdAt":1771449256109,"updatedAt":1778491578254},"latestVersion":{"version":"0.1.0","createdAt":1771449256109,"changelog":"Initial release - detects 36+ secret patterns across AWS, Azure, GCP, GitHub, OpenAI, and more.","license":null},"metadata":null,"owner":{"handle":"nirwandogra","userId":"s1750p57tk1c1nnpxpwjkxhr0x8847dr","displayName":"nirwan dogra","image":"https://avatars.githubusercontent.com/u/4733368?v=4"},"moderation":null}