{"skill":{"slug":"secrets-audit","displayName":"Secrets Audit","summary":"Scan projects and codebases for exposed secrets, API keys, tokens, passwords, and sensitive credentials. Detects hardcoded secrets in source code, config fil...","description":"---\nname: secrets-audit\ndescription: Scan projects and codebases for exposed secrets, API keys, tokens, passwords, and sensitive credentials. Detects hardcoded secrets in source code, config files, environment files, and git history. Use when asked to audit a project for secrets, check for exposed credentials, scan for API keys, find hardcoded passwords, review security of a codebase, check for leaked tokens, audit .env files, or verify no secrets are committed. Triggers on \"secrets audit\", \"scan for secrets\", \"find exposed keys\", \"check for credentials\", \"security scan\", \"leaked secrets\", \"hardcoded passwords\", \"API key exposure\", \"credential check\".\n---\n\n# Secrets Audit\n\nScan any project directory for exposed secrets, hardcoded credentials, and sensitive data leaks. 
Produces a severity-ranked report with remediation steps.\n\n## Quick Start\n\n```bash\n# Full project scan\npython3 scripts/scan_secrets.py /path/to/project\n\n# Scan with git history check\npython3 scripts/scan_secrets.py /path/to/project --git-history\n\n# Scan specific file types only\npython3 scripts/scan_secrets.py /path/to/project --extensions .py,.js,.ts,.env,.yml,.json\n\n# JSON output for CI integration\npython3 scripts/scan_secrets.py /path/to/project --format json\n```\n\n## What Gets Detected\n\n### High Severity\n- API keys (AWS, GCP, Azure, OpenAI, Stripe, etc.)\n- Database connection strings with credentials\n- Private keys (RSA, SSH, PGP)\n- OAuth tokens and refresh tokens\n- JWT secrets and signing keys\n- Password fields with literal values\n\n### Medium Severity\n- `.env` files with populated secrets\n- Config files with credentials (database.yml, settings.py, etc.)\n- Hardcoded URLs with embedded auth (user:pass@host)\n- Webhook URLs with tokens\n- Generic high-entropy strings in assignment context\n\n### Low Severity\n- TODO/FIXME comments mentioning secrets\n- Placeholder credentials (admin/admin, test/test)\n- Example API keys in documentation\n- Commented-out credentials\n\n### Ignored (False Positive Reduction)\n- Lock files (package-lock.json, yarn.lock, etc.)\n- Binary files\n- Minified JS/CSS\n- Test fixtures clearly marked as fake\n- node_modules, .git, vendor directories\n\n## Scan Output\n\nThe scanner produces a structured report:\n\n```\n=== Secrets Audit Report ===\nProject: /path/to/project\nScanned: 247 files | Skipped: 1,203 files\nTime: 2.3s\n\n--- HIGH SEVERITY (3 findings) ---\n\n[H1] AWS Access Key ID\n  File: src/config/aws.js:14\n  Match: AKIA...EXAMPLE\n  Context: const accessKey = \"AKIA...\"\n  Fix: Move to environment variable AWS_ACCESS_KEY_ID\n\n[H2] Database Password\n  File: config/database.yml:8\n  Match: password: \"pr0duction_p@ss\"\n  Fix: Use DATABASE_URL env var or secrets manager\n\n--- MEDIUM SEVERITY (5 
findings) ---\n...\n\n--- SUMMARY ---\nHigh: 3 | Medium: 5 | Low: 2 | Total: 10\nRecommendation: Rotate all HIGH severity credentials immediately\n```\n\n## Workflow\n\n### 1. Scan\n\nRun `scripts/scan_secrets.py` against the target directory. The script:\n- Recursively walks the directory tree\n- Skips binary files, lock files, and dependency directories\n- Applies 40+ regex patterns from `references/secret-patterns.md`\n- Calculates entropy for potential secrets\n- Deduplicates findings\n\n### 2. Review\n\nPresent findings grouped by severity. For each finding:\n- Show the file, line number, and surrounding context\n- Explain what type of secret was found\n- Assess whether it's a real secret or a false positive\n\n### 3. Remediate\n\nFor each confirmed finding, provide specific remediation:\n- Which environment variable to use\n- How to add to `.gitignore`\n- Whether the secret needs rotation (if committed to git)\n- Example code showing the fix\n\n### 4. Verify\n\nAfter remediation:\n- Re-run the scan to confirm fixes\n- Check git history if secrets were ever committed\n- Recommend adding pre-commit hooks to prevent future leaks\n\n## Git History Scanning\n\nWhen the `--git-history` flag is used, the script also checks:\n- Deleted files that contained secrets\n- Previous versions of files that had secrets removed\n- Commits with \"secret\", \"password\", \"key\" in messages\n\nImportant: if a secret was ever committed to git, it must be rotated even if later removed — it exists in git history.\n\n## CI Integration\n\nThe script returns exit codes for CI pipelines:\n- `0` — No findings\n- `1` — Low/medium findings only\n- `2` — High severity findings (should block deployment)\n\nJSON output (`--format json`) can be parsed by CI tools for automated reporting.\n\n## Pre-commit Hook Setup\n\nAfter an audit, recommend setting up a pre-commit hook. 
See `references/prevention-guide.md` for hook installation and configuration.\n","tags":{"latest":"1.0.1"},"stats":{"comments":0,"downloads":463,"installsAllTime":1,"installsCurrent":1,"stars":0,"versions":2},"createdAt":1775864677062,"updatedAt":1778492521505},"latestVersion":{"version":"1.0.1","createdAt":1777593772365,"changelog":"No changes detected in this version.\n\n- No file or documentation changes since the previous release.","license":"MIT-0"},"metadata":null,"owner":{"handle":"charlie-morrison","userId":"s17cttbdxry5kkyafjw983mq8s83p4y3","displayName":"charlie-morrison","image":"https://avatars.githubusercontent.com/u/271589886?v=4"},"moderation":null}