secret-scanner


Secret Scanner Skill

Detect accidentally committed secrets, credentials, and sensitive information in code.

Instructions

You are a secret detection expert. When invoked:
  1. Scan for Secrets:
    • API keys and tokens
    • Passwords and credentials
    • Private keys and certificates
    • Database connection strings
    • OAuth tokens and secrets
    • Cloud provider credentials (AWS, GCP, Azure)
    • Encryption keys
  2. Pattern Detection:
    • Regex-based secret detection
    • Entropy analysis for high-randomness strings
    • Known secret patterns (AWS keys, GitHub tokens, etc.)
    • Custom secret patterns
    • File type analysis (.env, config files)
    • Comment analysis (TODO: remove this key)
  3. Contextual Analysis:
    • Distinguish real secrets from examples/test data
    • Check if secrets are in version control history
    • Identify false positives
    • Determine secret exposure scope
    • Check if secrets are still active
  4. Risk Assessment:
    • Classify severity (Critical, High, Medium, Low)
    • Determine potential impact
    • Check if secret has been exposed publicly
    • Assess exploitability
    • Identify affected systems
  5. Generate Report: Create comprehensive secret exposure report with remediation steps

Secret Types and Patterns

Cloud Provider Credentials

AWS

```regex
# AWS Access Key ID
AKIA[0-9A-Z]{16}

# AWS Secret Access Key
[0-9a-zA-Z/+=]{40}

# AWS Session Token
[A-Za-z0-9/+=]{200,}
```

Google Cloud

```regex
# GCP API Key
AIza[0-9A-Za-z_-]{35}

# GCP Service Account
"type": "service_account"
```

Azure

```regex
# Azure Storage Key
[a-zA-Z0-9+/]{88}==

# Azure Client Secret
[0-9a-zA-Z_~-]{34,}
```

Version Control Tokens

GitHub

```regex
# GitHub Personal Access Token
ghp_[0-9a-zA-Z]{36}

# GitHub OAuth Token
gho_[0-9a-zA-Z]{36}

# GitHub App Token
(ghu|ghs)_[0-9a-zA-Z]{36}
```

GitLab

```regex
glpat-[0-9a-zA-Z_-]{20}
```

Database Credentials

```regex
# MongoDB Connection String
mongodb(\+srv)?://[^\s]+

# PostgreSQL Connection String
postgres(ql)?://[^\s]+

# MySQL Connection String
mysql://[^\s]+

# Generic DB Password
(password|pwd|pass)\s*[:=]\s*['"][^'"]+['"]
```

API Keys and Tokens

```regex
# Generic API Key
api[_-]?key\s*[:=]\s*['"][^'"]+['"]

# Stripe
sk_live_[0-9a-zA-Z]{24,}

# Slack
xox[baprs]-[0-9a-zA-Z-]{10,}

# Twilio
SK[0-9a-fA-F]{32}

# SendGrid
SG\.[0-9A-Za-z-]{22}\.[0-9A-Za-z-]{43}
```

Private Keys

```regex
-----BEGIN (RSA|DSA|EC|OPENSSH|PGP) PRIVATE KEY-----
```

JWT Tokens

```regex
eyJ[A-Za-z0-9_=-]+\.eyJ[A-Za-z0-9_=-]+\.?[A-Za-z0-9_.+/=-]*
```
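As an added example (not part of the skill itself), the following Python puts the pattern tables above and steps 2 to 4 of the Instructions to work: it runs a subset of these regexes over a constructed set of files, scores each match with Shannon entropy, marks placeholder and test-fixture matches the way the contextual-analysis step describes, and rolls the results up into the severity counts the report format uses. Function names, the sample files and the severity mapping are assumptions; no real credentials appear.

```python
"""Minimal secret scanner: regexes from the tables above, Shannon-entropy scoring
and the contextual checks from the Instructions (placeholder and test-data
detection) feeding a severity. Added example; sample files are constructed."""
import math
import re
from dataclasses import dataclass

# (regex from the pattern tables above, severity assigned when the match is live)
PATTERNS = {
    "AWS Access Key ID": (re.compile(r"AKIA[0-9A-Z]{16}"), "Critical"),
    "Stripe Live Secret Key": (re.compile(r"sk_live_[0-9a-zA-Z]{24,}"), "Critical"),
    "GitHub Personal Access Token": (re.compile(r"ghp_[0-9a-zA-Z]{36}"), "High"),
    "PostgreSQL Connection String": (re.compile(r"postgres(ql)?://[^\s]+"), "Critical"),
    "Private Key": (re.compile(r"-----BEGIN (RSA|DSA|EC|OPENSSH|PGP) PRIVATE KEY-----"), "Critical"),
    "Generic API Key": (re.compile(r"api[_-]?key\s*[:=]\s*['\"][^'\"]+['\"]", re.I), "Medium"),
    "Generic DB Password": (re.compile(r"(password|pwd|pass)\s*[:=]\s*['\"][^'\"]+['\"]", re.I), "Medium"),
}
# Substrings that mark example/placeholder text; AWS's documented sample key ends in EXAMPLE.
PLACEHOLDER_MARKERS = ("EXAMPLE", "your-", "your_", "changeme", "placeholder", "<", "xxxx")
TEST_DIRS = {"test", "tests", "spec", "fixtures", "__tests__"}
QUOTED = re.compile(r"['\"]([^'\"]+)['\"]")

@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    context: str    # "live", "test-data" or "placeholder"
    entropy: float
    redacted: str

    @property
    def effective_severity(self) -> str:
        if self.context == "placeholder":
            return "False Positive"
        if self.context == "test-data":
            return "Low"  # still reported, but a human must confirm it is not a live key
        return PATTERNS[self.kind][1]

def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score ~4.5+, English words under 3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))

def secret_value(match_text: str) -> str:
    """For key=value style matches, score and redact only the quoted value."""
    m = QUOTED.search(match_text)
    return m.group(1) if m else match_text

def redact(value: str) -> str:
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"

def classify_context(path: str, value: str) -> str:
    p = path.lower()
    if p.endswith(".example") or any(mk in value for mk in PLACEHOLDER_MARKERS):
        return "placeholder"
    if TEST_DIRS & set(p.split("/")):
        return "test-data"
    return "live"

def scan_text(path: str, text: str) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, (rx, _severity) in PATTERNS.items():
            for m in rx.finditer(line):
                value = secret_value(m.group(0))
                findings.append(Finding(path, line_no, kind, classify_context(path, value),
                                        round(shannon_entropy(value), 2), redact(value)))
    return findings

def scan_files(files: dict) -> list:
    return [f for path, text in files.items() for f in scan_text(path, text)]

def summarize(findings: list) -> dict:
    counts = {"Critical": 0, "High": 0, "Medium": 0, "Low": 0, "False Positive": 0}
    for f in findings:
        counts[f.effective_severity] += 1
    return counts

# Constructed sample repository; every value is made up for this example.
SAMPLE_FILES = {
    "src/config/aws.js": "const AWS_ACCESS_KEY_ID = 'AKIAQ7Z2M4X8P1L5N9RT';\n",
    "config/database.yml": "production:\n  url: postgresql://admin:SuperSecret123!@prod-db.example.com:5432/appdb\n",
    "deploy/keys/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n",
    "tests/fixtures/payments.js": "const stripe = require('stripe')('sk_live_Ab12Cd34Ef56Gh78Ij90Kl12');\n",
    ".env": "DB_PASSWORD='devpassword123'\n",
    ".env.example": "DATABASE_URL=postgresql://user:password@localhost:5432/dbname\n",
    "README.md": 'Example: api_key="your-api-key-here"\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f.effective_severity, f.kind, f"{f.path}:{f.line_no}", f.entropy, f.redacted)
```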

Usage Examples

```
@secret-scanner
@secret-scanner --severity high
@secret-scanner --git-history
@secret-scanner src/
@secret-scanner --include-env-files
@secret-scanner --entropy-check
@secret-scanner --report
```

Scanning Commands

Using git-secrets

```bash
# Install git-secrets
brew install git-secrets  # macOS
# or

# Initialize
git secrets --install
git secrets --register-aws

# Scan repository
git secrets --scan
git secrets --scan-history

# Add custom patterns
git secrets --add 'api[_-]?key\s*[:=]\s*['"'"'][^'"'"']+['"'"']'
git secrets --add 'password\s*[:=]\s*['"'"'][^'"'"']+['"'"']'
```

Using truffleHog

```bash
# Install
pip install truffleHog

# Scan repository
trufflehog git file://. --json

# Scan remote repository

# Scan with high entropy only
trufflehog git file://. --entropy-only

# Scan specific branch
trufflehog git file://. --branch main
```

Using gitleaks

```bash
# Install
brew install gitleaks  # macOS

# Scan repository
gitleaks detect --source . --verbose

# Scan with report
gitleaks detect --source . --report-format json --report-path report.json

# Scan uncommitted files
gitleaks protect --staged

# Scan git history
gitleaks detect --source . --log-opts "--all"
```

Using detect-secrets

```bash
# Install
pip install detect-secrets

# Create baseline
detect-secrets scan > .secrets.baseline

# Audit baseline
detect-secrets audit .secrets.baseline

# Scan for new secrets
detect-secrets scan --baseline .secrets.baseline
```

Using custom grep patterns

```bash
# Scan for AWS keys (-E enables the {16} quantifier)
grep -rE "AKIA[0-9A-Z]{16}" .

# Scan for private keys
grep -r "BEGIN.*PRIVATE KEY" .

# Scan for passwords
grep -riE "password\s*=\s*['\"]" . --include="*.js" --include="*.py"

# High entropy strings
grep -rE "[a-zA-Z0-9]{32,}" .
```

Secret Scanner Report Format

Secret Scanner Report

Repository: my-application
Scan Date: 2024-01-15 14:30:00 UTC
Branch: main
Commits Scanned: 1,234
Files Scanned: 456

Executive Summary

🔴 CRITICAL SECURITY ISSUE DETECTED
Total Secrets Found: 12
  • Critical: 4
  • High: 3
  • Medium: 3
  • Low: 2
Immediate Actions Required: 4 secrets need rotation NOW

Critical Secrets (4)

🔴 AWS Access Key Exposed

Severity: Critical
File: src/config/aws.js
Line: 12
Commit: a3f5c2b (2024-01-10)
Age: 5 days
Secret Found:
```javascript
const AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE';
const AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY';
```
Pattern Match: AWS Access Key ID pattern
Entropy Score: 4.2 (High)
Risk Assessment:
  • Impact: CRITICAL - Full AWS account access
  • Scope: All AWS resources in the account
  • Exploitability: HIGH - Key is in public repository
  • Data at Risk: Production databases, S3 buckets, EC2 instances
Exposure:
  • ✅ Committed to repository: Yes
  • ✅ Pushed to remote: Yes
  • ✅ In public repository: Yes
  • ⚠️ Visible in GitHub: Since 2024-01-10
  • ⚠️ Present in 5 commits
Immediate Actions:
  1. ✅ ROTATE CREDENTIALS IMMEDIATELY
  2. ✅ Revoke exposed keys in AWS Console
  3. ✅ Check AWS CloudTrail for unauthorized access
  4. ✅ Review all AWS resources for tampering
  5. ✅ Enable AWS GuardDuty alerts
  6. ✅ Implement MFA on root account
Remediation:
```bash
# 1. Revoke key immediately via AWS Console or CLI
aws iam delete-access-key --access-key-id AKIAIOSFODNN7EXAMPLE

# 2. Create new key
aws iam create-access-key --user-name production-user

# 3. Update environment variables (DO NOT COMMIT)
export AWS_ACCESS_KEY_ID="new-key-id"
export AWS_SECRET_ACCESS_KEY="new-secret-key"

# 4. Remove from git history
git filter-branch --force --index-filter \
  "git rm --cached --ignore-unmatch src/config/aws.js" \
  --prune-empty --tag-name-filter cat -- --all

# Or use BFG Repo Cleaner
bfg --replace-text passwords.txt
```
Prevention:
```javascript
// NEVER do this:
const AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE';

// ALWAYS do this:
const AWS_ACCESS_KEY_ID = process.env.AWS_ACCESS_KEY_ID;
```
Add to .gitignore:
```gitignore
.env
.env.local
.env.production
credentials.json
aws-config.json
```
Git History Cleanup Required: YES
Priority: P0 - Fix immediately

🔴 Database Password in Connection String

Severity: Critical
File: config/database.yml
Line: 8
Commit: f9e2a1d (2024-01-05)
Secret Found:
```yaml
production:
  url: postgresql://admin:SuperSecret123!@prod-db.example.com:5432/appdb
```
Pattern Match: PostgreSQL connection string with password
Entropy Score: 3.8 (High)
Risk Assessment:
  • Impact: CRITICAL - Production database access
  • Scope: All production data
  • Exploitability: HIGH
  • Data at Risk: User data, financial records, PII
Immediate Actions:
  1. ✅ Change database password immediately
  2. ✅ Review database access logs for unauthorized queries
  3. ✅ Check for data exfiltration
  4. ✅ Update application configuration
  5. ✅ Implement database firewall rules
Remediation:
```yaml
# Use environment variables
production:
  url: <%= ENV['DATABASE_URL'] %>

# Or use secrets manager
production:
  url: <%= SecretsManager.get('database_url') %>
```
Priority: P0 - Fix immediately

---

🔴 Private SSH Key Committed

Severity: Critical
File: deploy/keys/id_rsa
Line: 1-27
Commit: b4c7e3a (2023-12-20)
Secret Found:
```
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA1234567890...
[REDACTED]
-----END RSA PRIVATE KEY-----
```
Pattern Match: RSA Private Key
Age: 26 days
Risk Assessment:
  • Impact: CRITICAL - Server access
  • Scope: All servers using this key
  • Exploitability: HIGH
Immediate Actions:
  1. ✅ Revoke key from all servers immediately
  2. ✅ Generate new SSH key pair
  3. ✅ Update authorized_keys on all servers
  4. ✅ Check server logs for unauthorized access
  5. ✅ Rotate any secrets on accessed servers
Remediation:
```bash
# 1. Remove key from servers
ssh user@server "sed -i '/ssh-rsa AAAA.../d' ~/.ssh/authorized_keys"

# 2. Generate new key (DO NOT COMMIT)
ssh-keygen -t ed25519 -C "deployment@example.com"

# 3. Add to .gitignore
*.pem
*.key
id_rsa
id_rsa.pub
*.ppk
```
Priority: P0 - Fix immediately

---

🔴 Stripe Secret Key

Severity: Critical
File: src/payments/stripe.js
Line: 5
Commit: d8f1a2c (2024-01-12)
Secret Found:
```javascript
const stripe = require('stripe')('sk_live_51Abc123XYZ...');
```
Pattern Match: Stripe Live Secret Key
Entropy Score: 4.1 (High)
Risk Assessment:
  • Impact: CRITICAL - Payment processing access
  • Scope: All customer payments, refunds, financial data
  • Exploitability: HIGH
  • Financial Risk: Unlimited charges, refunds, data theft
Immediate Actions:
  1. ✅ Revoke API key in Stripe Dashboard immediately
  2. ✅ Generate new secret key
  3. ✅ Review recent charges and transactions
  4. ✅ Check for unauthorized refunds or transfers
  5. ✅ Enable Stripe fraud detection
  6. ✅ Notify security team
Remediation:
```javascript
// NEVER do this:
const stripe = require('stripe')('sk_live_51Abc123XYZ...');

// ALWAYS do this:
const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY);
```
Priority: P0 - Fix immediately

High Severity Secrets (3)

🟠 GitHub Personal Access Token

Severity: High
File: .github/workflows/deploy.yml
Line: 23
Commit: e3b9c4f (2024-01-14)
Secret Found:
```yaml
env:
  GITHUB_TOKEN: ghp_1234567890abcdefghijklmnopqrstuvwx
```
Pattern Match: GitHub Personal Access Token
Scope: Repository access, potentially org-wide
Immediate Actions:
  1. Revoke token in GitHub settings
  2. Generate new token with minimal scopes
  3. Use GitHub Actions secrets instead
Remediation:
```yaml
# Use built-in GITHUB_TOKEN (automatically available)
env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

# Or store in repository secrets
env:
  CUSTOM_TOKEN: ${{ secrets.CUSTOM_GITHUB_TOKEN }}
```
Priority: P1 - Fix within 24 hours

---

🟠 SendGrid API Key

Severity: High
File: src/email/sender.js
Line: 8
Secret Found:
```javascript
const apiKey = 'SG.1234567890abcdefgh.ijklmnopqrstuvwxyz1234567890abcdefgh';
```
Risk: Unauthorized email sending, quota exhaustion
Action: Rotate key, use environment variable
Priority: P1 - Fix within 24 hours

🟠 JWT Secret Key

Severity: High
File: src/auth/config.js
Line: 15
Secret Found:
```javascript
const JWT_SECRET = 'my-super-secret-jwt-key-123';
```
Risk: Token forgery, authentication bypass
Action: Generate strong secret, store securely
Remediation:
```javascript
// Generate a strong secret once (e.g. in a setup script) and store the
// output in the environment, never in source
const crypto = require('crypto');
const secret = crypto.randomBytes(64).toString('hex');

// Use environment variable
const JWT_SECRET = process.env.JWT_SECRET;

// Validation
if (!JWT_SECRET || JWT_SECRET.length < 32) {
  throw new Error('JWT_SECRET must be at least 32 characters');
}
```
Priority: P1 - Fix within 24 hours

Medium Severity Secrets (3)

🟡 Hardcoded API Endpoint with Key

Severity: Medium
File: src/api/client.js
Line: 12
Secret Found:
```javascript
const API_URL = 'https://api.example.com?key=abc123def456';
```
Risk: API quota abuse, service disruption
Action: Move to environment variable
Priority: P2 - Fix within 7 days

Low Severity Secrets (2)

🟢 Development Database Password

Severity: Low
File: docker-compose.yml
Line: 18
Secret Found:
```yaml
POSTGRES_PASSWORD: devpassword123
```
Risk: Low (development only)
Note: Still use environment variables for consistency
Priority: P3 - Fix in next sprint

False Positives (5)

Example API Key in Documentation

File: README.md
Line: 45
```markdown
Example: api_key="your-api-key-here"
```
Reason: Example/placeholder text
Action: None (consider adding a comment to prevent future flags)

Git History Analysis

Total Commits Analyzed: 1,234
Commits with Secrets: 8
Branches Affected: main, develop, feature/payment
Historical Secret Exposure:
Commit: a3f5c2b - AWS keys (2024-01-10)
Commit: f9e2a1d - DB password (2024-01-05)
Commit: b4c7e3a - SSH key (2023-12-20)
Commit: d8f1a2c - Stripe key (2024-01-12)
Recommendation: Rewrite git history to remove secrets
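To illustrate the "Check if secrets are in version control history" step and the "Present in N commits" line of the report, here is an added Python example (not the skill's own code) that walks a constructed `git log -p --all` excerpt and attributes each matched value to the commits that added or removed it. The commit ids, paths and key values in the sample are made up, and git itself is not required to run it.

```python
"""Attribute leaked values to the commits that added or removed them by
parsing `git log -p --all` output. Added example with a constructed log;
git prints newest commits first, which summarize_history relies on."""
import re
from dataclasses import dataclass, field

# A small subset of the pattern table above is enough to show the technique.
PATTERNS = {
    "AWS Access Key ID": re.compile(r"AKIA[0-9A-Z]{16}"),
    "Stripe Live Secret Key": re.compile(r"sk_live_[0-9a-zA-Z]{24,}"),
}

@dataclass
class HistoryHit:
    commit: str
    path: str
    kind: str
    secret: str
    action: str  # "added" (a + line) or "removed" (a - line)

@dataclass
class Exposure:
    kind: str
    secret: str
    introduced_in: str
    commits: list = field(default_factory=list)
    removed_later: bool = False

def parse_git_log(log_text: str) -> list:
    """Only diff body lines are matched; headers supply commit id and path."""
    hits, commit, path = [], "", ""
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit, path = line.split()[1], ""
        elif line.startswith("+++ b/"):
            path = line[6:]
        elif line.startswith(("+++ ", "--- ")):
            continue  # file headers, including /dev/null for new or deleted files
        elif line and line[0] in "+-" and path:
            action = "added" if line[0] == "+" else "removed"
            for kind, rx in PATTERNS.items():
                for m in rx.finditer(line[1:]):
                    hits.append(HistoryHit(commit, path, kind, m.group(0), action))
    return hits

def summarize_history(hits: list) -> dict:
    """Group hits per secret value. The log is newest-first, so the last
    'added' hit seen for a value is the commit that introduced it."""
    exposures = {}
    for h in hits:
        e = exposures.setdefault(h.secret, Exposure(h.kind, h.secret, h.commit))
        if h.action == "added":
            e.introduced_in = h.commit
        else:
            e.removed_later = True
        if h.commit not in e.commits:
            e.commits.append(h.commit)
    return exposures

def verdict(e: Exposure) -> str:
    """Deleting the line in a later commit does not purge it: the value stays
    reachable in history, so rotation plus a history rewrite is still needed."""
    state = ("deleted in a later commit but still in history"
             if e.removed_later else "still present in the tree")
    return (f"{e.kind}: introduced in {e.introduced_in}, present in "
            f"{len(e.commits)} commit(s), {state}; rotate and rewrite history")

# Constructed `git log -p --all` excerpt (newest first); nothing here is real.
SAMPLE_LOG = """\
commit 9f9f9f9
Date:   Sun Jan 14 09:00:00 2024 +0000

--- a/src/config/aws.js
+++ b/src/config/aws.js
@@ -1 +1 @@
-const AWS_ACCESS_KEY_ID = 'AKIAQ7Z2M4X8P1L5N9RT';
+const AWS_ACCESS_KEY_ID = process.env.AWS_ACCESS_KEY_ID;
commit d8f1a2c
Date:   Fri Jan 12 09:00:00 2024 +0000

--- /dev/null
+++ b/src/payments/stripe.js
@@ -0,0 +1 @@
+const stripe = require('stripe')('sk_live_Ab12Cd34Ef56Gh78Ij90Kl12');
commit a3f5c2b
Date:   Wed Jan 10 09:00:00 2024 +0000

--- /dev/null
+++ b/src/config/aws.js
@@ -0,0 +1 @@
+const AWS_ACCESS_KEY_ID = 'AKIAQ7Z2M4X8P1L5N9RT';
"""

if __name__ == "__main__":
    for e in summarize_history(parse_git_log(SAMPLE_LOG)).values():
        print(verdict(e))
```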

Files Requiring Cleanup

Immediate Removal Required

  • src/config/aws.js (AWS credentials)
  • config/database.yml (DB password)
  • deploy/keys/id_rsa (Private key)
  • src/payments/stripe.js (Stripe key)

Should Be Gitignored

  • .env*
  • *.pem
  • *.key
  • credentials.json
  • secrets.yml
  • config/production/*

Remediation Checklist

Immediate (Critical - 0-24 hours)

  • Rotate all exposed AWS credentials
  • Change database passwords
  • Revoke and regenerate SSH keys
  • Rotate Stripe API keys
  • Review CloudTrail/access logs for unauthorized activity
  • Check for data breaches

Short-term (High - 24-48 hours)

  • Rotate GitHub tokens
  • Regenerate SendGrid API keys
  • Generate new JWT secret
  • Remove secrets from git history
  • Force push cleaned repository

Medium-term (7 days)

  • Implement secrets management solution
  • Set up pre-commit hooks
  • Add .gitignore rules
  • Train team on secret handling
  • Document secrets policy

Long-term (Ongoing)

  • Regular secret scanning (automated)
  • Quarterly security audits
  • Secret rotation policy (90 days)
  • Monitor for exposed secrets

Git History Cleanup

Using BFG Repo Cleaner (Recommended)

```bash
# 1. Clone fresh copy

# 2. Create file with secrets to remove
cat > secrets.txt << EOF
AKIAIOSFODNN7EXAMPLE
SuperSecret123!
sk_live_51Abc123XYZ
ghp_1234567890abcdefghijklmnopqrstuvwx
EOF

# 3. Run BFG
bfg --replace-text secrets.txt repo.git

# 4. Clean up
cd repo.git
git reflog expire --expire=now --all
git gc --prune=now --aggressive

# 5. Force push
git push --force
```

Using git-filter-repo

```bash
# Install
pip install git-filter-repo

# Remove specific files
git filter-repo --path src/config/aws.js --invert-paths

# Remove secrets by pattern
git filter-repo --replace-text secrets.txt
```

Warn the Team

⚠️  IMPORTANT: After history rewrite
1. All team members must delete local clones
2. Clone repository fresh
3. DO NOT merge old branches
4. Update all CI/CD pipelines

Prevention Strategy

1. Pre-commit Hooks

```bash
#!/bin/sh
# .husky/pre-commit
gitleaks protect --staged --verbose --redact
```

2. Update .gitignore

```gitignore
# Secrets
.env
.env.*
!.env.example
*.pem
*.key
*.ppk
*_rsa
*_dsa
credentials.json
secrets.yml
secrets.yaml
config/credentials/
aws-config.json

# OS Files
.DS_Store
Thumbs.db
```

3. Environment Template

```bash
# .env.example (commit this)
DATABASE_URL=postgresql://user:password@localhost:5432/dbname
AWS_ACCESS_KEY_ID=your_access_key_here
AWS_SECRET_ACCESS_KEY=your_secret_key_here
STRIPE_SECRET_KEY=sk_test_your_key_here

# .env (DO NOT COMMIT - add to .gitignore)
DATABASE_URL=postgresql://admin:RealPassword@prod.db.com:5432/prod
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
```

4. Code Review Checklist

  • No hardcoded credentials
  • All secrets in environment variables
  • .env files not committed
  • Secret scanner run and passed
  • No TODO comments about removing secrets

5. Secrets Management Solutions

HashiCorp Vault
```javascript
const vault = require('node-vault');
const client = vault({ endpoint: process.env.VAULT_ADDR });

async function getSecret(path) {
  const result = await client.read(path);
  return result.data;
}

// Call from async code: top-level await is not available in CommonJS modules
(async () => {
  const dbPassword = await getSecret('secret/database/password');
})();
```
AWS Secrets Manager
```javascript
const AWS = require('aws-sdk');
const secretsManager = new AWS.SecretsManager();

async function getSecret(secretName) {
  const data = await secretsManager.getSecretValue({
    SecretId: secretName
  }).promise();
  return JSON.parse(data.SecretString);
}
```
Doppler
```bash
# Install Doppler CLI
doppler setup

# Run app with secrets
doppler run -- node app.js
```

---

CI/CD Integration

GitHub Actions

```yaml
name: Secret Scanning
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: TruffleHog
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: main
```

Best Practices

Secret Handling

  • ✅ Never commit secrets to version control
  • ✅ Use environment variables
  • ✅ Use secrets management systems
  • ✅ Rotate secrets regularly (90 days)
  • ✅ Use different secrets for dev/staging/prod
  • ✅ Implement principle of least privilege
  • ✅ Audit secret access
  • ✅ Encrypt secrets at rest

Development Workflow

  • ✅ Use .env.example templates
  • ✅ Document required environment variables
  • ✅ Validate environment on startup
  • ✅ Never log secrets
  • ✅ Redact secrets in error messages
  • ✅ Use short-lived tokens when possible

Code Review

  • ✅ Run secret scanner before committing
  • ✅ Review all config files carefully
  • ✅ Check for TODO comments about secrets
  • ✅ Verify .gitignore is comprehensive
  • ✅ Double-check before public repository

Incident Response Plan

If secrets are exposed:

1. Immediate Actions (0-1 hour)

  • Stop the breach (revoke credentials)
  • Assess scope (what was exposed, for how long)
  • Check for unauthorized access
  • Notify security team

2. Short-term Actions (1-24 hours)

  • Rotate all affected credentials
  • Review logs for abuse
  • Remove secrets from git history
  • Force push cleaned repository
  • Notify affected parties if data breach

3. Long-term Actions (1-7 days)

  • Post-mortem analysis
  • Update security procedures
  • Implement additional controls
  • Train team on lessons learned
  • Monitor for long-term impact

Summary

Secrets Found: 12
Critical: 4 (require immediate rotation)
High: 3 (rotate within 24h)
Medium: 3 (fix within 7 days)
Low: 2 (fix next sprint)
Estimated Remediation Time: 4-6 hours
Git History Cleanup: Required
Team Training: Recommended
Overall Risk: 🔴 CRITICAL - Immediate action required

Notes

  • Scan repository before every public release
  • Implement automated scanning in CI/CD
  • Regular secret rotation is critical
  • Train developers on secure secret handling
  • Use secrets management tools for production
  • Never commit .env files
  • Review git history for secrets before open-sourcing
  • Establish incident response plan for exposed secrets
  • Monitor for secrets in issues, pull requests, and discussions
  • Remember: Once committed, assume secret is compromised