Back to Details

secret-leak-detector

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Secret Leak Detector

密钥泄露检测器

Purpose and Intent

用途与目标

The 
secret-leak-detector
is designed to safeguard repositories by identifying hardcoded sensitive information such as API keys, database credentials, and authentication tokens before they are committed or after they have been accidentally pushed to history.
secret-leak-detector
旨在通过识别硬编码的敏感信息(如API密钥、数据库凭证和身份验证令牌),在它们被提交或意外推送到历史记录之前保护仓库安全。

When to Use

适用场景

  • Pre-commit Checks: Run this skill before committing changes to ensure no secrets are being introduced.
  • CI/CD Pipelines: Integrate into automated pipelines to block builds that contain plain-text secrets.
  • Legacy Audits: Use with 
    scan_history: true
    to perform a deep audit of a project's entire history to find secrets that were deleted but still exist in git logs.
  • 提交前检查:在提交更改前运行该工具,确保没有引入密钥信息。
  • CI/CD流水线:集成到自动化流水线中,阻止包含明文密钥的构建。
  • 遗留系统审计:设置
    scan_history: true
    ,对项目的完整历史进行深度审计,查找已删除但仍存在于Git日志中的密钥。

When NOT to Use

不适用场景

  • Production Logs: This tool is for source code and config files; it is not optimized for scanning terabytes of runtime logs.
  • Binary Files: It will not effectively detect secrets inside compiled binaries or encrypted blobs.
  • 生产日志:该工具适用于源代码和配置文件;不适合扫描TB级别的运行时日志。
  • 二进制文件:无法有效检测编译后的二进制文件或加密Blob中的密钥。

Input and Output Examples

输入输出示例

Input

输入

yaml
directory_path: "./config"
scan_history: false
yaml
directory_path: "./config"
scan_history: false

Output

输出

json
{
  "leaks": [
    {
      "file": "config/production.yaml",
      "line": 45,
      "type": "Stripe Secret Key",
      "risk_level": "critical",
      "snippet": "sk_live_**********"
    }
  ]
}
json
{
  "leaks": [
    {
      "file": "config/production.yaml",
      "line": 45,
      "type": "Stripe Secret Key",
      "risk_level": "critical",
      "snippet": "sk_live_**********"
    }
  ]
}

Error Conditions and Edge Cases

错误情况与边缘案例

  • False Positives: High-entropy strings in test data or encrypted hashes may be flagged as secrets.
  • Git Repository Required: If 
    scan_history
    is true, the target directory must be a valid git repository.
  • Permission Denied: The skill will fail if it lacks read permissions for specific files or the 
    .git
    directory.
  • 误报:测试数据中的高熵字符串或加密哈希可能被标记为密钥。
  • 需要Git仓库:如果
    scan_history
    设为true,目标目录必须是有效的Git仓库。
  • 权限不足:如果该工具缺少对特定文件或
    .git
    目录的读取权限,将运行失败。

Security and Data-Handling Considerations

安全与数据处理注意事项

  • No Persistence: This skill does not store the secrets it finds.
  • Masking: Output snippets are masked to prevent the tool itself from becoming a source of leaks in logs or terminal history.
  • Local Execution: The skill runs locally and does not phone home or upload code to third-party services.
  • 无持久化存储:该工具不会存储它发现的密钥。
  • 掩码处理:输出片段会被掩码处理,防止工具自身成为日志或终端历史中的泄露源。
  • 本地执行:该工具在本地运行,不会向外部发送数据或上传代码到第三方服务。