check-secrets
Scan the codebase for potential secret leaks before commits.
Trigger Examples
- "Check for secrets"
- "Scan for leaks"
- "Security check"
- "Are there any hardcoded secrets?"
Execution Flow
1. Define Detection Patterns

High-risk patterns:
- API keys: `['\"]?[A-Z0-9_]{20,}['\"]?`
- Bearer tokens: `Bearer\s+[A-Za-z0-9\-._~+/]+=*`
- Private keys: `-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----`
- OAuth secrets: `client_secret['\"]?\s*[:=]\s*['\"]?[A-Za-z0-9\-_]{20,}`
- GCP service account keys: `"type":\s*"service_account"`
- AWS credentials: `AKIA[0-9A-Z]{16}`

The API-key pattern is deliberately broad: any run of 20 or more uppercase letters, digits and underscores matches, so long constant names such as `MAX_UPLOAD_SIZE_BYTES_DEFAULT` will surface. Treat its hits as candidates for the Warning category in step 4, not as confirmed keys. The private-key pattern also matches the bare PKCS#8 header `-----BEGIN PRIVATE KEY-----`, since the algorithm prefix is optional.

Project-specific patterns:
- Hardcoded project IDs: `koborin-ai` (outside of variable assignments or docs)
- Email addresses: `@koborin\.ai`

Safe patterns (excluded):
- Environment variable references: `process.env.`, `${TF_VAR_`
- Placeholder values: `<PROJECT_ID>`, `YOUR_API_KEY`, `dummy`, `example`
- Test fixtures: files under `__tests__/`, `*.test.ts`, `*.spec.ts`
2. Scan the Codebase

Use `git ls-files` to get tracked files, dropping binary assets and build output:

```bash
git ls-files | grep -v -E '\.(png|jpg|jpeg|gif|svg|woff|woff2|ttf|eot|ico|pdf)$' | \
  grep -v -E '^(node_modules|\.next|dist|build|coverage)/'
```

Note that `git ls-files` only lists files already tracked by git. A newly created file that is about to be added in the same commit is not in that list, so for a strict pre-commit check also include the staged paths from `git diff --cached --name-only`.

3. Filter False Positives
Remove known safe occurrences:
- Lines containing `process.env.` or `TF_VAR_`
- Template files (`.env.example`, `.env.template`)
- Lines with placeholder patterns (`<...>`, `YOUR_...`, `REPLACE_ME`)
4. Categorize Findings
Critical (immediate action required):
- Private keys, service account JSON
- Hardcoded passwords or tokens
- Real API keys with valid format
Warning (review recommended):
- Suspicious long strings that might be keys
- Hardcoded project IDs outside infrastructure code
Info (low risk):
- Company name in unexpected places
- Domain references in application code
5. Display Results

```
CRITICAL: Potential private key detected
File: infra/shared/main.tf
Line: 42
Match: -----BEGIN PRIVATE KEY-----

WARNING: Hardcoded project ID
File: app/src/lib/api-client.ts
Line: 15
Match: const PROJECT = "koborin-ai"

Summary:
- Critical: 1 finding(s)
- Warning: 1 finding(s)

Review these findings before committing.
```

Project-Specific Rules
For `koborin-ai`:
- Allow `koborin-ai` in `infra/` and `README.md`
- Flag it in `app/src/` unless it comes from an environment variable
- Allow email addresses in documentation
- Flag GCP project IDs when hardcoded outside Pulumi config
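The whole flow (steps 1 to 5 of the Execution Flow together with the path-based rules above) as one runnable scanner. This is an added example, not code from the check-secrets skill or the koborin-ai project. The finding labels, the single `SAFE_LINE` regex that merges the safe patterns, the decision to treat any `.md` file as documentation, and all sample files (including the made-up `AKIA...` value) are this example's own assumptions.

```python
"""check-secrets flow as a small scanner: patterns, safe-pattern filtering,
path-based project rules, categorisation and report output. Added example;
every file below is constructed inline and is not real project content."""
import re
from dataclasses import dataclass
from fnmatch import fnmatch

# Step 1: patterns, ordered most to least severe so a line matching several
# (an AWS key is also a "long uppercase string") is reported once, at top severity.
PATTERNS = [
    ("Potential private key detected", "CRITICAL",
     re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("GCP service account key", "CRITICAL", re.compile(r'"type":\s*"service_account"')),
    ("AWS access key ID", "CRITICAL", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("OAuth client secret", "CRITICAL",
     re.compile(r"client_secret['\"]?\s*[:=]\s*['\"]?[A-Za-z0-9\-_]{20,}")),
    ("Bearer token", "CRITICAL", re.compile(r"Bearer\s+[A-Za-z0-9\-._~+/]+=*")),
    ("Suspicious long string", "WARNING", re.compile(r"['\"]?[A-Z0-9_]{20,}['\"]?")),
    ("Hardcoded project ID", "WARNING", re.compile(r"koborin-ai")),
    ("Domain reference", "INFO", re.compile(r"@koborin\.ai")),
]
SEVERITY_ORDER = {"CRITICAL": 0, "WARNING": 1, "INFO": 2}

# Steps 2/3: exclusions. SAFE_LINE merges the skill's safe patterns into one regex
# (assumed here); the <...> placeholder needs 3+ chars so TS generics like <T> still scan.
SAFE_LINE = re.compile(r"process\.env\.|TF_VAR_|<[A-Z_]{3,}>|YOUR_[A-Z_]+|REPLACE_ME|dummy|example")
SKIP_GLOBS = ["*__tests__/*", "*.test.ts", "*.spec.ts", "*.env.example", "*.env.template"]
BINARY_EXT = re.compile(r"\.(png|jpg|jpeg|gif|svg|woff|woff2|ttf|eot|ico|pdf)$")
IGNORED_DIRS = re.compile(r"^(node_modules|\.next|dist|build|coverage)/")


@dataclass
class Finding:
    severity: str
    label: str
    path: str
    line: int
    match: str


def path_excluded(path: str) -> bool:
    """Same filters as the git ls-files | grep -v pipeline, plus fixtures and templates."""
    return bool(BINARY_EXT.search(path) or IGNORED_DIRS.match(path)
                or any(fnmatch(path, g) for g in SKIP_GLOBS))


def allowed_by_project_rules(path: str, label: str) -> bool:
    """Project allowlist: IDs in infra/ or docs, emails in docs (any .md counts as docs)."""
    if label == "Hardcoded project ID":
        return path.startswith("infra/") or path.endswith(".md")
    if label == "Domain reference":
        return path.endswith(".md")
    return False


def scan_file(path: str, text: str) -> list[Finding]:
    if path_excluded(path):
        return []
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if SAFE_LINE.search(line):  # step 3: drop env refs and placeholders
            continue
        for label, severity, rx in PATTERNS:
            m = rx.search(line)
            if m and not allowed_by_project_rules(path, label):
                findings.append(Finding(severity, label, path, lineno, m.group(0)))
                break  # one finding per line; highest severity wins
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Step 4: scan every file and order findings Critical > Warning > Info."""
    findings = [f for path in sorted(files) for f in scan_file(path, files[path])]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.path, f.line))


def format_report(findings: list[Finding]) -> str:
    """Step 5: the report layout used by the skill."""
    out = []
    for f in findings:
        out += [f"{f.severity}: {f.label}", f"File: {f.path}",
                f"Line: {f.line}", f"Match: {f.match}", ""]
    out.append("Summary:")
    for sev in SEVERITY_ORDER:
        n = sum(1 for f in findings if f.severity == sev)
        if n:
            out.append(f"- {sev.title()}: {n} finding(s)")
    out.append("Review these findings before committing." if findings else "No findings.")
    return "\n".join(out)


# Constructed sample repository (no real files or credentials; the AKIA value is
# a made-up string with the AWS access-key-ID shape).
SAMPLE_FILES = {
    "infra/shared/main.tf": 'project = "koborin-ai"\n'                  # allowed in infra/
                            'private_key = "-----BEGIN PRIVATE KEY-----"\n',  # CRITICAL
    "app/src/lib/api-client.ts": (
        'const PROJECT = "koborin-ai";\n'                                 # WARNING
        'const BUCKET = process.env.BUCKET ?? "koborin-ai-assets";\n'     # safe: env ref
        'export const MAX_UPLOAD_SIZE_BYTES_DEFAULT = 1024;\n'            # WARNING: regex noise
        'const SUPPORT = "ops@koborin.ai";\n'                             # INFO
    ),
    "app/src/__tests__/api-client.test.ts": 'const key = "AKIAQ2K7V3N8P5R1M9ZX";\n',  # fixture
    ".env.example": "AWS_ACCESS_KEY_ID=YOUR_API_KEY\n",                   # template
    "scripts/deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAQ2K7V3N8P5R1M9ZX\n",  # CRITICAL
    "README.md": "Contact ops@koborin.ai about the koborin-ai project.\n",  # docs: allowed
    "docs/logo.png": "binary",                                            # skipped by extension
}

if __name__ == "__main__":
    print(format_report(scan_repo(SAMPLE_FILES)))
```

Running the block prints two Critical findings (the key header in `main.tf` and the access key in `deploy.sh`), two Warnings from `api-client.ts` (the hardcoded project ID and the long constant name, which illustrates the noise of the API-key pattern) and one Info for the `@koborin.ai` address in application code; the fixture, template, README and image produce nothing.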
Notes
- This is static analysis only; it cannot detect secrets that are loaded at runtime
- Always review findings manually
- Run before every commit
- Never commit real secrets even if undetected