Secret Leak Detector

Purpose and Intent

secret-leak-detector

When to Use

• Pre-commit Checks: Run this skill before committing changes to ensure no secrets are being introduced.
• CI/CD Pipelines: Integrate into automated pipelines to block builds that contain plain-text secrets.
• Legacy Audits: Use with

  scan_history: true

  to perform a deep audit of a project's entire history to find secrets that were deleted but still exist in git logs.

When NOT to Use

• Production Logs: This tool is for source code and config files; it is not optimized for scanning terabytes of runtime logs.
• Binary Files: It will not effectively detect secrets inside compiled binaries or encrypted blobs.

Input and Output Examples

Input

directory_path: "./config"
scan_history: false

Output

{
  "leaks": [
    {
      "file": "config/production.yaml",
      "line": 45,
      "type": "Stripe Secret Key",
      "risk_level": "critical",
      "snippet": "sk_live_**********"
    }
  ]
}

Error Conditions and Edge Cases

• False Positives: High-entropy strings in test data or encrypted hashes may be flagged as secrets.
• Git Repository Required: If

  scan_history

  is true, the target directory must be a valid git repository.
• Permission Denied: The skill will fail if it lacks read permissions for specific files or the

  .git

  directory.

Security and Data-Handling Considerations

• No Persistence: This skill does not store the secrets it finds.
• Masking: Output snippets are masked to prevent the tool itself from becoming a source of leaks in logs or terminal history.
• Local Execution: The skill runs locally and does not phone home or upload code to third-party services.