Detect exposed secrets, API keys, credentials, and tokens in code. Use before commits, on file saves, or when security is mentioned. Prevents accidental secret exposure. Triggers on file changes, git commits, security checks, .env file modifications.
npx skill4agent add ovachiever/droid-tings secret-scanner

// You type:
const apiKey = 'sk_live_1234567890abcdef';
// I immediately alert:
🚨 CRITICAL: Exposed Stripe API key detected!
📍 File: config.js, Line 3
🔧 Fix: Use environment variables
const apiKey = process.env.STRIPE_API_KEY;
📖 Add to .gitignore: .env

# You type:
aws_access_key = "AKIAIOSFODNN7EXAMPLE"
# I alert:
🚨 CRITICAL: AWS access key exposed!
📍 File: aws_config.py, Line 1
🔧 Fix: Use AWS credentials file or environment variables
aws_access_key = os.getenv("AWS_ACCESS_KEY_ID")
📖 Never commit AWS credentials

# You type in docker-compose.yml:
environment:
  DB_PASSWORD: "mySecretPassword123"
# I alert:
🚨 CRITICAL: Database password in configuration file!
📍 File: docker-compose.yml, Line 5
🔧 Fix: Use .env file
DB_PASSWORD: ${DB_PASSWORD}
📖 Add .env to .gitignore

# Before commit, I scan:
git add .
git commit
# I block if secrets found:
🚨 CRITICAL: Cannot commit - secrets detected!
📍 3 secrets found:
- config.js:12 - API key
- .env:5 - Database password (in gitignore - OK)
- auth.js:45 - JWT secret
❌ Commit blocked - remove secrets first

✅ .env - In .gitignore (good)
⚠️ config/secrets.json - NOT in .gitignore (add it!)
✅ .aws/credentials - In .gitignore (good)

// I understand these are examples:
// Example: const apiKey = 'your_api_key_here';
// TODO: Add your API key from environment

// Test fixtures are OK (but flagged for review):
const mockApiKey = 'sk_test_1234567890abcdef'; // ✅ Test key

<!-- Documentation examples are flagged but low priority -->
Set your API key: `export API_KEY=your_key_here`

secret-scanner: Finds hardcoded API key
security-auditor: Finds how the key is used insecurely
Combined: Complete security picture

// Before:
const apiKey = 'sk_live_abc123';
// After:
const apiKey = process.env.API_KEY;
// .env file (add to .gitignore):
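API_KEY=sk_live_abc123

// AWS Secrets Manager
const AWS = require('aws-sdk');
const secrets = new AWS.SecretsManager();
// await is only valid inside an async function in a CommonJS module
async function getApiKey() {
  const secret = await secrets.getSecretValue({ SecretId: 'myApiKey' }).promise();
  return secret.SecretString;
}

# docker-compose.yml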
services:
  app:
    environment:
      - API_KEY=${API_KEY} # From .env file
# .env (gitignored)
API_KEY=sk_live_abc123

cp -r ~/.claude/skills/security/secret-scanner \
  ~/.claude/skills/security/company-secret-scanner
# Edit SKILL.md to add:
# - Internal API key formats
# - Company-specific secret patterns
# - Custom detection rules

git filter-branch --force --index-filter \
  "git rm --cached --ignore-unmatch config/secrets.json" \
  --prune-empty --tag-name-filter cat -- --all
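
The detection behaviour shown earlier on this page (flagging live keys, passing over placeholders, marking test keys for review, and blocking a commit unless the file is gitignored) can be sketched as follows. This is an added example, not the skill's own code; the rule names, regexes, severities and the `scanText` and `checkCommit` helpers are assumptions made for illustration.

```javascript
// Added example: rules, regexes and severities are illustrative assumptions,
// not the skill's actual rule set. Rules are ordered most specific first.
const RULES = [
  { name: 'Stripe live secret key', severity: 'CRITICAL', re: /\bsk_live_[0-9A-Za-z]{10,}/ },
  { name: 'Stripe test key', severity: 'REVIEW', re: /\bsk_test_[0-9A-Za-z]{10,}/ },
  { name: 'AWS access key ID', severity: 'CRITICAL', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'Hardcoded credential', severity: 'CRITICAL',
    re: /(?:api[_-]?key|secret|passw(?:or)?d|token)\w*\s*[:=]\s*["']([^"']{8,})["']/i },
];
// Values that are documentation placeholders rather than real secrets.
const PLACEHOLDER = /^(?:your_\w+|changeme|x{6,}|<[^>]+>)$/i;

// Scan one file's text; returns at most one finding per line.
function scanText(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const rule of RULES) {
      const m = rule.re.exec(line);
      if (!m) continue;
      const value = m[1] ?? m[0]; // captured value if the rule has a group
      if (!PLACEHOLDER.test(value)) {
        findings.push({ file, line: i + 1, rule: rule.name, severity: rule.severity });
      }
      break; // the first (most specific) matching rule decides the line
    }
  });
  return findings;
}

// Pre-commit decision: block on CRITICAL findings unless the file is gitignored.
function checkCommit(files, gitignored = new Set()) {
  const findings = Object.entries(files).flatMap(([file, text]) =>
    scanText(file, text).map(f =>
      gitignored.has(file) ? { ...f, severity: 'OK (gitignored)' } : f));
  return { blocked: findings.some(f => f.severity === 'CRITICAL'), findings };
}

// Constructed sample input, reusing the fake keys shown on this page.
const SAMPLE = {
  'config.js': "// Example: const apiKey = 'your_api_key_here';\n" +
               "const port = 3000;\nconst apiKey = 'sk_live_1234567890abcdef';",
  'aws_config.py': 'aws_access_key = "AKIAIOSFODNN7EXAMPLE"',
  'fixtures.test.js': "const mockApiKey = 'sk_test_1234567890abcdef';",
  '.env': 'DB_PASSWORD="mySecretPassword123"',
  'docker-compose.yml': 'environment:\n  DB_PASSWORD: ${DB_PASSWORD}',
};
const result = checkCommit(SAMPLE, new Set(['.env']));
for (const f of result.findings) console.log(`${f.severity}: ${f.rule} at ${f.file}:${f.line}`);
console.log(result.blocked ? 'Commit blocked' : 'Commit allowed');
```

Matching the placeholder pattern against the captured value rather than the whole line keeps a real key from being suppressed just because the word "example" appears in a nearby comment.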