What does Secrets Scan look for?

It detects secrets and credentials using category patterns such as Passwords, API Keys, Tokens, AWS creds, DB URLs, and private keys.

How are findings prioritized?

Findings are merged and sorted by severity: CRITICAL, HIGH, MEDIUM, then LOW, so you can address the most sensitive issues first.

What happens if I run with --fix?

In fix mode, the tool enables interactive remediation guidance to remove secrets, rotate keys, or update configs before pushing changes.

brewcode:secrets-scan

Scanned

npx machina-cli add skill kochetkov-ma/claude-brewcode/secrets-scan --openclaw

Files (1)

SKILL.md

4.0 KB

Secrets Scan

Phase 1: Setup

EXECUTE using Bash tool:

git rev-parse --is-inside-work-tree 2>/dev/null || { echo "ERROR: Not git repo"; exit 1; }
REPO=$(git rev-parse --show-toplevel) && cd "$REPO"
TS=$(date +%Y%m%d-%H%M%S)
DIR="$REPO/.claude/reports/${TS}_secrets-scan" && mkdir -p "$DIR"
git ls-files > "$DIR/files.txt"
echo "DIR=$DIR|REPO=$REPO|TS=$TS|TOTAL=$(wc -l < "$DIR/files.txt" | tr -d ' ')"
cat "$DIR/files.txt"

STOP if ERROR — must run in git repository.

</phase> <phase name="2-parallel-scan">

Phase 2: Split & Launch 10 Agents

Parse file list → split into 10 chunks (ceil(total/10))
Send 10 Task calls in parallel (single message)

Config: Task(subagent_type="general-purpose", model="haiku", description="Agent N/10 scan")

<agent-prompt> Agent {N}/10 secrets scanner.

FILES: {FILES}

Read each file → detect secrets → return JSON.

PATTERNS:

Category	Match
Passwords	`password/passwd/secret/pwd` + `=` or `:`
API Keys	`api_key`, `access_key`, `apikey`, `api_secret`
Tokens	`token`, `bearer`, `auth_token`, `access_token`
AWS	`AKIA[0-9A-Z]{16}`, `aws_secret`, `aws_access_key`
DB URLs	`jdbc/mongodb/mysql/postgres` with credentials
Keys	`-----BEGIN.*PRIVATE KEY-----`, `client_secret`, `encryption_key`

CRITICALITY:

Level	Criteria
CRITICAL	Real credentials, private keys, DB connection strings
HIGH	Real API keys/tokens, AWS creds
MEDIUM	Suspicious hardcoded values
LOW	Placeholders: `changeme`, `YOUR_KEY`, `xxx`, `dummy`

SKIP: env refs (process.env.*, ${VAR}, os.getenv()), placeholders, docs/comments.

OUTPUT (JSON):

{"agent":{N},"scanned":["f1","f2"],"skipped":[{"path":"x","reason":"binary"}],"findings":[{"path":"f","line":1,"content":"pwd=x","desc":"Hardcoded pwd","crit":"HIGH"}]}

No findings: "findings":[] </agent-prompt>

</phase> <phase name="3-merge">

Phase 3: Merge Results

Collect 10 JSON responses
Parse each (handle errors gracefully)
Merge scanned[], skipped[], findings[]
Dedupe by path+line
Sort: CRITICAL → HIGH → MEDIUM → LOW

</phase> <phase name="4-report">

Phase 4: Generate Report

Write {DIR}/report.md:

<report-template> # Secrets Scan Report

Scan: {TS} | Repo: {REPO} | Files: {TOTAL} | Agents: 10

Summary

Metric	Count
Scanned	{N}
Skipped	{N}
CRITICAL	{N}
HIGH	{N}
MEDIUM	{N}
LOW	{N}

Findings

CRITICAL ({N})

#	File	Line	Content	Description
{ROWS}

HIGH / MEDIUM / LOW

(same table format)

Agent Stats

Agent	Assigned	Scanned	Findings
1-10	...	...	...
Total	{N}	{N}	{N}

File Inventory

Scanned ({N})

#	Path	Agent
{ALL}

Skipped ({N})

#	Path	Reason
{SKIP}

</report-template> </phase> <phase name="5-summary">

Phase 5: Display Summary

## Secrets Scan Complete

| Metric | Value |
|--------|-------|
| Files | {N} |
| CRITICAL | {N} |
| HIGH | {N} |
| MEDIUM | {N} |
| LOW | {N} |

Report: {DIR}/report.md

</phase> <phase name="6-fix">

Phase 6: Fix Mode

Trigger: --fix arg OR CRITICAL/HIGH findings exist → AskUserQuestion

Option	Action
Fix interactively	Review each: delete, move to env var, add to .gitignore, skip, mark false positive
Add to .gitignore	Append paths
Skip	Done

</phase>

Source

git clone https://github.com/kochetkov-ma/claude-brewcode/blob/main/brewcode/skills/secrets-scan/SKILL.mdView on GitHub

Overview

Secrets Scan inspects every git-tracked file in a repository to detect leaked credentials and sensitive data. It is designed for security audits and pre-release checks to prevent exposing keys, tokens, or private keys.

How This Skill Works

The tool must run inside a git repository. It lists all tracked files, then launches 10 parallel agents that scan contents against a set of secret patterns (passwords, API keys, tokens, AWS keys, DB URLs, and PEM keys). Results are returned as JSON, merged, deduplicated by path+line, and sorted from CRITICAL to LOW in a final report.

When to Use It

Before releasing code to ensure no secrets are exposed
During a security audit to uncover leaked credentials
When you suspect credentials were committed or added to the repo
To locate hardcoded API keys, tokens, or private keys
When validating code bases against compliance and best practices

Quick Start

Step 1: Run from the repo root to ensure you are inside a Git repository
Step 2: Run the scan with default options or add --fix for remediation
Step 3: Review the generated report (DIR/reports/…/report.md) and act on findings

Best Practices

Run in a clean git working tree and review the generated report
Validate findings before remediation to avoid false positives
Use the --fix mode for interactive remediation when needed
Deduplicate results by file path and line to prioritize fixes
Regularly re-scan after removing secrets and rotating credentials

Example Use Cases

AWS access keys found in a service configuration file and rotated
API keys exposed in source code triggering a security alert
Database URL with credentials spotted in a config file
PEM private key detected in repo and removed
Placeholders like YOUR_KEY flagged as low risk and reviewed

Frequently Asked Questions

Add this skill to your agents