ln-761-secret-scanner
Scannednpx machina-cli add skill levnikolaevich/claude-code-skills/ln-761-secret-scanner --openclawPaths: File paths (
shared/,references/,../ln-*) are relative to skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for repo root.
Secret Scanner
Scans codebase for hardcoded secrets and credentials, returning structured findings for remediation.
Purpose & Scope
- Detect hardcoded secrets using available tools (gitleaks, trufflehog) or manual patterns
- Classify findings by severity (Critical/High/Medium/Low)
- Filter false positives via baseline and allowlists
- Provide remediation guidance per finding type
- Return normalized report to parent orchestrator (ln-760)
When to Use
- During project bootstrap (via ln-760-security-setup)
- Pre-commit hook validation
- CI/CD security pipeline
- Manual security audit
Workflow
Phase 1: Tool Detection
Step 1: Check Available Scanners
- Check if gitleaks is installed (preferred)
- Check if trufflehog is installed (alternative)
- If neither available: use manual pattern matching as fallback
Step 2: Load Configuration
- Load project
.gitleaks.tomlif exists (custom rules) - Load
.gitleaksbaselineif exists (known false positives) - If no config: use default patterns from
references/detection_patterns.md
Phase 2: Scan Execution
Step 1: Run Available Scanner
- Execute scanner against project root
- Capture output in structured format (JSON/SARIF preferred)
- If tool unavailable: run manual grep patterns for high-confidence secrets
Step 2: Parse Results
- Normalize output to common format: file, line, pattern, raw_match
- Preserve original severity if provided by tool
Phase 3: Report Generation
Step 1: Severity Classification
- Map findings to severity levels per
references/detection_patterns.md - Critical: AWS keys, private keys, JWT secrets
- High: Generic passwords, connection strings
- Medium: API keys (may be test data)
- Low: Potential secrets requiring manual review
Step 2: False Positive Filtering
- Apply baseline exclusions
- Apply allowlist patterns (placeholders, test data, docs)
- Mark filtered items as "excluded" with reason
Step 3: Build Report
- Group findings by severity
- Include file path, line number, pattern matched
- Do NOT include actual secret values in report
Phase 4: Remediation Guidance
Step 1: Attach Remediation Actions
- For each finding, attach remediation steps from
references/remediation_guide.md - For Critical findings: emphasize immediate rotation requirement
Step 2: Return Results
- Return structured findings list to orchestrator
- Include summary: total scanned, total found, by severity
Critical Rules
- Never log actual secret values - redact in all outputs
- Treat any found secret as compromised - rotation required for Critical
- Preserve baseline - do not remove existing baseline entries
- Pre-commit priority - recommend pre-commit hook if not configured
- Git history awareness - warn if secret may exist in history (requires git-filter-repo)
Definition of Done
- Scan completed using available tool or manual patterns
- Findings classified by severity
- False positives filtered via baseline/allowlist
- Remediation guidance attached to each finding
- Report returned in normalized format (no raw secret values)
- Critical findings flagged with rotation requirement
Reference Files
| File | Purpose |
|---|---|
references/detection_patterns.md | Secret patterns by confidence level |
references/gitleaks_config_template.toml | Template for project gitleaks config |
references/remediation_guide.md | Rotation procedures by secret type |
Version: 2.0.0 Last Updated: 2026-01-10
Source
git clone https://github.com/levnikolaevich/claude-code-skills/blob/master/ln-761-secret-scanner/SKILL.mdView on GitHub Overview
Secret Scanner scans codebases for hardcoded secrets and credentials using gitleaks, trufflehog, or manual patterns. It returns a normalized, structured report with severity levels and remediation guidance, and supports pre-commit hook integration. Baselines and allowlists help filter false positives.
How This Skill Works
The workflow detects available scanners, loads project config (.gitleaks.toml, .gitleaksbaseline or defaults), runs scans, and normalizes results into a common format (file, line, pattern, raw_match). It classifies findings by severity (Critical/High/Medium/Low), attaches remediation guidance from the remediation guide, and redacts secret values before reporting.
When to Use It
- During project bootstrap (ln-760-security-setup)
- Pre-commit hook validation
- CI/CD security pipeline
- Manual security audit
- Code review during pull requests
Quick Start
- Step 1: Ensure scanners (gitleaks/trufflehog) are installed and config files exist (.gitleaks.toml, .gitleaksbaseline)
- Step 2: Run the scanner or enable the pre-commit hook to produce a normalized findings report
- Step 3: Review findings, apply remediation guidance, and rotate any Critical secrets
Best Practices
- Enable a project gitleaks/trufflehog config and use default patterns as a baseline
- Maintain a .gitleaksbaseline and allowlists to reduce noise
- Run the scanner as a pre-commit hook and in CI
- Review false positives and rotate any Critical findings
- Attach remediation steps to each finding and redact secret values in reports
Example Use Cases
- New project bootstrap runs Secret Scanner to catch any secrets before first commit
- Pre-commit hook flags a hardcoded AWS key in a config file and blocks the commit
- CI pipeline reports a database connection string containing credentials for remediation
- A known test secret is excluded via baseline to reduce false positives
- A found API key is escalated with documented remediation steps from the guide
