n
Credential Scanner
Verified@nirwandogra
npx machina-cli add skill @nirwandogra/credential-scanner --openclawFiles (1)
SKILL.md
5.8 KB
Secret Scanner
Security skill that scans code, config files, and repos for accidentally leaked secrets and credentials.
When to Use This Skill
Use this skill when the user:
- Asks to "check for leaked secrets" or "scan for API keys"
- Wants to audit a repo or folder before committing or publishing
- Says "are there any hardcoded passwords in this code?"
- Asks to "find credentials" or "check for exposed tokens"
- Wants pre-commit or pre-publish security checks
- Mentions concern about accidentally checking in secrets
Capabilities
- Detect 40+ secret patterns including:
- AWS Access Keys, Secret Keys, Session Tokens
- Azure Storage Keys, Connection Strings, SAS Tokens
- GCP Service Account Keys, API Keys
- GitHub / GitLab / Bitbucket Personal Access Tokens
- OpenAI, Anthropic, Hugging Face API Keys
- Slack Bot Tokens, Webhooks
- Stripe, Twilio, SendGrid Keys
- Database connection strings (MongoDB, PostgreSQL, MySQL, Redis)
- SSH Private Keys, PEM/PFX Certificates
- JWT Tokens, Bearer Tokens
- Generic passwords in config files (password=, secret=, token=)
- Scan individual files, directories, or entire repos recursively
- Ignore binary files, node_modules, .git, and other non-relevant paths
- Output results as Markdown report or JSON
- Provide severity ratings (Critical, High, Medium, Low)
- Suggest remediation for each finding
How to Scan
Scan a directory
python secret_scanner.py /path/to/project
Scan with JSON output
python secret_scanner.py /path/to/project --json
Scan and save report
python secret_scanner.py /path/to/project --output report.md
Within an Agent
"Scan this project for leaked secrets"
"Check if there are any API keys in the codebase"
"Run secret-scanner on the current directory"
"Find hardcoded passwords in my config files"
"Audit this repo before I push to GitHub"
Secret Patterns Detected
Cloud Provider Keys
| Provider | Secrets Detected |
|---|---|
| AWS | Access Key ID (AKIA...), Secret Access Key, Session Token |
| Azure | Storage Account Key, Connection String, SAS Token, Client Secret |
| GCP | API Key (AIza...), Service Account JSON, OAuth Client Secret |
AI / LLM Keys
| Service | Pattern |
|---|---|
| OpenAI | sk- prefixed API keys |
| Anthropic | sk-ant- prefixed keys |
| Hugging Face | hf_ prefixed tokens |
| Cohere | API keys in config |
Developer Platforms
| Platform | Secrets Detected |
|---|---|
| GitHub | ghp_, gho_, ghu_, ghs_, ghr_ tokens |
| GitLab | glpat- tokens |
| Slack | xoxb-, xoxp-, xoxs- tokens, webhook URLs |
| Stripe | sk_live_, sk_test_, rk_live_ keys |
| Twilio | Account SID, Auth Token |
| SendGrid | SG. prefixed API keys |
Databases & Infrastructure
| Type | Pattern |
|---|---|
| MongoDB | mongodb:// or mongodb+srv:// with credentials |
| PostgreSQL | postgresql:// with embedded password |
| MySQL | mysql:// with embedded password |
| Redis | redis:// with password |
| SSH | -----BEGIN (RSA|EC|OPENSSH) PRIVATE KEY----- |
| Certificates | PEM, PFX, P12 with embedded keys |
Generic Patterns
| Pattern | Description |
|---|---|
| password= | Hardcoded passwords in config/env files |
| secret= | Hardcoded secrets |
| token= | Hardcoded tokens |
| Bearer | Bearer tokens in code |
| Basic Auth | Base64-encoded basic auth headers |
| JWT | eyJ prefixed JWT tokens |
| High Entropy | Long random strings that look like secrets |
Severity Levels
| Severity | Description | Examples |
|---|---|---|
| π΄ Critical | Active production credentials | AWS Secret Key, Private Keys, DB passwords |
| π High | Service tokens with broad access | GitHub PAT, Slack Bot Token, Stripe Live Key |
| π‘ Medium | Keys that may be test/dev | Test API keys, example tokens |
| π’ Low | Potential false positives | Generic password= in comments, placeholder values |
Files Scanned
Scans these file types by default:
- Source code:
.py,.js,.ts,.java,.go,.rb,.php,.cs,.rs - Config:
.json,.yaml,.yml,.toml,.ini,.cfg,.conf - Environment:
.env,.env.local,.env.production - Shell:
.sh,.bash,.zsh,.ps1 - Docs:
.md,.txt - Other:
Dockerfile,docker-compose.yml,Makefile
Ignored Paths
Automatically skips:
node_modules/,vendor/,venv/,.venv/.git/,.svn/__pycache__/,.pytest_cache/- Binary files, images, compiled outputs
package-lock.json,yarn.lock
Remediation Guidance
When secrets are found, the skill recommends:
- Rotate the secret immediately β assume it's compromised
- Remove from code β use environment variables or a secrets manager instead
- Add to .gitignore β prevent
.envand credential files from being committed - Use git-filter-repo β to remove secrets from git history
- Enable pre-commit hooks β to catch secrets before they're committed
Requirements
- Python 3.7+
- No additional dependencies (uses Python standard library)
Entry Point
- CLI:
secret_scanner.py
Tags
#security #secrets #credentials #api-keys #tokens #passwords #scanner #audit #pre-commit #leak-detection #cloud #aws #azure #gcp #devops
Overview
Secret Scanner analyzes code, config files, and repos to detect leaked credentials such as API keys, tokens, passwords, and private keys. It detects 40+ secret patterns across major cloud providers and services, helping teams prevent exposure and security incidents. It can output findings as Markdown reports or JSON and provides remediation guidance for each finding.
How This Skill Works
Secret Scanner traverses the target path recursively (files, directories, or repos), ignoring binaries, node_modules, .git, and other non-relevant paths. It uses regex-based detection to identify 40+ secret patternsβfrom cloud keys to API tokens and database connection stringsβand assigns severity to each finding. Results can be emitted as Markdown or JSON, and remediation suggestions accompany each finding.
When to Use It
- Ask to check for leaked secrets or scan for API keys.
- Audit a repo or folder before committing or publishing.
- Ask if there are hardcoded passwords in the code.
- Need to check for exposed tokens or credentials.
- Require pre-commit or pre-publish security checks.
Quick Start
- Step 1: python secret_scanner.py /path/to/project
- Step 2: python secret_scanner.py /path/to/project --json
- Step 3: Review findings and rotate any exposed credentials; optionally save a report with --output report.md
Best Practices
- Run the scanner before commits or releases to catch secrets early.
- Exclude binaries and non-relevant paths (e.g., node_modules, .git) to reduce noise.
- Use JSON output in CI to integrate with pipelines and alert on severe findings.
- Rotate or revoke any detected credentials and audit the history of the project.
- Integrate with pre-commit hooks or CI workflows and remediate findings per result.
Example Use Cases
- Discovering an AWS Access Key ID and Secret Key accidentally committed in a Git repository.
- Scanning a monorepo to locate OpenAI API keys in configuration files.
- Finding Slack bot tokens and webhooks in a legacy project before publishing.
- Detecting database connection strings with embedded passwords in config files.
- Running a pre-publish scan to surface GitHub tokens in a pull request.
Frequently Asked Questions
Add this skill to your agents
