gh-dhofheinz-open-plugins-p…/commands/security-scan/scan-secrets.md
2025-11-29 18:20:28 +08:00

Operation: Scan for Exposed Secrets

Detect exposed secrets, API keys, tokens, passwords, and private keys using 50+ pattern signatures.

Parameters from $ARGUMENTS

  • path: Target directory or file to scan (required)
  • recursive: Scan subdirectories (true|false, default: true)
  • patterns: Specific pattern categories to check (optional, default: all)
  • exclude: Patterns to exclude from scan (optional)
  • severity: Minimum severity to report (critical|high|medium|low, default: medium)

Secret Detection Patterns (50+)

API Keys & Tokens:

  • Stripe: sk_live_, sk_test_, pk_live_, pk_test_
  • OpenAI: sk-[a-zA-Z0-9]{32,}
  • AWS: AKIA[0-9A-Z]{16}
  • Google: AIza[0-9A-Za-z_-]{35}
  • GitHub: ghp_, gho_, ghs_, ghu_
  • Slack: xox[baprs]-[0-9a-zA-Z]{10,}
  • Twitter: [0-9a-zA-Z]{35,44}
  • Facebook: EAA[0-9A-Za-z]{90,}

Private Keys:

  • RSA: BEGIN RSA PRIVATE KEY
  • Generic: BEGIN PRIVATE KEY
  • SSH: BEGIN OPENSSH PRIVATE KEY
  • PGP: BEGIN PGP PRIVATE KEY
  • DSA: BEGIN DSA PRIVATE KEY
  • EC: BEGIN EC PRIVATE KEY

Credentials:

  • Passwords: password\s*[=:]\s*['"][^'"]+['"]
  • API keys: api[_-]?key\s*[=:]\s*['"][^'"]+['"]
  • Secrets: secret\s*[=:]\s*['"][^'"]+['"]
  • Tokens: token\s*[=:]\s*['"][^'"]+['"]
  • Auth: authorization\s*[=:]\s*['"]Bearer [^'"]+['"]

Cloud Provider Credentials:

  • AWS Access Key: aws_access_key_id
  • AWS Secret: aws_secret_access_key
  • Azure: [0-9a-zA-Z/+]{88}==
  • GCP Service Account: type.*service_account

Workflow

  1. Parse arguments

    Extract path, recursive, patterns, exclude, severity
    Validate path exists
    Determine scan scope (file vs directory)
    
  2. Execute secret scanner

    Execute .scripts/secret-scanner.sh "$path" "$recursive" "$patterns" "$exclude" "$severity"
    
    Returns:
    - 0: No secrets found
    - 1: Secrets detected
    - 2: Scan error
    
  3. Process results

    Parse scanner output
    Categorize by severity:
      - CRITICAL: Private keys, production API keys
      - HIGH: API keys, tokens with broad scope
      - MEDIUM: Passwords, secrets in config
      - LOW: Test keys, development credentials
    
    Generate remediation guidance per finding
    
  4. Format output

    Secrets Scan Results
    ━━━━━━━━━━━━━━━━━━━━
    Path: <path>
    Files Scanned: <count>
    
    CRITICAL Issues (<count>):
    ❌ <file>:<line>: <type> detected
       Pattern: <pattern_name>
       Remediation: Remove and rotate immediately
    
    HIGH Issues (<count>):
    ⚠️  <file>:<line>: <type> detected
    
    Summary:
    - Total secrets: <count>
    - Unique patterns: <count>
    - Action required: <yes|no>
    

Examples

# Scan current directory recursively
/security-scan secrets path:.

# Scan specific file only
/security-scan secrets path:./config/settings.json recursive:false

# Check only API key patterns
/security-scan secrets path:. patterns:"api-keys,tokens"

# Exclude test directories
/security-scan secrets path:. exclude:"test,mock,fixtures"

# Only critical severity
/security-scan secrets path:. severity:critical

Error Handling

Path not found:

ERROR: Path does not exist: <path>
Remediation: Verify path and try again

No patterns matched:

INFO: No secrets detected
All files clean

Scanner unavailable:

ERROR: Secret scanner script not found
Remediation: Verify plugin installation

Severity Levels

CRITICAL (Immediate action required):

  • Private keys (RSA, SSH, PGP)
  • Production API keys (live_, prod_)
  • AWS credentials
  • Database connection strings with passwords

HIGH (Action required):

  • API keys (generic)
  • OAuth tokens
  • Bearer tokens
  • Authentication credentials

MEDIUM (Should address):

  • Passwords in config files
  • Secret variables
  • Session tokens
  • Development credentials in non-test contexts

LOW (Review recommended):

  • Test API keys
  • Mock credentials
  • Example configurations

Remediation Guidance

For exposed secrets:

  1. Remove from code immediately
  2. Rotate/regenerate the credential
  3. Use environment variables instead
  4. Add to .gitignore if file-based
  5. Review git history for exposure
  6. Consider using secret management (AWS Secrets Manager, HashiCorp Vault)

Prevention:

  • Use .env files (never commit)
  • Use environment variables
  • Implement pre-commit hooks
  • Use secret scanning in CI/CD
  • Educate team on security practices

Output Format

{
  "scan_type": "secrets",
  "path": "<path>",
  "files_scanned": <count>,
  "secrets_found": <count>,
  "severity_breakdown": {
    "critical": <count>,
    "high": <count>,
    "medium": <count>,
    "low": <count>
  },
  "findings": [
    {
      "file": "<file_path>",
      "line": <line_number>,
      "type": "<secret_type>",
      "severity": "<severity>",
      "pattern": "<pattern_name>",
      "remediation": "<action>"
    }
  ],
  "action_required": <boolean>
}
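The Python below is an added example, not the plugin's own .scripts/secret-scanner.sh: it applies a subset of the signature table above with the severity tiers from workflow step 3 and emits the JSON shape just shown. The pattern names, remediation strings, the rule for action_required, and the sample file contents are all assumptions constructed for the example.

```python
import json
import re

# Subset of the page's signatures, each tagged with the page's severity tier (names are illustrative).
PATTERNS = [
    ("private_key", r"BEGIN (?:RSA |OPENSSH |EC |DSA |PGP )?PRIVATE KEY", "critical"),
    ("aws_access_key", r"AKIA[0-9A-Z]{16}", "critical"),
    ("github_token", r"gh[posu]_[0-9a-zA-Z]{20,}", "high"),
    ("api_key_assignment", r"(?i)api[_-]?key\s*[=:]\s*['\"][^'\"]+['\"]", "high"),
    ("password_assignment", r"(?i)password\s*[=:]\s*['\"][^'\"]+['\"]", "medium"),
    ("stripe_test_key", r"sk_test_[0-9a-zA-Z]+", "low"),
]
COMPILED = [(name, re.compile(rx), sev) for name, rx, sev in PATTERNS]
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
REMEDIATION = {"critical": "Remove and rotate immediately", "high": "Remove from code and rotate",
               "medium": "Move to an environment variable and rotate", "low": "Confirm it is a test value"}

def scan_text(path, text, min_severity="medium"):
    """Return one finding per (line, pattern) hit whose severity meets min_severity."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, regex, severity in COMPILED:
            if RANK[severity] <= RANK[min_severity] and regex.search(line):
                findings.append({"file": path, "line": lineno, "type": name,
                                 "severity": severity, "pattern": name,
                                 "remediation": REMEDIATION[severity]})
    return findings

def build_report(path, files, min_severity="medium"):
    """Assemble the page's JSON shape; `files` maps relative path -> contents (the real command walks disk)."""
    findings = [f for rel, text in files.items() for f in scan_text(rel, text, min_severity)]
    breakdown = {sev: sum(1 for f in findings if f["severity"] == sev) for sev in RANK}
    return {"scan_type": "secrets", "path": path, "files_scanned": len(files),
            "secrets_found": len(findings), "severity_breakdown": breakdown, "findings": findings,
            # assumption: action is required whenever a CRITICAL or HIGH finding exists
            "action_required": breakdown["critical"] + breakdown["high"] > 0}

# Constructed sample inputs; every value is a placeholder, not a real credential.
SAMPLE_FILES = {
    "config/app.py": 'API_KEY = "EXAMPLE-not-a-real-key"\npassword = "constructed-sample"\n',
    "deploy/server.key": "-----BEGIN RSA PRIVATE KEY-----\nconstructed-body\n-----END RSA PRIVATE KEY-----\n",
    "ci/.env": "AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000\nGITHUB_TOKEN=ghp_EXAMPLE00000000000000000000\nSTRIPE=sk_test_EXAMPLE0000\n",
    # A JSON key has a quote between the name and the colon, so the page's
    # `password\s*[=:]` form does not match it: a clean result is not proof of absence.
    "config/settings.json": '{"password": "quoted-json-key-is-missed"}\n',
}

if __name__ == "__main__":
    print(json.dumps(build_report(".", SAMPLE_FILES), indent=2))
```

Note that the broadest signatures in the table above, such as the 35-44 character Twitter class, also match ordinary 40-character hex digests, so findings from those patterns need manual review before anything is rotated.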

Request: $ARGUMENTS