commit e5f4b433ec58adef1465782f5fb4077e64c8a209
Author: Zhongwei Li
Date: Sun Nov 30 08:22:25 2025 +0800
Initial commit
diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json
new file mode 100644
index 0000000..8ba4c48
--- /dev/null
+++ b/.claude-plugin/plugin.json
@@ -0,0 +1,15 @@
+{
+ "name": "secret-scanner",
+ "description": "Scan codebase for exposed secrets, API keys, passwords, and sensitive credentials",
+ "version": "1.0.0",
+ "author": {
+ "name": "Jeremy Longshore",
+ "email": "[email protected]"
+ },
+ "skills": [
+ "./skills"
+ ],
+ "commands": [
+ "./commands"
+ ]
+}
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..347f798
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# secret-scanner
+
+Scan codebase for exposed secrets, API keys, passwords, and sensitive credentials
diff --git a/commands/scan-secrets.md b/commands/scan-secrets.md
new file mode 100644
index 0000000..e3d3b63
--- /dev/null
+++ b/commands/scan-secrets.md
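Review bot: The `author.email` value on the new side of `.claude-plugin/plugin.json` is the literal string `[email protected]`, which reads as a redaction placeholder rather than a contact address; if the file was really committed this way the field should carry a real address or be dropped, and if it is an artifact of how this page was rendered it can be ignored. The file also ends without a trailing newline (`\ No newline at end of file`), which is cheap to fix while the manifest is new. The `skills` entry points at `./skills` while the only skill in this commit lives at `skills/secret-scanner/`; whether the loader descends into subdirectories is not visible here, so confirm the path resolves.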
@@ -0,0 +1,64 @@
+---
+description: Scan for exposed secrets and credentials in codebase
+shortcut: secrets
+---
+
+# Secret Scanner
+
+Scan codebase for exposed secrets, API keys, passwords, tokens, and sensitive credentials that should not be committed to version control.
+
+## Detection Methods
+
+1. **Pattern Matching**
+ - API keys (AWS, Google, Azure, Stripe, etc.)
+ - Private keys (RSA, SSH, PGP)
+ - Database credentials
+ - OAuth tokens
+ - JWT tokens
+ - Passwords in configuration files
+
+2. **Entropy Analysis**
+ - High-entropy strings (base64, hex)
+ - Random-looking strings that may be secrets
+ - Cryptographic keys
+
+3. **Common Mistakes**
+ - Hardcoded credentials in source code
+ - Credentials in commit history
+ - Secrets in configuration files
+ - Environment variables committed to repo
+ - Backup files containing secrets
+
+4. **File Type Analysis**
+ - .env files
+ - Configuration files
+ - Shell scripts
+ - Docker files
+ - CI/CD configuration
+
+## Report Output
+
+Generate detailed secret exposure report with:
+- Location of each secret (file, line number)
+- Type of secret detected
+- Severity level (Critical, High, Medium)
+- Remediation steps
+- Git history scan results
+
+## Immediate Actions
+
+For exposed secrets:
+1. **Rotate immediately** - Revoke and regenerate
+2. **Remove from git history** - Use git-filter-branch or BFG
+3. **Update .gitignore** - Prevent future commits
+4. **Use secret management** - HashiCorp Vault, AWS Secrets Manager
+5. **Enable pre-commit hooks** - Prevent secret commits
+
+## Best Practices
+
+- Never commit secrets to version control
+- Use environment variables
+- Use secret management tools
+- Enable pre-commit secret scanning
+- Rotate secrets regularly
+- Audit git history periodically
diff --git a/plugin.lock.json b/plugin.lock.json
new file mode 100644
index 0000000..06f95bb
--- /dev/null
+++ b/plugin.lock.json
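Review bot: The `## Report Output` section asks for the location and type of each finding but never says the secret value itself must be masked, so a scan run as written can copy live credentials into a report, a chat transcript or a committed file and create a second exposure; add a bullet such as `- Secret value redacted (show at most a short prefix/suffix, never the full string)` to that list. Under `## Immediate Actions`, step 2 recommends `git-filter-branch`, which git itself now discourages in favour of `git filter-repo`; `git filter-repo or BFG` is the better suggestion. It is also worth stating there that rewriting history does not undo exposure, so step 1 (rotation) is mandatory regardless, and that a force-pushed rewrite has to be coordinated with every clone and fork, since the value may still exist in those.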
@@ -0,0 +1,61 @@
+{
+ "$schema": "internal://schemas/plugin.lock.v1.json",
+ "pluginId": "gh:jeremylongshore/claude-code-plugins-plus:plugins/security/secret-scanner",
+ "normalized": {
+ "repo": null,
+ "ref": "refs/tags/v20251128.0",
+ "commit": "4b880a5cd5caa6a571281cd90646cd5cca154eff",
+ "treeHash": "1d67562d991ebfab9319539a2a9b7a2670ef2ec631e77cae519067e020cbdb79",
+ "generatedAt": "2025-11-28T10:18:43.176183Z",
+ "toolVersion": "publish_plugins.py@0.2.0"
+ },
+ "origin": {
+ "remote": "git@github.com:zhongweili/42plugin-data.git",
+ "branch": "master",
+ "commit": "aa1497ed0949fd50e99e70d6324a29c5b34f9390",
+ "repoRoot": "/Users/zhongweili/projects/openmind/42plugin-data"
+ },
+ "manifest": {
+ "name": "secret-scanner",
+ "description": "Scan codebase for exposed secrets, API keys, passwords, and sensitive credentials",
+ "version": "1.0.0"
+ },
+ "content": {
+ "files": [
+ {
+ "path": "README.md",
+ "sha256": "3f4b3e617b8436f6e12bd1409e8bb1875e0bc1045ff4f39d31babe55feb74eab"
+ },
+ {
+ "path": ".claude-plugin/plugin.json",
+ "sha256": "e601b8a54ccca0bc9edf228534fa3201b96dada15789cd9a40acf959971aa55f"
+ },
+ {
+ "path": "commands/scan-secrets.md",
+ "sha256": "2084d9d6be2b7d9121f448e2eb384c319970ad077ad5b43ca31fae18604edfcb"
+ },
+ {
+ "path": "skills/secret-scanner/SKILL.md",
+ "sha256": "9e5cad75b738054d74be19b427b22d7bb5139b8bd68490d8783983f056395ff8"
+ },
+ {
+ "path": "skills/secret-scanner/references/README.md",
+ "sha256": "eddab9b50178a611954de926074089873f6c023a97f0f58cfacdc46eb827cff4"
+ },
+ {
+ "path": "skills/secret-scanner/scripts/README.md",
+ "sha256": "cfcac5bc5249a5a9720979a0798aa47b7c6107b3c52159b0f899c0d603de5c6c"
+ },
+ {
+ "path": "skills/secret-scanner/assets/README.md",
+ "sha256": "483a5ead80072cfb019736c6f61de7d6f6b3b6785a80d166dfc2c1c8e6ad9791"
+ }
+ ],
+ "dirSha256": "1d67562d991ebfab9319539a2a9b7a2670ef2ec631e77cae519067e020cbdb79"
+ },
+ "security": {
+ "scannedAt": null,
+ "scannerVersion": null,
+ "flags": []
+ }
+}
\ No newline at end of file
diff --git a/skills/secret-scanner/SKILL.md b/skills/secret-scanner/SKILL.md
new file mode 100644
index 0000000..444d79f
--- /dev/null
+++ b/skills/secret-scanner/SKILL.md
@@ -0,0 +1,55 @@
+---
+name: scanning-for-secrets
+description: |
+ This skill helps you scan your codebase for exposed secrets and credentials. It uses pattern matching and entropy analysis to identify potential security vulnerabilities such as API keys, passwords, and private keys. Use this skill when you want to proactively identify and remediate exposed secrets before they are committed to version control or deployed to production. It is triggered by phrases like "scan for secrets", "check for exposed credentials", "find API keys", or "run secret scanner".
+allowed-tools: Read, Write, Edit, Grep, Glob, Bash
+version: 1.0.0
+---
+
+## Overview
+
+This skill enables Claude to scan your codebase for exposed secrets, API keys, passwords, and other sensitive credentials. It helps you identify and remediate potential security vulnerabilities before they are committed or deployed.
+
+## How It Works
+
+1. **Initiate Scan**: Claude activates the `secret-scanner` plugin.
+2. **Codebase Analysis**: The plugin scans the codebase using pattern matching and entropy analysis.
+3. **Report Generation**: A detailed report is generated, highlighting identified secrets, their locations, and suggested remediation steps.
+
+## When to Use This Skill
+
+This skill activates when you need to:
+- Scan your codebase for exposed API keys (e.g., AWS, Google, Azure).
+- Check for hardcoded passwords in configuration files.
+- Identify potential private keys (SSH, PGP) accidentally committed to the repository.
+- Proactively find secrets before committing changes.
+
+## Examples
+
+### Example 1: Identifying Exposed AWS Keys
+
+User request: "Scan for AWS keys in the codebase"
+
+The skill will:
+1. Activate the `secret-scanner` plugin.
+2. Scan the codebase for patterns matching AWS Access Keys (AKIA[0-9A-Z]{16}).
+3. Generate a report listing any found keys, their file locations, and remediation steps (e.g., revoking the key).
+
+### Example 2: Checking for Hardcoded Passwords
+
+User request: "Check for exposed credentials in config files"
+
+The skill will:
+1. Activate the `secret-scanner` plugin.
+2. Scan configuration files (e.g., `database.yml`, `.env`) for password patterns.
+3. Generate a report detailing any found passwords and suggesting the use of environment variables.
+
+## Best Practices
+
+- **Regular Scanning**: Schedule regular scans to catch newly introduced secrets.
+- **Pre-Commit Hooks**: Integrate the `secret-scanner` into your pre-commit hooks to prevent committing secrets.
+- **Review Entropy Analysis**: Carefully review results from entropy analysis, as they may indicate potential secrets not caught by pattern matching.
+
+## Integration
+
+This skill can be integrated with other security tools, such as vulnerability scanners, to provide a comprehensive security assessment of your codebase. It can also be combined with notification plugins to alert you when new secrets are detected.
\ No newline at end of file
diff --git a/skills/secret-scanner/assets/README.md b/skills/secret-scanner/assets/README.md
new file mode 100644
index 0000000..fe9fae5
--- /dev/null
+++ b/skills/secret-scanner/assets/README.md
@@ -0,0 +1,7 @@
+# Assets
+
+Bundled resources for secret-scanner skill
+
+- [ ] report_template.html: HTML template for generating the secret scan report.
+- [ ] example_report.html: Example of a generated secret scan report.
+- [ ] ignore_patterns.txt: Default ignore patterns for files and directories to exclude from the scan.
diff --git a/skills/secret-scanner/references/README.md b/skills/secret-scanner/references/README.md
new file mode 100644
index 0000000..df70888
--- /dev/null
+++ b/skills/secret-scanner/references/README.md
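Review bot: `allowed-tools: Read, Write, Edit, Grep, Glob, Bash` in the SKILL.md frontmatter grants a detection-only skill write access to the working tree plus an unrestricted shell, which is more than scanning needs and means a mistaken or prompt-injected run can modify files it was only meant to read; trim it to `allowed-tools: Read, Grep, Glob` and add `Bash` only if git-history scanning is actually implemented. Example 1 step 3 says the report will list `any found keys`: state explicitly that values are masked in the report, since the report is itself a sink for the credential. The skill describes entropy analysis and a `secret-scanner` plugin doing the work, but the only implementation this commit ships is the unchecked checklists in `skills/secret-scanner/{scripts,references,assets}/README.md`, so in practice Claude will improvise the patterns; either ship the referenced `secret_patterns.md` and scripts or say in `## How It Works` that detection is Grep-based on patterns Claude supplies. Minor: the frontmatter `name: scanning-for-secrets` differs from the directory and plugin name `secret-scanner`, which may matter if the loader keys on the name.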
@@ -0,0 +1,8 @@
+# References
+
+Bundled resources for secret-scanner skill
+
+- [ ] secret_patterns.md: A comprehensive list of regular expressions for detecting various types of secrets (API keys, passwords, etc.).
+- [ ] entropy_analysis.md: Explanation of entropy analysis and its use in secret detection.
+- [ ] remediation_guide.md: A guide on how to remediate different types of exposed secrets.
+- [ ] supported_api_keys.md: List of supported API keys and their formats.
diff --git a/skills/secret-scanner/scripts/README.md b/skills/secret-scanner/scripts/README.md
new file mode 100644
index 0000000..6667efc
--- /dev/null
+++ b/skills/secret-scanner/scripts/README.md
@@ -0,0 +1,7 @@
+# Scripts
+
+Bundled resources for secret-scanner skill
+
+- [ ] scan_directory.py: Recursively scans a directory for secrets, allowing specification of file types to include/exclude.
+- [ ] validate_commit.sh: A pre-commit hook script that prevents commits containing secrets.
+- [ ] report_generator.py: Generates a detailed HTML report of the scan results.