Initial commit

commands/scan-secrets.md

@@ -0,0 +1,64 @@
+---
+description: Scan for exposed secrets and credentials in codebase
+shortcut: secrets
+---
+
+# Secret Scanner
+
+Scan codebase for exposed secrets, API keys, passwords, tokens, and sensitive credentials that should not be committed to version control.
+
+## Detection Methods
+
+1. **Pattern Matching**
+   - API keys (AWS, Google, Azure, Stripe, etc.)
+   - Private keys (RSA, SSH, PGP)
+   - Database credentials
+   - OAuth tokens
+   - JWT tokens
+   - Passwords in configuration files
+
+2. **Entropy Analysis**
+   - High-entropy strings (base64, hex)
+   - Random-looking strings that may be secrets
+   - Cryptographic keys
+
+3. **Common Mistakes**
+   - Hardcoded credentials in source code
+   - Credentials in commit history
+   - Secrets in configuration files
+   - Environment variables committed to repo
+   - Backup files containing secrets
+
+4. **File Type Analysis**
+   - .env files
+   - Configuration files
+   - Shell scripts
+   - Docker files
+   - CI/CD configuration
+
+## Report Output
+
+Generate detailed secret exposure report with:
+- Location of each secret (file, line number)
+- Type of secret detected
+- Severity level (Critical, High, Medium)
+- Remediation steps
+- Git history scan results
+
+## Immediate Actions
+
+For exposed secrets:
+1. **Rotate immediately** - Revoke and regenerate
+2. **Remove from git history** - Use git-filter-branch or BFG
+3. **Update .gitignore** - Prevent future commits
+4. **Use secret management** - HashiCorp Vault, AWS Secrets Manager
+5. **Enable pre-commit hooks** - Prevent secret commits
+
+## Best Practices
+
+- Never commit secrets to version control
+- Use environment variables
+- Use secret management tools
+- Enable pre-commit secret scanning
+- Rotate secrets regularly
+- Audit git history periodically