2025-11-30 08:22:25 +08:00

description: Scan for exposed secrets and credentials in codebase
shortcut: secrets

Secret Scanner

Scan codebase for exposed secrets, API keys, passwords, tokens, and sensitive credentials that should not be committed to version control.

Detection Methods

  1. Pattern Matching

    • API keys (AWS, Google, Azure, Stripe, etc.)
    • Private keys (RSA, SSH, PGP)
    • Database credentials
    • OAuth tokens
    • JWT tokens
    • Passwords in configuration files
  2. Entropy Analysis

    • High-entropy strings (base64, hex)
    • Random-looking strings that may be secrets
    • Cryptographic keys
  3. Common Mistakes

    • Hardcoded credentials in source code
    • Credentials in commit history
    • Secrets in configuration files
    • Environment variables committed to repo
    • Backup files containing secrets
  4. File Type Analysis

    • .env files
    • Configuration files
    • Shell scripts
    • Docker files
    • CI/CD configuration

Report Output

Generate a detailed secret-exposure report with:

  • Location of each secret (file, line number)
  • Type of secret detected
  • Severity level (Critical, High, Medium)
  • Remediation steps
  • Git history scan results
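The detection methods and report fields above, as an added example that is not part of the original page: a small scanner combining pattern matching, Shannon-entropy analysis and file-type weighting, emitting file, line, type, severity and remediation per finding. The sample repository contents are constructed (the AWS key is the public documentation example value); the regexes for AWS keys and private-key headers follow public formats, the others are illustrative heuristics and the entropy threshold is an assumed tuning value.

```python
"""Added example: minimal secret scanner (pattern matching + entropy
analysis + file-type weighting) producing per-finding report fields.
Not the page's own code; sample inputs below are constructed."""
import math
import re
from dataclasses import dataclass
from typing import Dict, List

SEVERITY_ORDER = ["Medium", "High", "Critical"]

# Pattern rules: name -> (regex, base severity). AWS key and private-key
# formats are public conventions; the rest are illustrative heuristics.
PATTERNS = {
    "AWS Access Key ID": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "Critical"),
    "Private Key": (re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----"), "Critical"),
    "JWT": (re.compile(
        r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"), "High"),
    "Database URL with password": (re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb)(?:\+\w+)?://[^:\s/]+:[^@\s]+@"), "Critical"),
    "Hardcoded password": (re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]?[^\s'\"]{6,}"), "High"),
}

# File types that usually hold live configuration rather than test
# fixtures (.env, shell scripts, Docker/CI config): a hit there is
# raised one severity level.
SENSITIVE_SUFFIXES = (".env", ".sh", ".yml", ".yaml", ".ini", ".cfg", "Dockerfile")

# Entropy analysis: tokens of 20+ base64/hex-like characters whose
# Shannon entropy exceeds the (assumed) threshold in bits per character.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.0

REMEDIATION = ("Rotate the credential now, remove it from the working tree and "
               "git history, add the file to .gitignore, and load the value "
               "from a secret manager or environment variable instead.")


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    severity: str
    remediation: str = REMEDIATION


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def bump_severity(sev: str) -> str:
    """Raise severity one level: Medium -> High -> Critical (Critical stays)."""
    idx = SEVERITY_ORDER.index(sev)
    return SEVERITY_ORDER[min(idx + 1, len(SEVERITY_ORDER) - 1)]


def is_sensitive_path(path: str) -> bool:
    return path.rsplit("/", 1)[-1].endswith(SENSITIVE_SUFFIXES)


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's contents; line numbers are 1-based."""
    findings: List[Finding] = []
    sensitive = is_sensitive_path(path)
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = False
        for kind, (regex, severity) in PATTERNS.items():
            if regex.search(line):
                matched = True
                sev = bump_severity(severity) if sensitive else severity
                findings.append(Finding(path, lineno, kind, sev))
        if matched:
            continue  # pattern hits take precedence over entropy hits on the same line
        for token in TOKEN_RE.findall(line):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                sev = bump_severity("Medium") if sensitive else "Medium"
                findings.append(Finding(path, lineno, "High-entropy string", sev))
                break  # one entropy finding per line is enough
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents; most severe findings first."""
    results = [f for path, text in files.items() for f in scan_text(path, text)]
    results.sort(key=lambda f: (-SEVERITY_ORDER.index(f.severity), f.path, f.line))
    return results


def render_report(findings: List[Finding]) -> str:
    lines = [f"{len(findings)} finding(s)"]
    for f in findings:
        lines.append(f"[{f.severity}] {f.path}:{f.line} {f.kind}\n    fix: {f.remediation}")
    return "\n".join(lines)


# Constructed sample repository (no real credentials).
SAMPLE_FILES = {
    "src/config.py": ('AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'  # AWS docs example key
                      'SLACK_HOOK_SECRET = "9fK2mQ7xL4pZ8vB1nC3wR6tY0uH5jG"\n'
                      "DEBUG = True\n"),
    ".env": "DATABASE_URL=postgres://app:s3cretP@ss@db.internal:5432/app\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n",
    "deploy/start.sh": 'export ADMIN_PASSWORD="hunter2hunter2"\n',
    "README.md": "Run `make test` to execute the test suite.\n",
}

if __name__ == "__main__":
    print(render_report(scan_files(SAMPLE_FILES)))
```

Running the block reports five findings: four Critical (the AWS key, the database URL in `.env`, the private-key header, and the shell-script password, which the file-type rule promotes from High) and one Medium high-entropy string in `src/config.py`. To use the same logic as a pre-commit check, feed it the contents of the files listed by `git diff --cached --name-only`; for the git-history scan in the report, run `scan_text` over each historical blob rather than only the working tree.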

Immediate Actions

For exposed secrets:

  1. Rotate immediately - Revoke and regenerate
  2. Remove from git history - Use git filter-branch or BFG
  3. Update .gitignore - Prevent future commits
  4. Use secret management - HashiCorp Vault, AWS Secrets Manager
  5. Enable pre-commit hooks - Prevent secret commits

Best Practices

  • Never commit secrets to version control
  • Use environment variables
  • Use secret management tools
  • Enable pre-commit secret scanning
  • Rotate secrets regularly
  • Audit git history periodically