
Secret Scanner
Scan codebase for leaked secrets and credentials

You are a security engineer specializing in secret detection and credential scanning. The user wants to scan a codebase for leaked secrets, API keys, passwords, and other sensitive credentials.

What to check first

  • Run git log --all --full-history -- <file> on any suspect file to check whether its git history already contains secrets before scanning the working tree
  • Check if .gitignore excludes .env, *.key, and secrets/ files
  • Verify you have write permissions to create a .secretsignore file in the repository root

Steps

  1. Install detect-secrets with pip install detect-secrets (requires Python 3.6+)
  2. Run detect-secrets scan --all-files > .secrets.baseline to generate an initial baseline of suspected secrets
  3. Manually review the baseline file .secrets.baseline and remove any false positives by editing the JSON
  4. Create a .secretsignore file in the repo root to exclude directories: add node_modules/, venv/, .git/, build/, dist/
  5. Run detect-secrets scan --baseline .secrets.baseline --update-baseline to update with any new findings
  6. Use detect-secrets audit .secrets.baseline to interactively review and mark secrets as legitimate or actual leaks
  7. Add this pre-commit hook: detect-secrets-hook --baseline .secrets.baseline to prevent future commits with secrets
  8. Integrate into CI/CD by adding detect-secrets scan --baseline .secrets.baseline --fail-on-detection to your pipeline

Code

import json
import subprocess
import sys
from pathlib import Path

def scan_secrets(repo_path="."):
    """Scan repository for secrets and generate baseline"""
    repo_path = Path(repo_path)

    # Run detect-secrets scan from inside the repo and scan "." so the baseline
    # records repo-relative filenames; the baseline JSON is written to stdout
    try:
        result = subprocess.run(
            ["detect-secrets", "scan", "--all-files", "."],
            capture_output=True,
            text=True,
            cwd=repo_path
        )
    except FileNotFoundError:
        print("detect-secrets not found; install it with: pip install detect-secrets", file=sys.stderr)
        return None

    if result.returncode != 0:
        print(f"Scan error: {result.stderr}", file=sys.stderr)
        return None

    baseline = json.loads(result.stdout)

    # Save baseline
    baseline_file = repo_path / ".secrets.baseline"
    with open(baseline_file, "w") as f:
        json.dump(baseline, f, indent=2)

    # Count findings
    total_secrets = sum(len(secrets) for secrets in baseline["results"].values())
    print(f"Found {total_secrets} potential secrets across {len(baseline['results'])} files")

    return baseline

def audit_baseline(repo_path="."):
    """Interactively audit and validate secrets"""
    baseline_file = Path(repo_path) / ".secrets.baseline"

    # audit is interactive, so leave stdin/stdout attached to the terminal
    result = subprocess.run(
        ["detect-secrets", "audit", str(baseline_file)],
        cwd=repo_path
    )
    return result.returncode == 0

if __name__ == "__main__":
    if scan_secrets() is not None:
        audit_baseline()

Note: this example was truncated in the source. See the GitHub repo for the latest full version.
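The following is an added example, not code from the page or from detect-secrets, that implements the CI gate of step 8 over the baseline audited in step 6: it reads the baseline JSON, separates confirmed leaks, audited false positives and findings nobody has reviewed yet, and fails the pipeline unless everything is cleared. The baseline layout (a `results` map of filename to findings, with `is_secret` written by `detect-secrets audit`) matches what detect-secrets emits; the sample data and hashes are constructed.

```python
import json
import sys
from pathlib import Path
# Constructed sample in the detect-secrets baseline layout (not output of a real scan).
# `detect-secrets audit` records its verdict in "is_secret"; an unaudited finding has none.
SAMPLE_BASELINE = {
    "version": "1.4.0",
    "results": {
        "config/settings.py": [{"type": "Secret Keyword", "line_number": 12,
                                "hashed_secret": "00" * 20, "is_secret": True}],
        "tests/fixtures.py": [{"type": "Hex High Entropy String", "line_number": 3,
                               "hashed_secret": "11" * 20, "is_secret": False}],
        "src/client.py": [{"type": "AWS Access Key", "line_number": 40,
                           "hashed_secret": "22" * 20}],
    },
}

def triage(baseline):
    """Return (confirmed, unaudited, cleared): lists of (file, line, type) tuples."""
    confirmed, unaudited, cleared = [], [], []
    for filename, findings in baseline.get("results", {}).items():
        for f in findings:
            entry = (filename, f.get("line_number"), f.get("type"))
            verdict = f.get("is_secret")  # None until someone audited this finding
            if verdict is None:
                unaudited.append(entry)
            elif verdict:
                confirmed.append(entry)
            else:
                cleared.append(entry)
    return confirmed, unaudited, cleared

def gate_passes(baseline, allow_unaudited=False):
    """CI gate: fail on any confirmed secret, and (by default) on findings nobody
    audited, so committing a fresh baseline cannot silence a real leak."""
    confirmed, unaudited, _ = triage(baseline)
    return not confirmed and (allow_unaudited or not unaudited)

def main(path=".secrets.baseline"):
    """Report findings from a baseline file and return the process exit code."""
    baseline = json.loads(Path(path).read_text())
    confirmed, unaudited, cleared = triage(baseline)
    for label, entries in (("CONFIRMED", confirmed), ("UNAUDITED", unaudited)):
        for filename, line, kind in entries:
            print(f"{label}  {filename}:{line}  {kind}")
    print(f"{len(confirmed)} confirmed, {len(unaudited)} unaudited, {len(cleared)} cleared")
    return 0 if gate_passes(baseline) else 1

if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```

Run it as `python gate.py .secrets.baseline` after the audit step; a non-zero exit means the baseline still carries a confirmed or unreviewed finding.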

Common Pitfalls

  • Treating this skill as a one-shot solution — most workflows need iteration and verification
  • Skipping the verification steps — you don't know it worked until you measure
  • Applying this skill without understanding the underlying problem — read the related docs first

When NOT to Use This Skill

  • When a simpler manual approach would take less than 10 minutes
  • On critical production systems without testing in staging first
  • When you don't have permission or authorization to make these changes

How to Verify It Worked

  • Run the verification steps documented above
  • Compare the output against your expected baseline
  • Check logs for any warnings or errors — silent failures are the worst kind

Production Considerations

  • Test in staging before deploying to production
  • Have a rollback plan — every change should be reversible
  • Monitor the affected systems for at least 24 hours after the change

Quick Info

Category: Security
Difficulty: beginner
Version: 1.0.0
Author: Claude Skills Hub
Tags: security, secrets, scanning

Install command:

curl -o ~/.claude/skills/secret-scanner.md https://claude-skills-hub.vercel.app/skills/security/secret-scanner.md
