AgentSkillsCN

secrets-detector

检测源代码中的硬编码密钥、API 密钥、密码及凭据。当您需要排查代码泄露风险、防范凭据暴露,或在提交代码前进行安全检查时,可使用此功能。

SKILL.md
--- frontmatter
name: secrets-detector
description: Detects hardcoded secrets, API keys, passwords, and credentials in source code. Use when checking for leaked secrets, credential exposure, or before committing code.

Secrets Detector

Quick Start

Scan for secrets using gitleaks:

bash
# Install
brew install gitleaks  # macOS
# or
pip install detect-secrets

# Scan current directory
gitleaks detect --source .

Instructions

Step 1: Choose Detection Tool

Gitleaks (recommended):

bash
gitleaks detect --source . --verbose

detect-secrets:

bash
detect-secrets scan . --all-files

Manual grep patterns:

bash
grep -rn "AKIA[0-9A-Z]{16}" .  # AWS Access Key
grep -rn "ghp_[a-zA-Z0-9]{36}" .  # GitHub Token

Step 2: Scan for Common Patterns

Secret TypePatternExample
AWS Access KeyAKIA[0-9A-Z]{16}AKIAIOSFODNN7EXAMPLE
AWS Secret Key[A-Za-z0-9/+=]{40}wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GitHub Tokenghp_[a-zA-Z0-9]{36}ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
GitHub OAuthgho_[a-zA-Z0-9]{36}gho_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Slack Tokenxox[baprs]-[0-9a-zA-Z-]+xoxb-123456789-abcdefghij
Private Key-----BEGIN.*PRIVATE KEY-----RSA/EC private keys
Generic API Keyapi[_-]?key.*=.*['\"][a-zA-Z0-9]{20,}api_key = "abc123..."
Generic Passwordpassword.*=.*['\"][^'\"]+['\"]password = "secret123"

Step 3: Check Git History

Secrets may exist in git history even if removed:

bash
# Scan entire git history
gitleaks detect --source . --log-opts="--all"

# Check specific commits
git log -p --all -S 'password' --source

Step 4: Categorize Findings

Critical - Immediate rotation required:

  • Cloud provider credentials (AWS, GCP, Azure)
  • Database connection strings
  • Private keys

High - Rotate soon:

  • API keys for external services
  • OAuth tokens
  • Webhook secrets

Medium - Review and rotate:

  • Internal service tokens
  • Test credentials that might be reused

Step 5: Report Findings

markdown
## Secrets Detection Report

### Critical (1)
1. **AWS Secret Key** - config/aws.js:12
   - Type: AWS credentials
   - Action: Rotate immediately in AWS console

### High (2)
1. **GitHub Token** - scripts/deploy.sh:45
   - Type: Personal access token
   - Action: Revoke and regenerate

2. **Slack Webhook** - src/notifications.js:23
   - Type: Incoming webhook URL
   - Action: Regenerate webhook

Prevention

Pre-commit Hook

bash
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks

.gitignore Patterns

gitignore
# Environment files
.env
.env.local
.env.*.local

# Key files
*.pem
*.key
*_rsa
*_ecdsa
*_ed25519

# Config with secrets
config/secrets.yml
credentials.json

Environment Variables

Move secrets to environment variables:

javascript
// BAD
const apiKey = "sk-abc123...";

// GOOD
const apiKey = process.env.API_KEY;

Common False Positives

  • Example/placeholder values in documentation
  • Test fixtures with fake credentials
  • Base64-encoded non-secret data
  • Hash values (SHA, MD5)

Review each finding to confirm it's a real secret before taking action.