Use this skill to scan for and prevent sensitive data leaks in any code, content, or configuration change.
Core requirements:
- Never commit .env, .env.*, or other secret files (private keys, service-account JSON, keystores); ensure .gitignore includes these patterns before the first commit, because an ignore rule does not untrack a file that is already committed
- No hardcoded credentials, API keys, tokens, passwords, or private keys in any file, including tests, fixtures, CI configuration, and documentation
- Scan for common secret patterns by name: API_KEY, SECRET, TOKEN, PASSWORD, PRIVATE, SUPABASE, STRIPE, AWS, GCP, OPENAI, BEARER, AUTH, CLIENT_SECRET. Name matching alone misses a secret assigned to an innocuous variable, so also match well-known value shapes (for example AWS access key IDs beginning with AKIA, Stripe keys beginning with sk_live_, PEM "BEGIN PRIVATE KEY" blocks)
- Treat any detected secret as compromised: remove it immediately, replace it with an environment variable or a clearly marked placeholder, and have its owner rotate it, because deleting it from the working tree does not remove it from git history or from anyone who already pulled
- Document every change made to remove sensitive data (file, what kind of value was removed, what replaced it, rotation status); never paste the secret itself into that documentation
Operational steps:
- On every code/content change, scan the changed files for sensitive data patterns, and periodically scan the whole repo, including files that are easy to overlook (lock files, notebooks, fixtures, build output that was checked in by mistake)
- Check .gitignore for proper exclusion of secret files, and check the tracked file list (git ls-files) for any secret file that is already committed despite an ignore rule
- If any sensitive value is found: remove it from the repo, replace it with an environment variable or placeholder, document what was changed and why, and rotate the secret; if it was already pushed, purge it from history as well, keeping in mind that rotation is what actually closes the exposure
- Confirm no sensitive data remains before publishing or pushing
Checklist:
- Regex search for secret patterns (names and value shapes) in all files, not only source code
- Validate .gitignore includes .env, .env.*, and common secret filenames (*.pem, *.key, id_rsa, service-account and credentials JSON files)
- Flag any hardcoded credential or secret for immediate action: remove, replace, rotate
- Run as part of the pre-publish and code review process, ideally also as a pre-commit hook so a secret is caught before it enters history
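As an added example, not part of this skill or of any project it is used with, the following Python script implements the checklist above: name-based regexes built from the skill's pattern list, a few publicly documented value-shape patterns, a placeholder filter so environment-variable references are not flagged, a directory walker, and a .gitignore check. The sample files, the key values inside them (synthetic, not real credentials), and the REQUIRED_IGNORES list are constructed for the example and should be extended per project.

```python
"""Minimal secret scanner: name-based and value-shape regexes plus a .gitignore check."""
import re
from pathlib import Path

# Names from the skill's pattern list. A hit is reported only when the name is
# assigned a quoted literal, so references such as os.environ["API_KEY"] pass.
# Broad tokens like AUTH and AWS would otherwise flag far too much.
NAME_KEYWORDS = ("API_KEY", "SECRET", "TOKEN", "PASSWORD", "PRIVATE", "SUPABASE",
                 "STRIPE", "AWS", "GCP", "OPENAI", "BEARER", "AUTH", "CLIENT_SECRET")
NAME_RE = re.compile(
    r"(?i)\b\w*(?:" + "|".join(NAME_KEYWORDS) + r")\w*\s*[=:]\s*['\"]([^'\"]{8,})['\"]")

# Value-shape patterns catch the secret itself even when the variable name is innocent.
# These formats are public; the list is a starting point, not an exhaustive catalogue.
VALUE_RES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe-secret-key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{10,}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Quoted values that are clearly placeholders or env-var references, not secrets.
PLACEHOLDER_RE = re.compile(r"(?i)^(?:\$\{?\w+\}?|<[^>]*>|your[_-]\w+|changeme|xxx+|\.\.\.)$")

# Patterns that must be present in .gitignore before anything is pushed (assumed list).
REQUIRED_IGNORES = (".env", ".env.*", "*.pem", "*.key", "id_rsa", "credentials.json")

SKIP_DIRS = {".git", "node_modules", "__pycache__"}


def scan_text(text, path="<string>"):
    """Return (path, line_no, kind, matched_value) for every suspected secret in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in NAME_RE.finditer(line):
            value = m.group(1)
            if not PLACEHOLDER_RE.match(value):
                findings.append((path, line_no, "named-secret", value))
        for kind, rx in VALUE_RES.items():
            for m in rx.finditer(line):
                findings.append((path, line_no, kind, m.group(0)))
    return findings


def scan_tree(root):
    """Walk a checkout and scan every readable text file, skipping VCS and dependency dirs."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or SKIP_DIRS & set(p.parts):
            continue
        try:
            text = p.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable; a fuller scanner would add entropy checks here
        findings.extend(scan_text(text, str(p)))
    return findings


def missing_gitignore_patterns(gitignore_text):
    """Return the REQUIRED_IGNORES entries that do not appear as a line in .gitignore."""
    present = {ln.strip() for ln in gitignore_text.splitlines()
               if ln.strip() and not ln.lstrip().startswith("#")}
    return [pat for pat in REQUIRED_IGNORES if pat not in present]


# Constructed sample files. The key-looking values are synthetic, not real credentials.
SAMPLE_FILES = {
    "config.py": 'STRIPE_SECRET_KEY = "sk_live_0123456789abcdefXYZ"\n'
                 'DB_PASSWORD = os.environ["DB_PASSWORD"]\n',
    "settings.yml": 'openai_api_key: "${OPENAI_API_KEY}"\nregion: us-east-1\n',
    "deploy.sh": "export AWS_KEY=AKIAABCDEFGHIJKLMNOP\n",
    ".gitignore": "__pycache__/\n.env\n",
}


def scan_samples():
    """Run the scanner over SAMPLE_FILES; return (findings, missing .gitignore patterns)."""
    findings = []
    for name, content in SAMPLE_FILES.items():
        findings.extend(scan_text(content, name))
    missing = missing_gitignore_patterns(SAMPLE_FILES[".gitignore"])
    return findings, missing


if __name__ == "__main__":
    found, missing = scan_samples()
    for path, line_no, kind, value in found:
        # Print only a prefix so the scanner's own output does not leak the value.
        print(f"{path}:{line_no}: {kind}: {value[:6]}...")
    if missing:
        print("missing from .gitignore:", ", ".join(missing))
```

On the sample input the scanner reports the Stripe key twice (once by name, once by shape), skips the env-var reference in config.py and the ${...} placeholder in settings.yml, catches the AWS key ID in deploy.sh even though its variable name is not quoted, and lists the ignore patterns still missing from .gitignore. Point scan_tree at a checkout to run it over a real repository; a finding's value should never be printed in full or written to a log.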
Exception handling:
- If a user requests to add a secret, require explicit approval, recommend an environment variable or a secrets manager instead, and if the value must be stored locally anyway, keep it in an ignored file (for example .env) that never enters version control