Secret Guard
Prevent secret leakage via git. Cross-platform, Python stdlib only (no pip install).
Pre-Commit Check (DEFAULT)
Run before ANY commit that touches config, env, auth, or infra files:
python scripts/scan_secrets.py staged
Exit 0 = clean, exit 1 = findings. If findings exist, do NOT commit — remove or move secrets to env vars first.
Full Repo Audit
Scan all tracked files:
python scripts/scan_secrets.py tracked
Gitignore Coverage Audit
Verify .gitignore covers common sensitive file patterns:
python scripts/scan_secrets.py gitignore
Reports which patterns (.env, *.pem, *.key, credentials.json, etc.) are NOT covered.
When User Mentions Secrets/Credentials
If the user discusses API keys, tokens, passwords, or sensitive config:
- Run `python scripts/scan_secrets.py staged` to check whether anything sensitive is staged
- Run `python scripts/scan_secrets.py gitignore` to verify .gitignore coverage
- If findings: list them clearly with remediation steps
- If clean: confirm no secrets detected
Remediation Workflow
When secrets are found:
- Unstage the file: `git reset HEAD <file>`
- Move the secret to an env var: replace the hardcoded value with `os.environ["KEY"]`, `process.env.KEY`, etc.
- Add the file to .gitignore if it is inherently sensitive (.env, *.pem, credentials.json)
- If already committed: warn the user that the secret is in git history and suggest `git filter-repo` or rotating the credential
- Re-scan: `python scripts/scan_secrets.py staged`
What Gets Detected
- Sensitive files: .env, *.pem, *.key, *.p12, credentials.json, id_rsa, kubeconfig, etc.
- Content patterns: AWS keys (AKIA...), GitHub tokens (ghp_/github_pat_), GCP API keys, Stripe keys, Slack tokens, private key blocks (-----BEGIN ... PRIVATE KEY-----), JWT tokens, database connection strings, password/secret variable assignments, and 30+ provider-specific patterns
- Gitignore gaps: checks whether common sensitive file types are covered by .gitignore rules
For the full pattern catalog, see references/patterns.md.
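To make the detection categories above and the gitignore coverage audit concrete, here is an added, stdlib-only illustration of both checks. It is not the project's `scripts/scan_secrets.py` and does not reproduce its catalog: the filename globs are the subset the page lists, the regexes are my own reductions of publicly documented token formats (AWS `AKIA` keys, GitHub `ghp_`/`github_pat_` tokens, PEM private key headers, database URLs, password/secret assignments), the sample files and .gitignore are constructed, and the `AKIAIOSFODNN7EXAMPLE` value is AWS's documented example key. Matches are redacted before they are reported so the scanner itself never echoes a secret into a terminal or CI log.

```python
"""Constructed illustration of secret detection and .gitignore coverage checks.
Not the project's scripts/scan_secrets.py; pattern list and regexes are a
reduced, assumed subset. Python stdlib only."""
import fnmatch
import re
from pathlib import PurePosixPath

# Filename globs the page lists as inherently sensitive (subset).
SENSITIVE_FILE_GLOBS = [".env", "*.pem", "*.key", "*.p12",
                        "credentials.json", "id_rsa", "kubeconfig"]

# Content patterns: assumptions based on publicly documented formats,
# not the project's own catalog.
CONTENT_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\b(?:ghp_|github_pat_)[A-Za-z0-9_]{20,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "db_connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s:@/]+:[^\s@]+@"),
    "secret_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}


def redact(value):
    """Keep a short prefix for triage; never print the full secret."""
    return value[:4] + "..." + "*" * 4


def is_sensitive_path(path):
    name = PurePosixPath(path).name
    return any(fnmatch.fnmatch(name, g) for g in SENSITIVE_FILE_GLOBS)


def scan_content(path, text):
    """Return (path, line_no, pattern_name, redacted_match) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, rx in CONTENT_PATTERNS.items():
            for m in rx.finditer(line):
                findings.append((path, line_no, name, redact(m.group(0))))
    return findings


def scan_files(files):
    """files: {path: text}. exit_code is 1 on any finding, 0 when clean."""
    report = {"sensitive_files": [], "findings": []}
    for path, text in files.items():
        if is_sensitive_path(path):
            report["sensitive_files"].append(path)
        report["findings"].extend(scan_content(path, text))
    report["exit_code"] = 1 if (report["sensitive_files"] or report["findings"]) else 0
    return report


def gitignore_gaps(gitignore_text, required=SENSITIVE_FILE_GLOBS):
    """Report required globs that no non-negated .gitignore rule covers.
    Approximation: a rule covers a glob if it equals it or matches a sample
    filename built from it; `git check-ignore` is the authoritative answer."""
    rules = []
    for raw in gitignore_text.splitlines():
        rule = raw.strip()
        if not rule or rule.startswith(("#", "!")):
            continue
        rules.append(rule.strip("/").split("/")[-1])  # compare on basename only
    gaps = []
    for glob in required:
        sample = glob.replace("*", "example")
        if not any(r == glob or fnmatch.fnmatch(sample, r) for r in rules):
            gaps.append(glob)
    return gaps


# Constructed sample "staged" files. The AKIA value is AWS's documented example key.
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'DATABASE_URL = "postgres://app:hunter2hunter2@db.internal:5432/app"\n'
        "DEBUG = True\n"
    ),
    "deploy/server.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE(constructed)\n-----END RSA PRIVATE KEY-----\n",
    "README.md": "Set GITHUB_TOKEN in your environment; never commit it.\n",
}
SAMPLE_GITIGNORE = ".env\n*.pem\n# local secrets dir\nsecrets/\n!keep.pem\n"

if __name__ == "__main__":
    rep = scan_files(SAMPLE_FILES)
    for f in rep["sensitive_files"]:
        print(f"sensitive file staged: {f}")
    for path, ln, name, shown in rep["findings"]:
        print(f"{path}:{ln}: {name}: {shown}")
    for g in gitignore_gaps(SAMPLE_GITIGNORE):
        print(f".gitignore gap: {g}")
    raise SystemExit(rep["exit_code"])
```

Run stand-alone, it reports the staged `.pem`, the AWS key and connection string in `settings.py`, and the five required globs the sample .gitignore does not cover, then exits 1, mirroring the exit-code contract described under Pre-Commit Check. The README line mentioning `GITHUB_TOKEN` by name produces no finding: the patterns key on token shapes, not on variable names, which is why the separate assignment pattern exists for quoted password/secret values.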