
Auto Secret Scanner

Automatically detects hardcoded secrets before they are committed. Includes structured workflows, validation checks, and reusable patterns for security.

Hook | Cliptics | security | v1.0.0 | MIT

Scans code for hardcoded API keys, tokens, passwords, and credentials from 30+ providers before they can be committed, blocking commits that contain secrets.

When to Use This Hook

Attach this hook when you need to:

  • Prevent API keys from Anthropic, OpenAI, AWS, Stripe, and other providers from entering git history
  • Scan every Bash command involving git commits for staged files containing secrets
  • Enforce environment variable usage instead of hardcoded credentials across the codebase

Consider alternatives when:

  • You use a dedicated secrets management service with automated credential rotation
  • Your CI pipeline already runs tools like Gitleaks or TruffleHog on every push

Quick Start

Configuration

  name: auto-secret-scanner
  type: hook
  trigger: PreToolUse
  category: security

Example Trigger

  # Hook triggers before a git commit command
  claude> git commit -m "add payment integration"
  # Scanner checks staged files for hardcoded secrets

Example Output

Secret Scanner: Scanning staged files...
  src/services/payment.ts:
    Line 12: Stripe key detected (sk_live_...)
    Line 45: AWS access key detected (AKIA...)
  BLOCKED: 2 secrets found in staged files
  Fix: Move secrets to .env and use process.env

Core Concepts

Detection Coverage Overview

  Provider    Details
  Anthropic   sk-ant-... API key pattern
  OpenAI      sk-... API key pattern
  AWS         AKIA... access key ID pattern
  Stripe      sk_live_..., pk_live_... key patterns
  GitHub      ghp_..., gho_..., ghu_... token patterns
  Google      AIza... API key pattern

Scanning Workflow

Git Commit Intercepted
         |
   Get Staged Files
         |
   For Each File:
         |
   Scan Line by Line
         |
   Match Against 30+
   Provider Patterns
         |
   ┌─────┴─────┐
   |           |
No Secrets  Found
   |           |
  ALLOW     BLOCK
  Commit    + Report File,
            Line, Provider

Configuration

  Parameter          Type      Default               Description
  provider_patterns  object    30+ built-in          Regex patterns mapped to provider names
  scan_extensions    string[]  ["*"]                 File extensions to scan (all by default)
  exclude_patterns   string[]  ["*.test.*","*.md"]   File patterns to skip scanning
  allow_env_files    boolean   false                 Allow secrets in .env files (they should be gitignored)
  custom_patterns    object    {}                    Additional regex patterns for internal secret formats

Best Practices

  1. Scan All File Types - Secrets can appear in unexpected places: YAML configs, Dockerfiles, markdown docs, and shell scripts. Scan everything by default and use a narrow exclusion list.

  2. Include .env in .gitignore - The scanner catches secrets in code, but .env files should never reach git. Ensure .gitignore includes .env* patterns as a complementary defense layer.

  3. Add Custom Patterns for Internal Keys - If your organization uses a specific key format (e.g., myco_key_...), add it to custom_patterns so internal credentials are caught alongside third-party ones.

  4. Update Patterns Regularly - Providers change their key formats over time. Review and update detection patterns quarterly to maintain coverage against new key formats.

  5. Provide Remediation Guidance - When blocking a commit, tell the developer exactly how to fix the issue: which file, which line, and the specific command to move the secret to an environment variable.

Common Issues

  1. False Positives on Test Data - Test fixtures may contain fake API keys that match real patterns. Exclude test directories or add a # secret-scanner:ignore comment mechanism for known-safe values.

  2. Base64 Encoded Secrets - Simple regex patterns miss secrets that are base64 encoded or split across multiple lines. Consider adding base64 decoding as a pre-processing step for thorough scanning.

  3. Performance on Large Commits - Scanning hundreds of staged files line-by-line can be slow. Limit scanning to changed lines (git diff) rather than full file contents for better performance.
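The following is an added example written for this page, not the hook's own code. It implements the scanning workflow above over the output of `git diff --cached -U0`, so only the lines a commit adds are scanned (the approach the Common Issues section recommends), matches regexes modelled on the detection table (the exact regexes are assumptions about each provider's format, not the hook's shipped patterns), honours the exclude_patterns, scan_extensions, allow_env_files and custom_patterns options from the configuration table, and skips any line carrying a `secret-scanner:ignore` marker. The diff text embedded at the bottom is constructed sample input; the `--sample` switch exists only in this example.

```python
"""Added example: a minimal staged-change secret scanner (not the hook's own code)."""
import fnmatch
import re
import subprocess
import sys

# Provider regexes modelled on the detection table; lengths are assumptions.
# OpenAI uses a negative lookahead so "sk-ant-" is attributed to Anthropic.
PROVIDER_PATTERNS = {
    "Anthropic": r"\bsk-ant-[A-Za-z0-9_-]{20,}",
    "OpenAI": r"\bsk-(?!ant-)[A-Za-z0-9_-]{20,}",
    "AWS": r"\bAKIA[0-9A-Z]{16}\b",
    "Stripe": r"\b[sp]k_live_[0-9A-Za-z]{16,}",
    "GitHub": r"\bgh[pou]_[0-9A-Za-z]{20,}",
    "Google": r"\bAIza[0-9A-Za-z_-]{35}",
}
IGNORE_MARKER = "secret-scanner:ignore"  # e.g. "# secret-scanner:ignore" on a known-safe line

# Defaults taken from the configuration table.
DEFAULT_CONFIG = {
    "scan_extensions": ["*"],
    "exclude_patterns": ["*.test.*", "*.md"],
    "allow_env_files": False,
    "custom_patterns": {},
}


def compile_patterns(config):
    """Merge built-in and custom patterns; custom entries override same-named built-ins."""
    merged = {**PROVIDER_PATTERNS, **config.get("custom_patterns", {})}
    return {name: re.compile(rx) for name, rx in merged.items()}


def should_scan(path, config):
    """Apply allow_env_files, exclude_patterns and scan_extensions to a path."""
    name = path.rsplit("/", 1)[-1]
    if config.get("allow_env_files") and name.startswith(".env"):
        return False
    if any(fnmatch.fnmatch(name, glob) for glob in config["exclude_patterns"]):
        return False
    exts = config["scan_extensions"]
    return "*" in exts or any(fnmatch.fnmatch(name, "*." + e.lstrip(".")) for e in exts)


def added_lines(diff_text):
    """Yield (path, new_line_number, text) for every added line of a unified diff."""
    path, lineno = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):            # new-side file header
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):            # hunk header: reset the new-side counter
            lineno = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw).group(1))
        elif raw.startswith("+") and path is not None:
            yield path, lineno, raw[1:]
            lineno += 1
        elif raw.startswith(("-", "\\")):     # removed line or "\ No newline" marker
            continue
        elif path is not None:                # context line (present when -U0 is not used)
            lineno += 1


def scan_diff(diff_text, config=DEFAULT_CONFIG):
    """Return (path, line, provider, redacted_prefix) for each secret in added lines."""
    patterns = compile_patterns(config)
    findings = []
    for path, lineno, text in added_lines(diff_text):
        if not should_scan(path, config) or IGNORE_MARKER in text:
            continue
        for provider, rx in patterns.items():
            match = rx.search(text)
            if match:
                findings.append((path, lineno, provider, match.group(0)[:8] + "..."))
    return findings


def report(findings):
    """Format findings in the style of the Example Output section."""
    if not findings:
        return "Secret Scanner: no secrets found in staged changes"
    lines = ["Secret Scanner: Scanning staged files..."]
    for path, lineno, provider, prefix in findings:
        lines.append(f"  {path}:{lineno}: {provider} key detected ({prefix})")
    lines.append(f"  BLOCKED: {len(findings)} secrets found in staged files")
    lines.append("  Fix: Move secrets to .env and use process.env")
    return "\n".join(lines)


def staged_diff():
    """Read the staged changes with zero context so only added lines are scanned."""
    return subprocess.run(["git", "diff", "--cached", "-U0"],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample diff: two findings, one ignored line, one excluded *.md file.
SAMPLE_DIFF = """\
diff --git a/src/services/payment.ts b/src/services/payment.ts
--- a/src/services/payment.ts
+++ b/src/services/payment.ts
@@ -12,0 +12,1 @@
+const stripe = new Stripe("sk_live_EXAMPLE0000000000000000");
@@ -44,0 +45,2 @@
+const awsKey = "AKIAEXAMPLE000000000";
+const fixture = "AKIAEXAMPLE000000001"; // secret-scanner:ignore
diff --git a/docs/setup.md b/docs/setup.md
--- a/docs/setup.md
+++ b/docs/setup.md
@@ -0,0 +1,1 @@
+Use sk_live_EXAMPLE0000000000000000 as a placeholder (skipped by *.md exclusion)
"""

if __name__ == "__main__":
    diff = SAMPLE_DIFF if "--sample" in sys.argv else staged_diff()
    found = scan_diff(diff)
    print(report(found))
    sys.exit(2 if found else 0)  # non-zero exit blocks the commit
```

Run with `--sample` to see the constructed diff reported as two findings; without it, the script reads the real staged diff and exits non-zero when anything matches, which is the signal a PreToolUse hook uses to block the commit. Scanning the diff rather than whole files keeps the cost proportional to the change, but it also means a secret already committed in an earlier revision is not re-reported; a full-history tool such as Gitleaks or TruffleHog covers that case.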
