Secrets Scanner Instant
Scan your entire codebase for exposed secrets including API keys, database credentials, private keys, and authentication tokens, then provide remediation guidance.
When to Use This Command
Run this command when...
- You need to audit your repository for accidentally committed API keys, passwords, or connection strings
- You are onboarding a new team member and want to verify no secrets are hardcoded in the codebase
- You want to scan git history for secrets that were committed and then removed but still exist in older commits
- You need to generate .gitignore entries and secure configuration templates to prevent future secret exposure
- You are preparing for a security compliance audit and need a documented secrets inventory
Quick Start
```yaml
# .claude/commands/secrets-scanner-instant.yaml
name: Secrets Scanner Instant
description: Scan codebase for exposed secrets with remediation guidance
inputs:
  - name: scope
    description: "Scan scope: files, history, or full"
    default: "files"
```

```bash
# Scan current files for secrets
claude "secrets-scanner-instant"

# Scan git history for previously committed secrets
claude "secrets-scanner-instant --scope history"

# Full scan with remediation report
claude "secrets-scanner-instant --scope full"
```
Output:
```text
[scan] Scanning 847 files across 12 directories...

Findings:
  CRITICAL: AWS_SECRET_KEY in src/config.js:23
  HIGH:     Database password in docker-compose.yml:18
  MEDIUM:   JWT_SECRET hardcoded in auth.ts:45
  LOW:      Internal API URL in constants.ts:12

[remediate] Generated .env.example with 4 variables
[gitignore] Added 3 entries to .gitignore

Done. 4 secrets found. Remediation steps provided.
```
Core Concepts
| Concept | Description |
|---|---|
| Pattern Matching | Regex-based detection for API key formats (AWS, Google, Stripe, GitHub), connection strings, and private keys |
| Git History Scan | Examines all commits in the repository history, not just current files, to find secrets that were later removed |
| Risk Classification | Secrets scored by type: Critical (cloud credentials), High (database), Medium (app secrets), Low (internal URLs) |
| Remediation Guidance | For each finding, provides steps to rotate the secret, move it to environment variables, and prevent reoccurrence |
| Prevention Tools | Generates .gitignore entries, .env.example templates, and pre-commit hook configurations |
Detection Categories:

| API Keys | DB Creds | Priv Keys | Auth Tokens |
|---|---|---|---|
| AWS, GCP | Postgres | SSH, SSL | JWT, OAuth |
| Stripe | MongoDB | PEM, P12 | Session |
| GitHub | Redis | PKCS | API Token |
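As an added example (not the command's own implementation), here is a minimal Python scanner that applies the pattern-matching and risk-classification ideas above to a constructed in-memory repository. The regexes, the `secrets-ignore` inline marker and the `.internal` URL heuristic are assumptions, and every secret-looking value in the sample is a fake placeholder.

```python
import re
from collections import namedtuple

# Severity tiers follow the Risk Classification row: cloud creds > database > app secrets > internal URLs.
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

# (name, severity, regex). Key prefixes are the public formats each provider documents;
# the JWT and internal-URL rules are looser heuristics and will need tuning per codebase.
PATTERNS = [
    ("AWS access key ID", "CRITICAL", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("GitHub token", "CRITICAL", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("Stripe live secret key", "CRITICAL", re.compile(r"\bsk_live_[0-9a-zA-Z]{24,}\b")),
    ("Private key block", "CRITICAL", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----")),
    ("Database connection string", "HIGH", re.compile(r"\b(?:postgres(?:ql)?|mongodb|redis)://[^\s:/]+:[^\s@]+@")),
    ("JWT secret assignment", "MEDIUM", re.compile(r"\bJWT_SECRET\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
    ("Internal URL", "LOW", re.compile(r"https?://[a-zA-Z0-9.-]+\.internal\b")),
]
IGNORE_MARKER = "secrets-ignore"  # assumed inline-comment convention for reviewed fixtures

Finding = namedtuple("Finding", "severity name path line")

def scan_files(files, exclude=("node_modules", "dist"), min_severity="LOW"):
    """Scan a {path: content} mapping; return Findings at or above min_severity, most severe first."""
    findings = []
    for path, content in files.items():
        if any(d in path.split("/") for d in exclude):  # mirrors the --exclude parameter
            continue
        for lineno, text in enumerate(content.splitlines(), start=1):
            if IGNORE_MARKER in text:  # reviewed false positive (e.g. a test fixture)
                continue
            for name, severity, rx in PATTERNS:
                if rx.search(text) and SEVERITY_RANK[severity] >= SEVERITY_RANK[min_severity]:
                    findings.append(Finding(severity, name, path, lineno))
    return sorted(findings, key=lambda f: -SEVERITY_RANK[f.severity])

# Constructed sample repository; none of these values are real credentials.
SAMPLE_REPO = {
    "src/config.js": 'const key = "AKIAIOSFODNN7EXAMPLE";\nconst api = "https://billing.corp.internal/v1";\n',
    "docker-compose.yml": "DATABASE_URL: postgres://app:hunter2@db:5432/app\n",
    "auth.ts": "const JWT_SECRET = 'change-me-please-now';\n",
    "tests/fixtures/keys.py": 'TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ012345"  # secrets-ignore: fixture\n',
    "node_modules/lib/index.js": 'const k = "sk_live_abcdefghijklmnopqrstuvwxyz";\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_REPO):
        print(f"{f.severity}: {f.name} in {f.path}:{f.line}")
```

Running it reports four findings (one per severity tier), skips the fixture carrying the ignore marker, and never looks inside the excluded node_modules tree.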
Configuration
| Parameter | Type | Default | Description |
|---|---|---|---|
| scope | string | "files" | Scan scope: files (current), history (git log), or full (both) |
| severity | string | "low" | Minimum severity to report: low, medium, high, critical |
| fix | boolean | false | Auto-generate .env.example and update .gitignore |
| exclude | string | "node_modules,dist" | Directories to exclude from scanning (comma-separated) |
| format | string | "terminal" | Output format: terminal, markdown, or json |
Best Practices
- Scan before every public release -- A single exposed API key in a public repository can be exploited within minutes. Scan before open-sourcing code or publishing to package registries.
- Include history scans periodically -- Secrets removed from current files still exist in git history. Run `--scope history` monthly to catch secrets that were committed and then deleted.
- Rotate compromised secrets immediately -- Finding a secret in code means it may already be compromised. Rotate the credential on the provider's dashboard before removing it from the code.
- Use the generated .env.example -- The command produces a template with variable names but no values. Commit this file so new team members know which environment variables to configure.
- Install pre-commit hooks -- After scanning, set up a pre-commit hook that runs the scanner on staged files to prevent new secrets from being committed.
Common Issues
- False positives on test fixtures -- Test files may contain mock API keys or example credentials that trigger alerts. Use `--exclude test,fixtures` or add inline ignore comments.
- Large repositories scan slowly -- Repositories with extensive git history may take minutes to scan fully. Use `--scope files` for quick checks and reserve full history scans for scheduled audits.
- Encrypted secrets flagged -- Encrypted or hashed values may match secret patterns. Review each finding to determine if the value is actually exposed or safely encrypted.