Secret Detector

Caution

Scans codebases, configuration files, and git history for exposed credentials, API keys, tokens, and other sensitive secrets that should not be committed.

By AppSec Skills 3,280 v1.6.0 Updated 2026-03-10

Install

Claude Code

Copy the SKILL.md file to your project's .claude/skills/ directory

About This Skill

Secret Detector scans your codebase for exposed credentials and sensitive secrets. It uses pattern matching and entropy analysis to find API keys, database passwords, private keys, OAuth tokens, and other credentials that should never be committed to version control.

How It Works

  1. Pattern scanning — Matches against 200+ known secret patterns (AWS keys, GitHub tokens, Stripe keys, JWT secrets, etc.)
  2. Entropy analysis — Detects high-entropy strings that may be randomly generated secrets
  3. Git history scan — Examines all commits, including deleted files and force-pushed history
  4. Context analysis — Distinguishes real secrets from test fixtures, examples, and documentation
  5. Remediation advice — Provides steps to rotate compromised secrets and prevent future leaks
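As an added illustration of steps 1, 2 and 4 above (this is not the skill's own code; its pattern set and thresholds are not published on this page), a small Python scanner that combines known-format patterns, Shannon-entropy gating of generic "name = value" assignments, and context checks for placeholder values and fixture paths. The two format patterns, the 3.5 bits/char threshold, the placeholder word list and the sample config values are all assumptions chosen for the demonstration:

```python
import math
import re

# Known-format patterns (a small subset; the skill itself advertises 200+).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Generic "secret-ish name = value" assignment; reported only when the value is high-entropy.
GENERIC = re.compile(r"""(?i)\b(\w*(?:secret|password|passwd|token|api_?key)\w*)\s*[=:]\s*["']?([A-Za-z0-9+/=_\-]{16,})""")
PLACEHOLDERS = ("example", "placeholder", "changeme", "your_", "_here", "xxx", "todo")
FIXTURE_PATH = re.compile(r"(?i)(^|/)(tests?|fixtures?|examples?|docs?)/")
ENTROPY_THRESHOLD = 3.5  # bits per character (assumed); random base64-like strings score well above this

def shannon_entropy(s: str) -> float:
    """Bits per character: 0.0 for a constant string, log2(len(s)) when every char differs."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_like_placeholder(value: str) -> bool:
    return any(p in value.lower() for p in PLACEHOLDERS)

def scan_text(path: str, text: str) -> list:
    """Return (line_no, kind, value, confidence) tuples; fixture/doc paths lower the confidence."""
    in_fixture = bool(FIXTURE_PATH.search(path))
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        known_hit = False
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                if not looks_like_placeholder(m.group(0)):
                    known_hit = True
                    findings.append((n, kind, m.group(0), "low" if in_fixture else "high"))
        m = GENERIC.search(line)
        if m and not known_hit and not looks_like_placeholder(m.group(2)) \
                and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((n, "high_entropy_" + m.group(1).lower(), m.group(2), "low" if in_fixture else "medium"))
    return findings

# Constructed sample config: made-up values that only mimic the documented key formats.
SAMPLE = """\
AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
DB_PASSWORD=Xq7vR2mLk9pTz4wHn8bYc3sF
API_KEY=YOUR_API_KEY_HERE
SESSION_SECRET=aaaaaaaaaaaaaaaaaaaaaaaa
"""
```

Running `scan_text("config/.env", SAMPLE)` reports the first three lines and skips the placeholder and the zero-entropy value; the same text under a `tests/fixtures/` path is reported at low confidence rather than dropped, which is the trade-off behind the "context-aware" claim.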

Best For

  • Pre-commit hooks to prevent secret leaks before they happen
  • Auditing repositories after team member offboarding
  • Compliance checks for SOC 2 and PCI DSS requirements
  • Reviewing open-source contributions for accidental secret exposure

Detection Coverage

Covers AWS, GCP, Azure, GitHub, GitLab, Slack, Stripe, Twilio, SendGrid, database connection strings, private keys (RSA, SSH, PGP), and JWT signing secrets.

Use Cases

  • Pre-commit scan for accidentally staged secrets
  • Full repository scan including git history for leaked keys
  • Audit .env files, docker-compose, and CI config for hardcoded credentials
  • Verify .gitignore properly excludes secret-containing files

Pros & Cons

Pros

  • 200+ built-in patterns covering major cloud and SaaS providers
  • Git history scanning catches secrets in deleted commits
  • Context-aware analysis reduces false positives from test fixtures

Cons

  • Cannot rotate or revoke found secrets automatically
  • Entropy-based detection may flag non-secret random strings
