>_

check-secrets

Scan the codebase for potential secret leaks including API keys, tokens, passwords, hardcoded project IDs, and sensitive identifiers. Use when the user says "check for secrets", "scan for leaks", "security check", or before committing sensitive changes.

$ Installieren

git clone https://github.com/nozomi-koborinai/koborin-ai /tmp/koborin-ai && cp -r /tmp/koborin-ai/.claude/skills/check-secrets ~/.claude/skills/koborin-ai

// tip: Run this command in your terminal to install the skill

SKILL.md
View on GitHub →

name: check-secrets description: Scan the codebase for potential secret leaks including API keys, tokens, passwords, hardcoded project IDs, and sensitive identifiers. Use when the user says "check for secrets", "scan for leaks", "security check", or before committing sensitive changes.

check-secrets

Scan the codebase for potential secret leaks before commits.

Trigger Examples

  • "Check for secrets"
  • "Scan for leaks"
  • "Security check"
  • "Are there any hardcoded secrets?"

Execution Flow

1. Define Detection Patterns

High-risk patterns:

  • API keys: ['\"]?[A-Z0-9_]{20,}['\"]?
  • Bearer tokens: Bearer\s+[A-Za-z0-9\-._~+/]+=*
  • Private keys: -----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----
  • OAuth secrets: client_secret['\"]?\s*[:=]\s*['\"]?[A-Za-z0-9\-_]{20,}
  • GCP service account keys: "type":\s*"service_account"
  • AWS credentials: AKIA[0-9A-Z]{16}

Project-specific patterns:

  • Hardcoded project IDs: koborin-ai (outside of variable assignments or docs)
  • Email addresses: @koborin\.ai

Safe patterns (excluded):

  • Environment variable references: process.env., $\{, TF_VAR_
  • Placeholder values: <PROJECT_ID>, YOUR_API_KEY, dummy, example
  • Test fixtures: files under __tests__/, *.test.ts, *.spec.ts

2. Scan the Codebase

Use git ls-files to get tracked files:

git ls-files | grep -v -E '\.(png|jpg|jpeg|gif|svg|woff|woff2|ttf|eot|ico|pdf)$' | \
  grep -v -E '^(node_modules|\.next|dist|build|coverage)/'

3. Filter False Positives

Remove known safe occurrences:

  • Lines containing process.env. or TF_VAR_
  • Template files (.env.example, .env.template)
  • Lines with placeholder patterns (<...>, YOUR_..., REPLACE_ME)

4. Categorize Findings

Critical (immediate action required):

  • Private keys, service account JSON
  • Hardcoded passwords or tokens
  • Real API keys with valid format

Warning (review recommended):

  • Suspicious long strings that might be keys
  • Hardcoded project IDs outside infrastructure code

Info (low risk):

  • Company name in unexpected places
  • Domain references in application code

5. Display Results

CRITICAL: Potential private key detected
  File: infra/shared/main.tf
  Line: 42
  Match: -----BEGIN PRIVATE KEY-----

WARNING: Hardcoded project ID
  File: app/src/lib/api-client.ts
  Line: 15
  Match: const PROJECT = "koborin-ai"

Summary:
- Critical: 1 finding(s)
- Warning: 1 finding(s)

Review these findings before committing.

Project-Specific Rules

For koborin-ai:

  • Allow koborin-ai in infra/ and README.md
  • Flag it in app/src/ unless from environment variable
  • Allow email addresses in documentation
  • Flag GCP project IDs when hardcoded outside Pulumi config

Notes

  • This is static analysis only; cannot detect runtime-loaded secrets
  • Always review findings manually
  • Run before every commit
  • Never commit real secrets even if undetected

Repository

nozomi-koborinai
nozomi-koborinai
Author
nozomi-koborinai/koborin-ai/.claude/skills/check-secrets
6
Stars
0
Forks
Updated4d ago
Added1w ago

Actions

View on GitHubDownload ZIPReport Issue

Related Skills

skill-writer
pytorch/pytorch
95.4k
docstring
pytorch/pytorch
95.4k
at-dispatch-v2
pytorch/pytorch
95.4k
skill-creator
openai/codex
54.7k
skill-installer
openai/codex
54.7k