Agent Skills: Credentials Check

Category: Uncategorized

ID: akaihola/skills-akaihola/credentials-check

Install this agent skill to your local

pnpm dlx add-skill https://github.com/akaihola/skills-akaihola/tree/HEAD/credentials-check

credentials-check/SKILL.md

Credentials Check

Scan files, directories, or git repositories for accidentally committed credentials using Yelp's detect-secrets via uvx.

Quick Start

# Scan the current directory (git-tracked files only)
uvx detect-secrets scan

# Scan a specific directory (all files, including non-git)
uvx detect-secrets scan --all-files path/to/dir

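# Scan the .git/ directory for credentials in git internals
# (--all-files is required: nothing under .git/ is git-tracked, so a default scan skips it)
uvx detect-secrets scan --all-files .git/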

# Scan a single string
uvx detect-secrets scan --string 'AKIAIOSFODNN7EXAMPLE'

Interpreting Results

The output is JSON. A clean scan looks like:

{
  "results": {}
}

A finding looks like:

{
  "results": {
    "path/to/file.py": [
      {
        "type": "AWS Access Key",
        "filename": "path/to/file.py",
        "hashed_secret": "abc123...",
        "is_verified": false,
        "line_number": 42
      }
    ]
  }
}

When findings exist:

  1. Review each finding — some may be false positives (test data, example keys).
  2. For real secrets: remove the credential, rotate it, and add the file path to .secrets.baseline or an allowlist.
  3. For false positives: add an inline # pragma: allowlist secret comment, or exclude the pattern via --exclude-secrets.
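
An added example (not part of the skill's own files): a Python script that flattens the JSON report shown above into a review queue for step 1, with verified findings first and test-fixture paths last. The `tests/` prefix, the function names and the sample report are assumptions constructed for illustration.

```python
import json
import sys
from collections import Counter

# Constructed sample in the JSON shape shown above (not real scan output).
SAMPLE = json.dumps({"results": {
    "tests/fixtures/keys.txt": [
        {"type": "AWS Access Key", "filename": "tests/fixtures/keys.txt",
         "hashed_secret": "0" * 40, "is_verified": False, "line_number": 3}],
    "app/settings.py": [
        {"type": "Secret Keyword", "filename": "app/settings.py",
         "hashed_secret": "1" * 40, "is_verified": False, "line_number": 42},
        {"type": "AWS Access Key", "filename": "app/settings.py",
         "hashed_secret": "2" * 40, "is_verified": True, "line_number": 7}],
}})

def triage(scan_json, test_prefixes=("tests/",)):
    """Flatten a scan report into a review queue, most urgent first."""
    # test_prefixes is a hypothetical hint for paths that usually hold
    # fixtures; those findings are ranked last, never dropped.
    results = json.loads(scan_json).get("results", {})
    queue = []
    for path, secrets in results.items():
        for s in secrets:
            queue.append({
                "path": path, "line": s["line_number"], "type": s["type"],
                "verified": bool(s.get("is_verified")),
                "in_tests": path.startswith(tuple(test_prefixes)),
            })
    # Verified secrets first, then non-test paths, then by location.
    queue.sort(key=lambda f: (not f["verified"], f["in_tests"], f["path"], f["line"]))
    return queue

def summarize(queue):
    """Count findings per detector type."""
    return dict(Counter(f["type"] for f in queue))

def exit_code(queue):
    """0 for a clean scan, 1 if anything still needs review."""
    return 1 if queue else 0

if __name__ == "__main__":
    # Usage: uvx detect-secrets scan | python triage.py
    q = triage(sys.stdin.read())
    for f in q:
        print(f"{f['path']}:{f['line']}  {f['type']}  verified={f['verified']}")
    sys.exit(exit_code(q))
```

The report carries only `hashed_secret`, so the queue can be printed or logged without exposing the credential itself.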

Common Workflows

Pre-commit check

uvx detect-secrets scan > .secrets.baseline
uvx detect-secrets audit .secrets.baseline

Scan with custom entropy thresholds

uvx detect-secrets scan --base64-limit 5.0 --hex-limit 3.5

Disable noisy plugins

uvx detect-secrets scan --disable-plugin HexHighEntropyString

Scan non-git files

uvx detect-secrets scan --all-files .

Detected Secret Types

detect-secrets ships with 26 plugins covering:

| Plugin                    | Detects                              |
|---------------------------|--------------------------------------|
| AWSKeyDetector            | AWS access keys and secret keys      |
| AzureStorageKeyDetector   | Azure storage account keys           |
| BasicAuthDetector         | Basic auth strings in URLs           |
| GitHubTokenDetector       | GitHub personal access tokens        |
| GitLabTokenDetector       | GitLab personal/project tokens       |
| JwtTokenDetector          | JSON Web Tokens                      |
| PrivateKeyDetector        | PEM-encoded private keys             |
| Base64HighEntropyString   | High-entropy base64 strings          |
| HexHighEntropyString      | High-entropy hex strings             |
| KeywordDetector           | Passwords, secrets, tokens in code   |
| OpenAIDetector            | OpenAI API keys                      |
| StripeDetector            | Stripe API keys                      |
| SlackDetector             | Slack tokens and webhooks            |
| TwilioKeyDetector         | Twilio API keys                      |
| SendGridDetector          | SendGrid API keys                    |
| TelegramBotTokenDetector  | Telegram bot tokens                  |
| DiscordBotTokenDetector   | Discord bot tokens                   |
| MailchimpDetector         | Mailchimp API keys                   |
| NpmDetector               | npm tokens                           |
| PypiTokenDetector         | PyPI API tokens                      |
| ArtifactoryDetector       | JFrog Artifactory tokens             |
| CloudantDetector          | IBM Cloudant credentials             |
| IbmCloudIamDetector       | IBM Cloud IAM keys                   |
| IbmCosHmacDetector        | IBM COS HMAC credentials             |
| SoftlayerDetector         | SoftLayer API keys                   |
| SquareOAuthDetector       | Square OAuth tokens                  |

References

  • references/detect_secrets_cli.md — Full CLI reference and advanced options.