Agent Skills: Secret Scanner

Scans codebase for hardcoded secrets with severity classification and remediation guidance. Use when auditing a project for leaked credentials.

Uncategorized
ID: levnikolaevich/claude-code-skills/ln-761-secret-scanner

Install this agent skill to your local

pnpm dlx add-skill https://github.com/levnikolaevich/claude-code-skills/tree/HEAD/skills-catalog/ln-761-secret-scanner

Skill Files


skills-catalog/ln-761-secret-scanner/SKILL.md

Skill Metadata

Name
ln-761-secret-scanner
Description
"Scans codebase for hardcoded secrets with severity classification and remediation guidance. Use when auditing a project for leaked credentials."

Paths: File paths (shared/, references/, ../ln-*) are relative to skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for repo root. If shared/ is missing, fetch files via WebFetch from https://raw.githubusercontent.com/levnikolaevich/claude-code-skills/master/skills/{path}.

Secret Scanner

Type: L3 Worker
Category: 7XX Bootstrap

Scans codebase for hardcoded secrets and credentials, returning structured findings for remediation.

Purpose & Scope

  • Detect hardcoded secrets using available tools (gitleaks, trufflehog) or manual patterns
  • Classify findings by severity (Critical/High/Medium/Low)
  • Filter false positives via baseline and allowlists
  • Provide remediation guidance per finding type
  • Return normalized report to parent orchestrator (ln-760)

When to Use

  • During project bootstrap (via ln-760-security-setup)
  • Pre-commit hook validation
  • CI/CD security pipeline
  • Manual security audit

Workflow

Phase 1: Tool Detection

Step 1: Check Available Scanners

  • Check if gitleaks is installed (preferred)
  • Check if trufflehog is installed (alternative)
  • If neither available: use manual pattern matching as fallback

Step 2: Load Configuration

  • Load project .gitleaks.toml if exists (custom rules)
  • Load .gitleaksbaseline if exists (known false positives)
  • If no config: use default patterns from references/detection_patterns.md

Phase 2: Scan Execution

Step 1: Run Available Scanner

  • Execute scanner against project root
  • Capture output in structured format (JSON/SARIF preferred)
  • If tool unavailable: run manual grep patterns for high-confidence secrets

Step 2: Parse Results

  • Normalize output to common format: file, line, pattern, raw_match
  • Preserve original severity if provided by tool

Phase 3: Report Generation

Step 1: Severity Classification

  • Map findings to severity levels per references/detection_patterns.md
  • Critical: AWS keys, private keys, JWT secrets
  • High: Generic passwords, connection strings
  • Medium: API keys (may be test data)
  • Low: Potential secrets requiring manual review

Step 2: False Positive Filtering

  • Apply baseline exclusions
  • Apply allowlist patterns (placeholders, test data, docs)
  • Mark filtered items as "excluded" with reason

Step 3: Build Report

  • Group findings by severity
  • Include file path, line number, pattern matched
  • Do NOT include actual secret values in report

Phase 4: Remediation Guidance

Step 1: Attach Remediation Actions

  • For each finding, attach remediation steps from references/remediation_guide.md
  • For Critical findings: emphasize immediate rotation requirement

Step 2: Return Results

  • Return structured findings list to orchestrator
  • Include summary: total scanned, total found, by severity
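The Phase 2 to Phase 4 steps above (normalize, classify, filter via baseline and allowlist, redact, build the summary) as an added Python example; it is not code from the skill or its repository, which ships no code on this page. It runs on a constructed gitleaks-style JSON report and baseline embedded inline, and the severity map and allowlist are illustrative assumptions standing in for the real tables in references/detection_patterns.md.

```python
import json
import re

# Hypothetical severity map keyed by gitleaks RuleID (the skill's real mapping is not on this page).
SEVERITY_BY_RULE = {"aws-access-token": "Critical", "private-key": "Critical", "jwt": "Critical",
                    "generic-password": "High", "connection-string": "High",
                    "generic-api-key": "Medium"}
# Constructed allowlist of placeholder/test-data shapes (not the skill's own list).
ALLOWLIST = [re.compile(p) for p in (r"EXAMPLE", r"^(CHANGEME|placeholder|xxx)")]

# Constructed gitleaks-style JSON report and .gitleaksbaseline; fingerprints are invented.
SAMPLE_REPORT = json.dumps([
    {"RuleID": "aws-access-token", "File": "config/prod.env", "StartLine": 3,
     "Secret": "AKIA" + "X" * 16, "Fingerprint": "config/prod.env:aws-access-token:3"},
    {"RuleID": "aws-access-token", "File": "docs/setup.md", "StartLine": 12,
     "Secret": "AKIAIOSFODNN7EXAMPLE", "Fingerprint": "docs/setup.md:aws-access-token:12"},
    {"RuleID": "generic-api-key", "File": "tests/fixtures.py", "StartLine": 8,
     "Secret": "sk_test_000000000000", "Fingerprint": "tests/fixtures.py:generic-api-key:8"},
])
SAMPLE_BASELINE = json.dumps([{"Fingerprint": "tests/fixtures.py:generic-api-key:8"}])


def redact(secret: str) -> str:
    """Rule 1: never emit the raw value; keep a 4-char locator, mask the rest."""
    return secret[:4] + "*" * max(len(secret) - 4, 0)


def normalize(report_json: str, baseline_json: str = "[]") -> list[dict]:
    """Phase 2/3: normalize to file, line, pattern, raw_match; classify; mark baseline
    and allowlist hits as excluded with a reason rather than dropping them."""
    baseline = {e["Fingerprint"] for e in json.loads(baseline_json)}
    findings = []
    for e in json.loads(report_json):
        f = {"file": e["File"], "line": e["StartLine"], "pattern": e["RuleID"],
             "raw_match": redact(e["Secret"]),
             "severity": SEVERITY_BY_RULE.get(e["RuleID"], "Low"), "excluded": None}
        if e["Fingerprint"] in baseline:
            f["excluded"] = "baseline"
        elif any(p.search(e["Secret"]) for p in ALLOWLIST):
            f["excluded"] = "allowlist"
        findings.append(f)
    return findings


def build_report(findings: list[dict]) -> dict:
    """Phase 3/4: group active findings by severity, flag Critical for rotation, summarize."""
    by_severity: dict[str, list] = {}
    for f in findings:
        if f["excluded"] is None:
            by_severity.setdefault(f["severity"], []).append({**f, "rotation_required": f["severity"] == "Critical"})
    return {"total_found": len(findings),
            "excluded": sum(f["excluded"] is not None for f in findings),
            "by_severity": {s: len(v) for s, v in by_severity.items()},
            "findings": by_severity}
```

Excluded items stay in the findings list with their reason so the orchestrator's summary still counts them, while only active findings appear under `findings`.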

Critical Rules

  1. Never log actual secret values - redact in all outputs
  2. Treat any found secret as compromised - rotation required for Critical
  3. Preserve baseline - do not remove existing baseline entries
  4. Pre-commit priority - recommend pre-commit hook if not configured
  5. Git history awareness - warn if secret may exist in history (requires git-filter-repo)

Definition of Done

  • [ ] Scan completed using available tool or manual patterns
  • [ ] Findings classified by severity
  • [ ] False positives filtered via baseline/allowlist
  • [ ] Remediation guidance attached to each finding
  • [ ] Report returned in normalized format (no raw secret values)
  • [ ] Critical findings flagged with rotation requirement

Reference Files

| File | Purpose |
|------|---------|
| references/detection_patterns.md | Secret patterns by confidence level |
| references/gitleaks_config_template.toml | Template for project gitleaks config |
| references/remediation_guide.md | Rotation procedures by secret type |


Version: 2.0.0
Last Updated: 2026-01-10