secret-scanner
扫描文件、存储库和目录以查找泄露的机密 — API 密钥、令牌、密码、连接字符串、私钥和凭据。检测所有主要云提供商和服务中的 40 多种秘密模式。
安装 / 下载方式
TotalClaw CLI推荐
totalclaw install totalclaw:totalclaw~nirwandogra-nirwan-secret-scannercURL直接下载,无需登录
curl -fsSL https://skills.taituai.com/api/skills/totalclaw%3Atotalclaw~nirwandogra-nirwan-secret-scanner/file -o nirwandogra-nirwan-secret-scanner.md## 概述(中文) 扫描文件、存储库和目录以查找泄露的机密 — API 密钥、令牌、密码、连接字符串、私钥和凭据。检测所有主要云提供商和服务中的 40 多种秘密模式。 ## 原文 # Secret Scanner Security skill that scans code, config files, and repos for accidentally leaked secrets and credentials. ## When to Use This Skill Use this skill when the user: - Asks to "check for leaked secrets" or "scan for API keys" - Wants to audit a repo or folder before committing or publishing - Says "are there any hardcoded passwords in this code?" - Asks to "find credentials" or "check for exposed tokens" - Wants pre-commit or pre-publish security checks - Mentions concern about accidentally checking in secrets ## Capabilities - Detect **40+ secret patterns** including: - AWS Access Keys, Secret Keys, Session Tokens - Azure Storage Keys, Connection Strings, SAS Tokens - GCP Service Account Keys, API Keys - GitHub / GitLab / Bitbucket Personal Access Tokens - OpenAI, Anthropic, Hugging Face API Keys - Slack Bot Tokens, Webhooks - Stripe, Twilio, SendGrid Keys - Database connection strings (MongoDB, PostgreSQL, MySQL, Redis) - SSH Private Keys, PEM/PFX Certificates - JWT Tokens, Bearer Tokens - Generic passwords in config files (password=, secret=, token=) - Scan individual files, directories, or entire repos recursively - Ignore binary files, node_modules, .git, and other non-relevant paths - Output results as Markdown report or JSON - Provide severity ratings (Critical, High, Medium, Low) - Suggest remediation for each finding ## How to Scan ### Scan a directory ```bash python secret_scanner.py /path/to/project ``` ### Scan with JSON output ```bash python secret_scanner.py /path/to/project --json ``` ### Scan and save report ```bash python secret_scanner.py /path/to/project --output report.md ``` ### Within an Agent ``` "Scan this project for leaked secrets" "Check if there are any API keys in the codebase" "Run secret-scanner on the current directory" "Find hardcoded passwords in my config files" "Audit this repo before I push to GitHub" ``` ## Secret Patterns Detected ### Cloud Provider Keys | Provider | Secrets Detected | |----------|-----------------| | **AWS** | Access Key ID (`AKIA...`), Secret Access Key, Session Token | | **Azure** | Storage Account Key, Connection String, SAS Token, Client Secret | | **GCP** | API Key (`AIza...`), Service Account JSON, OAuth Client Secret | ### AI / LLM Keys | Service | Pattern | |---------|---------| | **OpenAI** | `sk-` prefixed API keys | | **Anthropic** | `sk-ant-` prefixed keys | | **Hugging Face** | `hf_` prefixed tokens | | **Cohere** | API keys in config | ### Developer Platforms | Platform | Secrets Detected | |----------|-----------------| | **GitHub** | `ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_` tokens | | **GitLab** | `glpat-` tokens | | **Slack** | `xoxb-`, `xoxp-`, `xoxs-` tokens, webhook URLs | | **Stripe** | `sk_live_`, `sk_test_`, `rk_live_` keys | | **Twilio** | Account SID, Auth Token | | **SendGrid** | `SG.` prefixed API keys | ### Databases & Infrastructure | Type | Pattern | |------|---------| | **MongoDB** | `mongodb://` or `mongodb+srv://` with credentials | | **PostgreSQL** | `postgresql://` with embedded password | | **MySQL** | `mysql://` with embedded password | | **Redis** | `redis://` with password | | **SSH** | `-----BEGIN (RSA\|EC\|OPENSSH) PRIVATE KEY-----` | | **Certificates** | PEM, PFX, P12 with embedded keys | ### Generic Patterns | Pattern | Description | |---------|-------------| | **password=** | Hardcoded passwords in config/env files | | **secret=** | Hardcoded secrets | | **token=** | Hardcoded tokens | | **Bearer** | Bearer tokens in code | | **Basic Auth** | Base64-encoded basic auth headers | | **JWT** | `eyJ` prefixed JWT tokens | | **High Entropy** | Long random strings that look like secrets | ## Severity Levels | Severity | Description | Examples | |----------|-------------|----------| | 🔴 **Critical** | Active production credentials | AWS Secret Key, Private Keys, DB passwords | | 🟠 **High** | Service tokens with broad access | GitHub PAT, Slack Bot Token, Stripe Live Key | | 🟡 **Medium** | Keys that may be test/dev | Test API keys, example tokens | | 🟢 **Low** | Potential false positives | Generic password= in comments, placeholder values | ## Files Scanned Scans these file types by default: - Source code: `.py`, `.js`, `.ts`, `.java`, `.go`, `.rb`, `.php`, `.cs`, `.rs` - Config: `.json`, `.yaml`, `.yml`, `.toml`, `.ini`, `.cfg`, `.conf` - Environment: `.env`, `.env.local`, `.env.production` - Shell: `.sh`, `.bash`, `.zsh`, `.ps1` - Docs: `.md`, `.txt` - Other: `Dockerfile`, `docker-compose.yml`, `Makefile` ## Ignored Paths Automatically skips: - `node_modules/`, `vendor/`, `venv/`, `.venv/` - `.git/`, `.svn/` - `__pycache__/`, `.pytest_cache/` - Binary files, images, compiled outputs - `package-lock.json`, `yarn.lock` ## Remediation Guidance When secrets are found, the skill recommends: 1. **Rotate the secret immediately** — assume it's compromised 2. **Remove from code** — use environment variables or a secrets manager instead 3. **Add to .gitignore** — prevent `.env` and credential files from being committed 4. **Use git-filter-repo** — to remove secrets from git history 5. **Enable pre-commit hooks** — to catch secrets before they're committed ## Requirements - Python 3.7+ - No additional dependencies (uses Python standard library) ## Entry Point - **CLI:** `secret_scanner.py` ## Tags #security #secrets #credentials #api-keys #tokens #passwords #scanner #audit #pre-commit #leak-detection #cloud #aws #azure #gcp #devops