Detect hardcoded credentials, API keys, tokens, and secrets in source code and configuration files. Use when reviewing code for leaked secrets before commit/merge, auditing a repository for credential exposure, or setting up secret detection.
Installation
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Detect hardcoded credentials, API keys, tokens, and secrets in source code and configuration files. Use when reviewing code for leaked secrets before commit/merge, auditing a repository for credential exposure, or setting up secret detection.
license
CC-BY-4.0
Secrets Scan
Detect hardcoded secrets by following the full procedure in plays/secrets-scan.md.
Steps
Run Automated Scanner — Use available tools in preference order:
Contextual Analysis — For each detection: Is it real (not a placeholder/test fixture)? Is it active? What's the blast radius (service, permissions, prod vs dev, exposure duration)?
Check Preventive Controls — Verify: .gitignore covers sensitive files, pre-commit hooks for secret scanning, CI pipeline scanning, secrets management documentation.
Important: Never include actual secret values in findings. Show redacted versions only (e.g., AKIA****EXAMPLE). Active production secrets require immediate rotation.
Output
Scan summary, findings using templates/finding.md, preventive controls checklist, and immediate rotation actions if needed.
OWASP References
A07:2021: Identification and Authentication Failures
CWE-798: Use of Hard-coded Credentials
CWE-312: Cleartext Storage of Sensitive Information