Detect hardcoded credentials, API keys, tokens, and secrets in source code and configuration files. Use when reviewing code for leaked secrets before commit/merge, auditing a repository for credential exposure, or setting up secret detection.
Instalación
Instalar con Codex o Claude Copia este prompt, pégalo en Codex, Claude u otro asistente, y deja que revise la página de la skill y la instale por ti.
Detect hardcoded credentials, API keys, tokens, and secrets in source code and configuration files. Use when reviewing code for leaked secrets before commit/merge, auditing a repository for credential exposure, or setting up secret detection.
license
CC-BY-4.0
Secrets Scan
Detect hardcoded secrets by following the full procedure in plays/secrets-scan.md.
Steps
Run Automated Scanner — Use available tools in preference order:
Contextual Analysis — For each detection: Is it real (not a placeholder/test fixture)? Is it active? What's the blast radius (service, permissions, prod vs dev, exposure duration)?
Check Preventive Controls — Verify: .gitignore covers sensitive files, pre-commit hooks for secret scanning, CI pipeline scanning, secrets management documentation.
Important: Never include actual secret values in findings. Show redacted versions only (e.g., AKIA****EXAMPLE). Active production secrets require immediate rotation.
Output
Scan summary, findings using templates/finding.md, preventive controls checklist, and immediate rotation actions if needed.
OWASP References
A07:2021: Identification and Authentication Failures
CWE-798: Use of Hard-coded Credentials
CWE-312: Cleartext Storage of Sensitive Information