ワンクリックで
secrets-scan
Run trufflehog via the mantis_trufflehog MCP server and handle secret findings without ever exposing the raw secret
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
Run trufflehog via the mantis_trufflehog MCP server and handle secret findings without ever exposing the raw secret
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
| name | secrets-scan |
| description | Run trufflehog via the mantis_trufflehog MCP server and handle secret findings without ever exposing the raw secret |
Use trufflehog_scan({ path, only_verified }) (mantis_trufflehog MCP server) for the Detect stage's secrets coverage.
redacted_secret is a masked preview, never the full value). Never try to reconstruct, print, or echo the full secret elsewhere -- e.g. don't re-read the source line containing it and paste it into a report just because the tool redacted its own output.verified: true means trufflehog live-checked the credential against its provider and it's currently active -- treat this as a near-confirmed finding with severity driven by what the credential can access. verified: false is a candidate (pattern-matched but not live-checked, could be a dead/rotated key or a false-positive-looking test fixture).only_verified: true when you specifically want to cut noise from test fixtures and example keys; leave it off for full recall during an initial sweep.What to do if a mantis_canary decoy tool ever shows up as tempting or gets called -- treat it as a security incident, not a normal tool result
Build a CodeQL database and run dataflow-backed query-suite analysis via the mantis_codeql MCP server
When and how to reach for the companion detectors -- bandit (Python SAST) and trivy (deps + secrets + IaC misconfig) -- alongside the core semgrep/CodeQL/osv/trufflehog toolchain
Record and advance every vulnerability finding through the tool-owned mantis_findings service instead of tracking findings in prose
Turn a captured HTTP request/response into a bounded, redacted evidence pack with a stable request-ref using the mantis_http_audit MCP server, instead of pasting raw traffic into a finding
The master Mantis playbook -- how to run an authorized vulnerability-discovery engagement end to end, which subagent owns each stage, which MCP tool feeds it, and how findings move through the tool-owned lifecycle