원클릭으로
check-no-secrets
Scans codebase for accidentally committed secrets, credentials, API keys, and sensitive data to prevent security breaches
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Scans codebase for accidentally committed secrets, credentials, API keys, and sensitive data to prevent security breaches
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
| name | check-no-secrets |
| description | Scans codebase for accidentally committed secrets, credentials, API keys, and sensitive data to prevent security breaches |
| user-invocable | true |
Scans codebase for accidentally committed secrets, credentials, API keys, and sensitive data. Prevents catastrophic security breaches.
Run this skill:
rg)# Run automated secret detection
./scripts/ci/validate-no-secrets.sh
# 1. Check for API keys
echo "🔑 Checking for API keys..."
rg -i "api[_-]?key.*=.*['\"][a-zA-Z0-9]{20,}" src/ --type rust -n
# 2. Check for passwords
echo "🔒 Checking for hardcoded passwords..."
rg -i "password.*=.*['\"][^'\"]{8,}" src/ --type rust -n | grep -v "example"
# 3. Check for tokens
echo "🎫 Checking for access tokens..."
rg -i "token.*=.*['\"][a-zA-Z0-9]{40,}" src/ --type rust -n
# 4. Check for database URLs
echo "🗄️ Checking for database URLs..."
rg "postgres://|mysql://|mongodb://" src/ --type rust -n
# 5. Check for OAuth secrets
echo "🔐 Checking for OAuth client secrets..."
rg "client_secret.*=.*['\"]" src/ --type rust -n | grep -v "env\|config"
# 6. Check for encryption keys
echo "🔓 Checking for hardcoded encryption keys..."
rg "const.*KEY.*=.*['\"][A-Za-z0-9+/=]{32,}" src/ --type rust -n
# 7. Check for AWS credentials
echo "☁️ Checking for AWS credentials..."
rg "AKIA[0-9A-Z]{16}" . -n
# 8. Check for private keys
echo "🗝️ Checking for private keys..."
rg "BEGIN.*PRIVATE.*KEY|BEGIN RSA PRIVATE KEY" . -n
# Check .env is not tracked
echo "📋 Checking .env files..."
git ls-files | rg "\.env$" && \
echo "❌ .env file tracked in git!" || \
echo "✓ No .env in git"
# Verify .env in .gitignore
grep -q "^\.env$" .gitignore && \
echo "✓ .env in .gitignore" || \
echo "⚠️ Add .env to .gitignore"
# Check for committed .env files
find . -name ".env" -type f | while read env_file; do
if git ls-files --error-unmatch "$env_file" 2>/dev/null; then
echo "❌ ALERT: $env_file is tracked in git!"
fi
done
// ❌ FORBIDDEN
const API_KEY: &str = "sk_live_51H9xK2...";
let api_key = "pk_test_abc123...";
// ✅ CORRECT
let api_key = env::var("API_KEY")
.map_err(|_| ConfigError::MissingApiKey)?;
// ❌ FORBIDDEN
let client_secret = "your-client-secret-here";
// ✅ CORRECT
let client_secret = env::var("STRAVA_CLIENT_SECRET")
.map_err(|_| ConfigError::MissingStravaSecret)?;
// ❌ FORBIDDEN
const DATABASE_URL: &str = "postgres://user:password@localhost/db";
// ✅ CORRECT
let database_url = env::var("DATABASE_URL")
.map_err(|_| ConfigError::MissingDatabaseUrl)?;
# Check for secrets/tokens logged without redaction
echo "📋 Checking log statements for leaked secrets..."
# Look for access_token, refresh_token, api_key, password logged directly
rg "(info!|warn!|error!|debug!|trace!)\(.*\{.*(access_token|refresh_token|api_key|password|client_secret|authorization)" src/ --type rust -n | \
rg -v "redact|REDACTED|\\*\\*\\*|mask" && \
echo "❌ SECURITY: Secrets in log statements without redaction!" || \
echo "✓ No unredacted secrets in log statements"
# Check for PII in INFO+ level logs (should be DEBUG only)
echo "📋 Checking PII in log levels..."
rg "(info!|warn!|error!)\(.*\{.*(email|ip_address|user_agent)" src/ --type rust -n | \
rg -v "redact|REDACTED|mask" && \
echo "⚠️ PII in INFO+ logs (should be DEBUG or redacted)" || \
echo "✓ PII properly handled in log levels"
# Verify redaction middleware is active
rg "redact|sanitize.*log|PiiRedact" src/ --type rust -n | wc -l
echo "Redaction function references (should be >0)"
scripts/ci/validate-no-secrets.sh - Secret detection script.gitignore - Excludes .env and sensitive files.env.example - Template for environment variablesbook/src/configuration.md - Configuration documentationvalidate-architecture - Architectural validationstrict-clippy-check - Code qualityUse when designing prompts for LLMs, optimizing model performance, building evaluation frameworks, or implementing advanced prompting techniques like chain-of-thought, few-shot learning, or structured outputs.
How to deploy Dravr infrastructure and apply Cloud Run config changes. Use when editing infra/ terraform, when a merged code change is live but a Cloud Run setting (cpu, memory, min/max instances, env var, scaling) hasn't taken effect, or when asked to plan/apply infra. Explains the two-pipeline model (app binary auto-deploys on push; terraform infra config is a separate manual apply) plus the cpu/cpu_idle guardrails.
Enforces zero-tolerance code quality policy using Clippy with strict lints, all warnings treated as errors
Write well-formatted notes to the dravr-vault Obsidian knowledge base. Use this skill whenever creating or updating an ADR, runbook, plan, API doc, guide, session output, or any structured document that should land in the vault — even when the user doesn't say "Obsidian" explicitly. Delegates to obsidian:obsidian-cli to write to the live vault and applies Dravr frontmatter and formatting standards.
Bootstrap Pierre server with database, admin user, coaches, and test users for development and testing
Validates coach markdown files for required frontmatter fields, sections, and naming conventions