Detect hardcoded credentials, API keys, tokens, and secrets in source code and configuration files. Use when reviewing code for leaked secrets before commit/merge, auditing a repository for credential exposure, or setting up secret detection.
설치
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
Detect hardcoded credentials, API keys, tokens, and secrets in source code and configuration files. Use when reviewing code for leaked secrets before commit/merge, auditing a repository for credential exposure, or setting up secret detection.
license
CC-BY-4.0
Secrets Scan
Detect hardcoded secrets by following the full procedure in plays/secrets-scan.md.
Steps
Run Automated Scanner — Use available tools in preference order:
Contextual Analysis — For each detection: Is it real (not a placeholder/test fixture)? Is it active? What's the blast radius (service, permissions, prod vs dev, exposure duration)?
Check Preventive Controls — Verify: .gitignore covers sensitive files, pre-commit hooks for secret scanning, CI pipeline scanning, secrets management documentation.
Important: Never include actual secret values in findings. Show redacted versions only (e.g., AKIA****EXAMPLE). Active production secrets require immediate rotation.
Output
Scan summary, findings using templates/finding.md, preventive controls checklist, and immediate rotation actions if needed.
OWASP References
A07:2021: Identification and Authentication Failures
CWE-798: Use of Hard-coded Credentials
CWE-312: Cleartext Storage of Sensitive Information