Detect hardcoded credentials, API keys, tokens, and secrets in source code and configuration files. Use when reviewing code for leaked secrets before commit/merge, auditing a repository for credential exposure, or setting up secret detection.
Instalação
Instalar com Codex ou Claude Copie este prompt, cole no Codex, Claude ou outro assistente e deixe que ele revise a página da skill e instale para você.
Detect hardcoded credentials, API keys, tokens, and secrets in source code and configuration files. Use when reviewing code for leaked secrets before commit/merge, auditing a repository for credential exposure, or setting up secret detection.
license
CC-BY-4.0
Secrets Scan
Detect hardcoded secrets by following the full procedure in plays/secrets-scan.md.
Steps
Run Automated Scanner — Use available tools in preference order:
Contextual Analysis — For each detection: Is it real (not a placeholder/test fixture)? Is it active? What's the blast radius (service, permissions, prod vs dev, exposure duration)?
Check Preventive Controls — Verify: .gitignore covers sensitive files, pre-commit hooks for secret scanning, CI pipeline scanning, secrets management documentation.
Important: Never include actual secret values in findings. Show redacted versions only (e.g., AKIA****EXAMPLE). Active production secrets require immediate rotation.
Output
Scan summary, findings using templates/finding.md, preventive controls checklist, and immediate rotation actions if needed.
OWASP References
A07:2021: Identification and Authentication Failures
CWE-798: Use of Hard-coded Credentials
CWE-312: Cleartext Storage of Sensitive Information