Menu
Use when the user asks to "scan for secrets", "detect credentials", "sanitize sensitive data", "check for exposed passwords", "run security gate G0", or mentions secret detection, credential scanning, security gate G0, sensitive data masking, API key exposure, token detection.
Redacta agradecimientos post-proceso diferenciados por persona, evidencia de interaccion, voz de marca y lint offline contra FOMO, hustle, servilismo y promesas no verificables.
Optimiza CV y carta de presentacion para ATS, rol objetivo y voz de marca con lint offline de keywords, secciones, longitud, contacto y tono.
Cosecha aprendizajes, valida evidencia y produce un cierre de conversacion reproducible con handoff, riesgos y plan de actualizaciones durables.
Orchestrates JM-ADK Alfa repository maintenance in fixed safety phases: bootstrap, repo sync audit, local state preservation, isolated branch planning, selective import or consolidation planning, cleanup planning, validation gates, and closeout blockers.
Validates plugin directory layout against the official Claude Code plugin spec. Triggers: validate structure, check layout, directory audit, plugin skeleton check.
Validates frontmatter and body structure of all skills, agents, and commands in a plugin. Triggers: validate components, check frontmatter, component audit, skill validation.
| name | secrets-sanitization |
| version | 1.0.0 |
| description | Use when the user asks to "scan for secrets", "detect credentials", "sanitize sensitive data", "check for exposed passwords", "run security gate G0", or mentions secret detection, credential scanning, security gate G0, sensitive data masking, API key exposure, token detection. |
| allowed-tools | ["Read","Glob","Grep","Bash"] |
TL;DR: Scans project artifacts for exposed credentials, API keys, passwords, tokens, and sensitive data. Implements Gate G0: no pipeline execution proceeds with unmasked secrets. Detects patterns across configuration files, documents, and code artifacts, then masks or flags findings for remediation.
assets/secrets-report-contract.json defines the G0 report shape.assets/token-pattern-policy.json defines token-like patterns that must be masked.assets/g0-block-policy.json defines hard-stop behavior for unmasked secrets.scripts/validate_secrets_sanitization_report.py validates reports offline.scripts/check.sh runs positive and negative fixtures.Fail closed when a report claims pass while a critical finding is unresolved, a token-like value is unmasked, or evidence is missing. [EXPLICIT]
Un solo secreto expuesto puede comprometer todo el proyecto. Gate G0 es un hard stop: si se detectan credenciales sin enmascarar en cualquier artefacto del proyecto, el pipeline se detiene hasta que se remedien. La seguridad no es una fase — es una precondición. [EXPLICIT]
# Full secrets scan of project workspace
/pm:secrets-sanitization $ARGUMENTS="--path /project/workspace"
# Scan specific file types only
/pm:secrets-sanitization --type targeted --glob "**/*.{md,yaml,json,env}"
# Remediation verification after masking
/pm:secrets-sanitization --type verify --baseline scan-report-v1.md
Parameters:
| Parameter | Required | Description |
|---|---|---|
$ARGUMENTS | Yes | Path to project workspace |
--type | No | full (default), targeted, verify |
--glob | No | File pattern to scan |
--baseline | No | Previous scan report for verification |
--severity | No | Minimum severity to report: critical, high, medium |
{TIPO_PROYECTO} variants:
**/*.{env,yaml,yml,json,conf,cfg,properties} to identify configuration files [PLAN]**/*.{md,txt,doc} to identify documentation files that may contain credentials [PLAN]AKIA, sk-, ghp_, Bearer) as initial indicators [PLAN]git log scan or BFG Repo-Cleaner for historical secrets [SUPUESTO]. [EXPLICIT]Good example — Thorough G0 scan:
| Attribute | Value |
|---|---|
| Files scanned | 342 files across 12 file types |
| Findings | 3 findings: 1 Critical, 1 High, 1 Medium |
| False positive rate | 2 false positives identified and filtered |
| Remediation | Specific steps per finding with owner assigned |
| Gate decision | FAIL — Critical finding requires remediation before proceed |
| Report | Findings described without exposing actual secrets |
Bad example — Superficial scan:
Scan of only .env files, ignoring documentation, YAML, and JSON. No severity classification, no context analysis. A narrow scan gives false confidence — secrets hide in unexpected places (README examples, CI configs, integration docs). [EXPLICIT]
| Resource | When to Read | Location |
|---|---|---|
| Body of Knowledge | Secret detection patterns and tools | references/body-of-knowledge.md |
| State of the Art | Modern secrets management practices | references/state-of-the-art.md |
| Knowledge Graph | G0 gate in pipeline security | references/knowledge-graph.mmd |
| Use Case Prompts | Secret scanning scenarios | prompts/use-case-prompts.md |
| Metaprompts | Custom detection pattern design | prompts/metaprompts.md |
| Sample Output | Reference G0 scan report | examples/sample-output.md |