
secret-scanner

Scan a codebase for hardcoded secrets — API keys, tokens, private keys and passwords — using a custom regex + Shannon-entropy engine. Use when the user asks to "find secrets", "check for leaked credentials", "scan for API keys", do a pre-commit secret check, or audit a repo before making it public.
NovaCode37/claude-security-skills · ★ 8 · AI & Automation · score 74
Install: claude install-skill NovaCode37/claude-security-skills
# Secret Scanner

A dependency-free engine that finds committed credentials by combining **high-signal vendor regex rules** (AWS, GitHub, GCP, Stripe, OpenAI, Anthropic, Slack, …) with **Shannon-entropy gating** to catch generic secrets while keeping false positives low.

## When to use this skill

- "Are there any secrets / API keys committed in this repo?"
- "Scan this folder before I open-source it."
- Pre-commit / pre-push credential checks.
- Investigating a suspected leak.

## How to run it

The engine has **no third-party dependencies** — just Python 3.9+.

```bash
# Human-readable report (default)
python skills/secret-scanner/engine.py .

# Machine-readable JSON (pipe into other tooling)
python skills/secret-scanner/engine.py . --json

# Tune entropy sensitivity (lower = more findings)
python skills/secret-scanner/engine.py src/ --min-entropy 3.0

# Include test directories (skipped by default)
python skills/secret-scanner/engine.py . --include-tests
```

**Exit codes:** `0` clean · `1` findings present · `2` usage error. This makes it drop-in for CI: a non-zero exit fails the build.

## How to interpret results

Each finding reports `severity`, `rule_id`, `path:line:column`, a **redacted** preview of the value (never the full secret), and the measured entropy.

Severity guide:

- **critical** — live credential material (private keys, cloud secret keys, provider tokens). Rotate immediately.
- **high** — access key IDs, third-party API keys.
- **medium** — generic `pa
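To make the regex-plus-entropy design and the report fields concrete, here is a small scanner core written for this page. It is an added example, not the skill's own `engine.py`: the three vendor patterns, the generic assignment rule, the 3.5-bit default threshold, the prefix-only redaction and the severity labels are all illustrative assumptions, and the sample input is constructed (the AWS key in it is Amazon's documented placeholder key, not a live credential).

```python
"""Minimal secret-scanner core: vendor regex rules plus Shannon-entropy gating.

Added illustration for this page, not the skill's engine.py. Rule patterns,
thresholds, redaction and severity labels below are assumptions.
"""
import math
import re
import sys
from dataclasses import dataclass

# Vendor rules: (rule_id, severity, regex). Patterns are illustrative and
# modelled on publicly documented token prefixes; they are not the skill's rules.
VENDOR_RULES = [
    ("aws-access-key-id", "high", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", "critical", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private-key-block", "critical",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]

# Generic rule: a secret-like name assigned a quoted value of 8+ characters.
# Matches are only reported when the value's entropy clears the threshold.
GENERIC_ASSIGN = re.compile(
    r"(?i)\b(?:secret|token|password|passwd|api[_-]?key)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a 4-character prefix so the report never carries the full secret."""
    keep = min(4, len(value))
    return value[:keep] + "*" * (len(value) - keep)


@dataclass
class Finding:
    severity: str
    rule_id: str
    line: int      # 1-based
    column: int    # 1-based
    preview: str   # redacted
    entropy: float


def scan_text(text: str, min_entropy: float = 3.5) -> list[Finding]:
    """Run vendor rules first, then entropy-gated generic rules, per line."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        claimed = []  # spans already reported by a vendor rule
        for rule_id, severity, rx in VENDOR_RULES:
            for m in rx.finditer(line):
                val = m.group(0)
                findings.append(Finding(severity, rule_id, lineno, m.start() + 1,
                                        redact(val), round(shannon_entropy(val), 2)))
                claimed.append((m.start(), m.end()))
        for m in GENERIC_ASSIGN.finditer(line):
            val, start = m.group(1), m.start(1)
            if any(s <= start < e for s, e in claimed):
                continue  # vendor rule already owns this value
            ent = shannon_entropy(val)
            if ent < min_entropy:
                continue  # low entropy: placeholder or ordinary word, not a key
            findings.append(Finding("medium", "generic-high-entropy", lineno,
                                    start + 1, redact(val), round(ent, 2)))
    return findings


def exit_code(findings: list[Finding]) -> int:
    """CI contract: 0 clean, 1 findings present (2 is reserved for usage errors)."""
    return 1 if findings else 0


# Constructed sample input; the AKIA key is Amazon's documented example key.
SAMPLE = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
password = "changeme"
API_KEY = "xK9#mQ2vL8pR4tW7yZ1bN6cF3hJ5dG0s"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    found = scan_text(SAMPLE)
    for f in found:
        print(f"{f.severity:8} {f.rule_id:22} sample:{f.line}:{f.column} "
              f"{f.preview} (entropy {f.entropy})")
    sys.exit(exit_code(found))
```

Run as-is it reports the AWS key ID (high), the 32-character API key (medium, entropy 5.0 bits) and the private-key header (critical), skips `"changeme"` (2.75 bits) and exits 1. Calling `scan_text(SAMPLE, min_entropy=2.5)` is the equivalent of `--min-entropy`: `"changeme"` then becomes a fourth finding, which is exactly the false-positive trade-off the threshold controls.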