secrets-scan
Install: claude install-skill backspace-shmackspace/claude-devkit
# /secrets-scan Workflow
## Role
This skill is a **pipeline coordinator**. It orchestrates a sequential, pattern-based secrets detection workflow: grep/regex scanning is delegated to Bash, and synthesis of the results is delegated to analysis tasks. It does NOT require external tools such as trufflehog or gitleaks; all scanning uses built-in grep patterns, so the skill is self-contained and deployable anywhere Claude Code runs. The trade-off is that fixed patterns only catch secrets whose format is known in advance (prefixed API keys, PEM blocks, credential assignments); a random high-entropy string with no recognisable prefix will not be flagged, so treat this as a fast gate, not a replacement for a dedicated scanner.
**Zero tolerance policy:** Any confirmed secret detected results in a BLOCKED verdict. There is no passing threshold — secrets in code are a critical finding.
**Report redaction rule:** This skill NEVER includes actual secret values in reports. Reports show secret type, file path, and line number only. Pattern matches are redacted to show type and location: e.g., "AWS Access Key at `src/config.js:42`".
## Inputs
- Scan scope: `$ARGUMENTS`
  - `staged` (default) — scan git staged files only (pre-commit gate)
  - `all` — scan entire working directory
  - `history` — scan git commit history (use for post-incident review)
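The following is an added example, not the skill's own code, of what the scanning and redaction steps above look like when written as plain POSIX shell functions: one function per scope (`staged`, `all`, `history`), a shared `scan_file` that emits only `<Type> at <path>:<line>`, and a non-zero exit status whenever anything matches (the zero-tolerance verdict). The pattern list, the function names and the `run_scan` dispatcher are assumptions made for this example; the patterns are illustrative, not an exhaustive ruleset. Note that the `staged` scope reads the index via `git show :path` rather than the working tree, because the two can differ after `git add -p` or edits made after staging.

```bash
#!/bin/sh
# Added example (not the skill's own code): grep-only secret scan with
# redacted output. Findings are "<Type> at <location>" only; the matched
# value is never printed. Exit status 1 = BLOCKED, 0 = clean.

# One pattern per line: <type>|<extra grep flags>|<ERE>. The ERE may itself
# contain '|' because `read` hands the remainder of the line to its last var.
# These patterns are an illustrative assumption, not an exhaustive ruleset.
secret_patterns() {
  cat <<'EOF'
AWS Access Key||AKIA[0-9A-Z]{16}
GitHub Token||gh[pousr]_[A-Za-z0-9]{36}
Slack Token||xox[baprs]-[0-9A-Za-z-]{10,}
Private Key Block||-----BEGIN ([A-Z]+ )?PRIVATE KEY-----
Generic credential assignment|-i|(api[_-]?key|secret|password|token)[[:space:]]*[:=][[:space:]]*["']?[A-Za-z0-9_/+=-]{16,}
EOF
}

# scan_file <label> <file>: print redacted findings for one file.
# <label> is the repo path shown in the report; <file> is what is actually
# read (it may be a temp copy of staged content). Returns 0 when clean,
# 1 when at least one pattern matched.
scan_file() {
  label=$1
  path=$2
  findings=$(secret_patterns | while IFS='|' read -r name flags re; do
    [ -n "$re" ] || continue
    # grep -n prints "<line>:<content>"; cut keeps only the line number,
    # so the secret value itself never reaches the report. -I skips binaries.
    grep -E -n -I $flags -e "$re" -- "$path" 2>/dev/null | cut -d: -f1 |
      while IFS= read -r lineno; do
        printf '%s at %s:%s\n' "$name" "$label" "$lineno"
      done
  done)
  [ -n "$findings" ] || return 0
  printf '%s\n' "$findings"
  return 1
}

# Scope "staged": scan index content (what will actually be committed),
# not the working tree. Deleted paths are excluded by --diff-filter.
scan_staged() {
  tmp=$(mktemp)
  findings=$(git diff --cached --name-only --diff-filter=ACMR | while IFS= read -r p; do
    git show ":$p" >"$tmp" 2>/dev/null || continue   # skip submodules etc.
    scan_file "$p" "$tmp" || true
  done)
  rm -f "$tmp"
  [ -n "$findings" ] || return 0
  printf '%s\n' "$findings"
  return 1
}

# Scope "all": every tracked file plus untracked files not covered by .gitignore.
scan_all() {
  findings=$(git ls-files --cached --others --exclude-standard | while IFS= read -r p; do
    if [ -f "$p" ]; then scan_file "$p" "$p" || true; fi
  done)
  [ -n "$findings" ] || return 0
  printf '%s\n' "$findings"
  return 1
}

# Scope "history": search every reachable commit with git grep. Output is
# "<rev>:<path>:<line>"; the same blob is reported once per commit that
# contains it, and very deep histories may need rev-list batching.
scan_history() {
  findings=$(secret_patterns | while IFS='|' read -r name flags re; do
    [ -n "$re" ] || continue
    git grep -I -E -n $flags -e "$re" $(git rev-list --all) 2>/dev/null | cut -d: -f1-3 |
      while IFS= read -r loc; do printf '%s at %s\n' "$name" "$loc"; done
  done)
  [ -n "$findings" ] || return 0
  printf '%s\n' "$findings"
  return 1
}

# run_scan [staged|all|history]: dispatch on the scope word the skill
# receives in $ARGUMENTS. Returns 2 on an unknown scope.
run_scan() {
  case "${1:-staged}" in
    staged)  scan_staged ;;
    all)     scan_all ;;
    history) scan_history ;;
    *) echo "usage: secrets-scan [staged|all|history]" >&2; return 2 ;;
  esac
}
```

To use it as a pre-commit hook, append `run_scan "${1:-staged}"` as the last line and let the hook propagate the exit status; a non-zero status is the BLOCKED verdict. The 16-character minimum on the generic assignment pattern is what keeps short placeholders such as `password = "changeme"` from tripping the gate, which is a deliberate trade-off: lower it and you get more noise, raise it and you miss shorter real credentials.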
## Step 0 — Pre-flight checks
Tool: `Bash` (direct — coordinator does this)
```bash
TIMESTAMP=$(date -u +"%Y%m%dT%H%M%SZ")
echo "Secrets scan run: $TIMESTAMP"
# Verify we are in a git repository
if ! git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
  echo "ERROR: Not inside a git repository. /secrets-scan requires git."
  exit 1
fi
# Determine scope from arguments: staged (default), all, or history
SCOPE="${1:-staged}"
if [ "$SCOPE" != "staged" ] && [ "$SCOPE" != "all" ] && [ "$SCOPE" != "history" ]; then
  echo "ERROR: Unknown scope '$SCOPE'. Expected one of: staged, all, history."
  exit 1
fi
echo "Scope: $SCOPE"
```