tenet-secretslisted

# Tenet Secrets > Detects hardcoded secrets, committed credential files, and weak secret generation patterns across the codebase and git history. ## Purpose This skill scans for hardcoded secrets that should never appear in version control. It combines deterministic toolchain output (gitleaks, trufflehog, trivy) with targeted regex scanning for common secret formats. The cardinal rule: **any hardcoded production-looking secret is ALWAYS critical severity** regardless of context. ## Language Support Matrix ```yaml support: native: [all] note: "Secrets can appear in any text file. This skill scans all committed files regardless of language." ``` ## Toolchain Inputs | File | Required | Notes | |---|---|---| | `.healthcheck/toolchain/gitleaks.json` | **Yes** (fail if missing) | Primary signal — most comprehensive secret detection | | `.healthcheck/toolchain/trufflehog.json` | No (secondary signal) | Complements gitleaks with entropy-based detection | | `.healthcheck/toolchain/trivy.json` | No (secondary signal) | Catches secrets in container images and IaC | | `.healthcheck/toolchain/language-census.json` | Yes | Determines repo scope | **If `gitleaks.json` is missing, the skill MUST fail with an actionable error:** ``` ERROR: gitleaks.json not found at .healthcheck/toolchain/gitleaks.json gitleaks is a required tool for the secrets dimension. Run the toolchain first: /tenet-skills:tenet-toolchain If gitleaks is not installed: brew install gitleaks (macOS) or see htt