
check-secrets

Scan the codebase for potential secret leaks including API keys, tokens, passwords, hardcoded project IDs, and sensitive identifiers. Use when the user says "check for secrets", "scan for leaks", "security check", or before committing sensitive changes.
koborin-ai/site · ★ 9 · AI & Automation · score 79
Install: claude install-skill koborin-ai/site
# check-secrets

Scan the codebase for potential secret leaks before commits.

## Trigger Examples

- "Check for secrets"
- "Scan for leaks"
- "Security check"
- "Are there any hardcoded secrets?"

## Execution Flow

### 1. Define Detection Patterns

**High-risk patterns:**

- API keys: `['\"]?[A-Z0-9_]{20,}['\"]?`
- Bearer tokens: `Bearer\s+[A-Za-z0-9\-._~+/]+=*`
- Private keys: `-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----`
- OAuth secrets: `client_secret['\"]?\s*[:=]\s*['\"]?[A-Za-z0-9\-_]{20,}`
- GCP service account keys: `"type":\s*"service_account"`
- AWS credentials: `AKIA[0-9A-Z]{16}`

**Project-specific patterns:**

- Hardcoded project IDs: `koborin-ai` (outside of variable assignments or docs)
- Email addresses: `@koborin\.ai`

**Safe patterns (excluded):**

- Environment variable references: `process.env.`, `$\{`, `TF_VAR_`
- Placeholder values: `<PROJECT_ID>`, `YOUR_API_KEY`, `dummy`, `example`
- Test fixtures: files under `__tests__/`, `*.test.ts`, `*.spec.ts`

### 2. Scan the Codebase

Use `git ls-files` to get tracked files:

```bash
git ls-files | grep -v -E '\.(png|jpg|jpeg|gif|svg|woff|woff2|ttf|eot|ico|pdf)$' | \
  grep -v -E '^(node_modules|\.next|dist|build|coverage)/'
```

### 3. Filter False Positives

Remove known safe occurrences:

- Lines containing `process.env.` or `TF_VAR_`
- Template files (`.env.example`, `.env.template`)
- Lines with placeholder patterns (`<...>`, `YOUR_...`, `REPLACE_ME`)

### 4. Categorize Findings

**Critical (immediate a
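Steps 1 to 3 of the flow above, as one runnable scanner. This is an added example written for this page, not code from the koborin-ai/site project or the skill itself: the regexes are the ones the skill lists, while the `Finding` type, the `--git` flag, and the `SAMPLE_FILES` contents (including every key and token value in them) are constructed for the demo. The skill's "outside of variable assignments or docs" exclusion for project IDs is narrowed here to skipping Markdown files; the assignment part is left to the reviewer.

```python
"""Secret scanner following check-secrets steps 1-3 (added example, not project code)."""
import re
import subprocess
import sys
from typing import Dict, List, NamedTuple

# Step 1: detection patterns, verbatim from the skill description.
HIGH_RISK = {
    "api_key": re.compile(r"['\"]?[A-Z0-9_]{20,}['\"]?"),
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9\-._~+/]+=*"),
    "private_key": re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "oauth_secret": re.compile(r"client_secret['\"]?\s*[:=]\s*['\"]?[A-Za-z0-9\-_]{20,}"),
    "gcp_service_account": re.compile(r'"type":\s*"service_account"'),
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
}
PROJECT_SPECIFIC = {
    "project_id": re.compile(r"koborin-ai"),
    "email": re.compile(r"@koborin\.ai"),
}
# Step 3: env-var references and placeholders mark a line as a known safe occurrence.
SAFE_LINE = re.compile(r"process\.env\.|\$\{|TF_VAR_|<[A-Z_]+>|YOUR_[A-Z_]+|REPLACE_ME")
SAFE_WORDS = re.compile(r"dummy|example", re.IGNORECASE)
# Step 2: the same exclusions as the skill's two grep -v filters.
BINARY_EXT = re.compile(r"\.(png|jpg|jpeg|gif|svg|woff|woff2|ttf|eot|ico|pdf)$")
IGNORED_DIRS = re.compile(r"^(node_modules|\.next|dist|build|coverage)/")


class Finding(NamedTuple):
    path: str
    line: int
    category: str   # "high-risk" or "project-specific"
    pattern: str
    evidence: str   # redacted match, so the report itself does not leak the value


def redact(match: str) -> str:
    """Keep a short prefix for triage and mask the rest."""
    return match[:6] + "*" * max(len(match) - 6, 0)


def is_excluded_path(path: str) -> bool:
    """Test fixtures (step 1) and .env templates (step 3) are skipped whole."""
    parts = path.split("/")
    return ("__tests__" in parts
            or path.endswith((".test.ts", ".spec.ts"))
            or parts[-1] in (".env.example", ".env.template"))


def is_safe_line(line: str) -> bool:
    return bool(SAFE_LINE.search(line) or SAFE_WORDS.search(line))


def scan_text(path: str, text: str) -> List[Finding]:
    """Run every pattern over every line of one file, applying the safe-list filters."""
    found: List[Finding] = []
    if is_excluded_path(path):
        return found
    is_doc = path.endswith(".md")   # assumption: Markdown counts as "docs" for project IDs
    for lineno, line in enumerate(text.splitlines(), start=1):
        if is_safe_line(line):
            continue
        for name, rx in HIGH_RISK.items():
            m = rx.search(line)
            if m:
                found.append(Finding(path, lineno, "high-risk", name, redact(m.group(0))))
        for name, rx in PROJECT_SPECIFIC.items():
            if name == "project_id" and is_doc:
                continue
            m = rx.search(line)
            if m:
                found.append(Finding(path, lineno, "project-specific", name, redact(m.group(0))))
    return found


def scan_files(files: Dict[str, str]) -> List[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def tracked_files() -> List[str]:
    """Step 2: git-tracked files minus binaries and build output."""
    out = subprocess.run(["git", "ls-files"], check=True, capture_output=True, text=True).stdout
    return [p for p in out.splitlines() if not BINARY_EXT.search(p) and not IGNORED_DIRS.search(p)]


# Constructed sample repository; the key/token strings are made up for this example.
SAMPLE_FILES = {
    "src/config.ts": "const apiKey = process.env.API_KEY;\n"
                     "const fallbackKey = 'AKIAZZ0000FAKE00TEST';\n",
    "src/auth.ts": "const client_secret = 'abcdefghijklmnopqrstuvwxyz012345';\n"
                   "const AUTH = 'Bearer eyJhbGciOiJIUzI1NiJ9.constructed.token';\n",
    "infra/sa.json": '{"type": "service_account", "project_id": "koborin-ai"}\n',
    ".env.example": "OPENAI_API_KEY=YOUR_API_KEY_HERE\n",
    "src/__tests__/auth.test.ts": "const secret = 'AKIAZZ0000FAKE00TEST';\n",
    "README.md": "Contact: security@koborin.ai\n",
}


def main(argv: List[str]) -> int:
    if "--git" in argv:
        files = {p: open(p, encoding="utf-8", errors="replace").read() for p in tracked_files()}
    else:
        files = SAMPLE_FILES
    findings = scan_files(files)
    for f in findings:
        print(f"{f.category:17}{f.pattern:21}{f.path}:{f.line}  {f.evidence}")
    return 1 if findings else 0   # non-zero exit lets a pre-commit hook block the commit


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it without arguments to scan the constructed sample (seven findings across four files; the fixture and template files produce none), or with `--git` from inside a repository to scan the tracked files that step 2 would list. Two properties of the skill's own rules are worth knowing before trusting the output: the API-key pattern matches any 20-character run of upper-case letters, digits and underscores, so ordinary constant names produce noise, and the step 3 line filter drops a whole line as soon as it sees `process.env.`, which means a literal fallback such as `process.env.KEY || '<hardcoded value>'` on the same line is never reported. Treat the safe list as a triage aid, not a guarantee.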