ln-761-secret-scanner

> **Paths:** File paths (`shared/`, `references/`, `../ln-*`) are relative to skills repo root. If not found at CWD, locate this SKILL.md directory and go up one level for repo root. If `shared/` is missing, fetch files via WebFetch from `https://raw.githubusercontent.com/levnikolaevich/claude-code-skills/master/skills/{path}`. # Secret Scanner **Type:** L3 Worker **Category:** 7XX Bootstrap Scans codebase for hardcoded secrets and credentials, returning structured findings for remediation. ## Purpose & Scope - Detect hardcoded secrets using available tools (gitleaks, trufflehog) or manual patterns - Classify findings by severity (Critical/High/Medium/Low) - Filter false positives via baseline and allowlists - Provide remediation guidance per finding type - Return normalized report to parent orchestrator (ln-760) ## When to Use - During project bootstrap (via ln-760-security-setup) - Pre-commit hook validation - CI/CD security pipeline - Manual security audit --- ## Workflow ### Phase 1: Tool Detection **Step 1: Check Available Scanners** - Check if gitleaks is installed (preferred) - Check if trufflehog is installed (alternative) - If neither available: use manual pattern matching as fallback **Step 2: Load Configuration** - Load project `.gitleaks.toml` if exists (custom rules) - Load `.gitleaksbaseline` if exists (known false positives) - If no config: use default patterns from `references/detection_patterns.md` ### Phase 2: Scan Execution **Step 1: Run Avail...