Scan the codebase for leaked secrets, API keys, tokens, and credentials.
- Define patterns to search for:
  - AWS keys: `AKIA[0-9A-Z]{16}`, `aws_secret_access_key`
  - API keys: `sk-[a-zA-Z0-9]{32,}`, `api[_-]?key\s*[:=]`
  - Tokens: `ghp_`, `gho_`, `github_pat_`, `xoxb-`, `xoxp-`
  - Private keys: `-----BEGIN (RSA|EC|OPENSSH) PRIVATE KEY-----` (note: this does not cover PKCS#8 `-----BEGIN PRIVATE KEY-----` or `-----BEGIN PGP PRIVATE KEY BLOCK-----`; widen it if those are in scope)
  - Database URLs: `(postgres|mysql|mongodb)://[^:]+:[^@]+@`
  - Generic secrets: `password\s*[:=]\s*["'][^"']+["']`, `secret\s*[:=]`
- Scan all files tracked by git (`git ls-files`), skipping binary files.
- Also scan `.env` files, which may be untracked.
- Exclude known false positives (test fixtures, documentation examples, `.env.example`).
- For each finding, determine severity:
  - CRITICAL: real credentials with high entropy that appear functional.
  - WARNING: patterns that look like secrets but may be placeholders.
  - INFO: references to secret names without values.
- Check that `.gitignore` properly excludes sensitive files (`.env`, `*.pem`, `*.key`).
- Suggest remediation for each finding.
Secrets Scan Results
====================
CRITICAL (immediate action required):
- <file>:<line> - <type>: <masked-value>
WARNING (review needed):
- <file>:<line> - <type>: <description>
.gitignore check:
- [ ] .env files excluded
- [ ] Key files excluded
Remediation:
1. Rotate <credential type>
2. Add <pattern> to .gitignore
- Never print full secret values; mask all but the first 4 characters.
- Scan both tracked and untracked files.
- Check git history for secrets in past commits: `git log -p --all -S '<string>'` finds commits that add or remove a literal string (`-S` requires an argument), and `git log -p --all -G '<regex>'` does the same for a pattern.
- Suggest `.gitignore` additions for any unprotected secret file patterns.
- Recommend using environment variables or secret managers for all findings.
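The procedure above (pattern matching, false-positive exclusion, binary skipping, severity triage, masking to the first 4 characters, and the `.gitignore` check) as one runnable worked example in Python. This is an added illustration, not code from the original command or from any scanning tool it runs. The file contents, the `.gitignore` text, and every key-looking value are constructed for the example (`AKIAIOSFODNN7EXAMPLE` is AWS's documented placeholder access key); the entropy threshold of 3.0 bits per character and the `PLACEHOLDER_MARKERS` list are assumptions chosen here, and the git-history step is not covered.

```python
"""Added example, not the page's own code: runs the page's patterns over
constructed file contents, rates hits CRITICAL/WARNING/INFO, masks values to
their first 4 characters and checks a constructed .gitignore. In a real run
FILES would be read from `git ls-files` plus any untracked .env files."""
import fnmatch, math, re
from collections import Counter

# Patterns from the page. Group 1, where present, captures the candidate value.
PATTERNS = {
    "AWS access key": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "API key": re.compile(r"\b(sk-[a-zA-Z0-9]{32,})\b"),
    "Token": re.compile(r"\b((?:ghp_|gho_|github_pat_)[A-Za-z0-9_]{8,}|xox[bp]-[A-Za-z0-9-]{8,})"),
    "Private key": re.compile(r"-----BEGIN (?:RSA|EC|OPENSSH) PRIVATE KEY-----"),
    "Database URL": re.compile(r"(?:postgres|mysql|mongodb)://[^:/\s]+:([^@\s]+)@"),
    # password= / secret= / api_key= / aws_secret_access_key=; the value may be empty
    "Secret assignment": re.compile(
        r"(?:password|secret|api[_-]?key|aws_secret_access_key)\s*[:=]\s*[\"']?([^\s\"']*)", re.I),
}
EXCLUDE_GLOBS = ("*.example", "tests/fixtures/*", "docs/*")  # known false positives
PLACEHOLDER_MARKERS = ("example", "changeme", "placeholder", "xxx", "${", "<", "your_")  # assumption
REQUIRED_IGNORES = {".env": ".env", "*.pem": "deploy/server.pem", "*.key": "deploy/server.key"}
# Constructed sample repo (path -> text). Every key-looking value is made up for
# this example; AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder access key.
FILES = {
    "src/aws.py": 'ACCESS_KEY = "AKIAQ7K2M9XP3ZL8VTB4"  # constructed, not a real key\n',
    "src/github.py": 'token = "ghp_9Qx2LmT7vBn4KpR8sWz1YcD5fGh3JkU0aE"  # constructed\n',
    "config/settings.yml": 'client_secret:\naws_secret_access_key: changeme\ndb_password: "${DB_PASSWORD}"\n',
    "README.md": "Set AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE (AWS documentation placeholder)\n",
    "deploy/server.pem": "-----BEGIN RSA PRIVATE KEY-----\nAAAA-constructed-not-a-real-key\n-----END RSA PRIVATE KEY-----\n",
    ".env": "OPENAI_API_KEY=sk-Ab3dEf7gH9jKlM2nOpQ4rStU6vWx8yZ1aBcD5eFg\n"  # untracked
            "DATABASE_URL=postgres://app:s3cr3t-Hunter2!xQ9@db.internal:5432/app\n",
    ".env.example": "OPENAI_API_KEY=sk-your_key_here\n",  # excluded by EXCLUDE_GLOBS
    "tests/fixtures/keys.txt": "AKIAIOSFODNN7EXAMPLE\n",  # excluded by EXCLUDE_GLOBS
    "assets/logo.png": "\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR password=abc",  # binary: skipped
}
GITIGNORE = "# deps\nnode_modules/\n.env\n*.pem\n"  # constructed; *.key is missing

def shannon_entropy(s):
    """Bits per character; random-looking secrets score well above 3."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def classify(kind, value):
    if kind == "Private key":
        return "CRITICAL"  # the header alone means key material is present
    if not value:
        return "INFO"      # secret name referenced, no value assigned
    if any(m in value.lower() for m in PLACEHOLDER_MARKERS) or shannon_entropy(value) < 3.0:
        return "WARNING"   # placeholder-looking or too regular to be a real credential
    return "CRITICAL"

def mask(value):
    """First 4 characters only; values of 4 or fewer characters are fully masked."""
    if value is None:
        return "(key material)"
    return (value[:4] + "*" * (len(value) - 4) if len(value) > 4
            else "*" * len(value) if value else "(no value)")

def scan(files):
    findings, seen = [], set()
    for path, text in files.items():
        if any(fnmatch.fnmatch(path, g) for g in EXCLUDE_GLOBS) or "\x00" in text:
            continue  # excluded path, or binary content
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, rx in PATTERNS.items():
                for m in rx.finditer(line):
                    value = m.group(1) if m.groups() else None
                    if (path, lineno, value) in seen:
                        continue  # two patterns hit the same value on the same line
                    seen.add((path, lineno, value))
                    findings.append({"path": path, "line": lineno, "kind": kind,
                                     "severity": classify(kind, value), "masked": mask(value)})
    return findings

def gitignore_check(text):
    """Required patterns not covered; fnmatch only approximates gitignore rules."""
    pats = [p.strip() for p in text.splitlines() if p.strip() and not p.startswith(("#", "!"))]
    missing = []
    for wanted, sample in REQUIRED_IGNORES.items():
        base = sample.rsplit("/", 1)[-1]
        if not any(fnmatch.fnmatch(sample, p) or fnmatch.fnmatch(base, p) for p in pats):
            missing.append(wanted)
    return missing

def render(findings, missing):
    """Report in the page's output format; unmasked values never reach it."""
    out = ["Secrets Scan Results", "===================="]
    for sev, heading in (("CRITICAL", "CRITICAL (immediate action required):"),
                         ("WARNING", "WARNING (review needed):"), ("INFO", "INFO (names only):")):
        hits = [f for f in findings if f["severity"] == sev]
        if hits:
            out.append(heading)
            out += [f"- {f['path']}:{f['line']} - {f['kind']}: {f['masked']}" for f in hits]
    out.append(".gitignore check:")
    out += [f"- [{' ' if w in missing else 'x'}] {w} excluded" for w in REQUIRED_IGNORES]
    steps = [f"Rotate {k}" for k in dict.fromkeys(f["kind"] for f in findings if f["severity"] == "CRITICAL")]
    steps += [f"Add {w} to .gitignore" for w in missing]
    out += ["Remediation:"] + [f"{i}. {s}" for i, s in enumerate(steps, 1)]
    return "\n".join(out)

if __name__ == "__main__":
    print(render(scan(FILES), gitignore_check(GITIGNORE)))
```

Run it and the report lists five CRITICAL hits (the constructed AWS key, GitHub token, OpenAI-style key, database password and PEM header), three WARNING hits (AWS's documented placeholder key, `changeme`, and the `${DB_PASSWORD}` reference) and one INFO hit (`client_secret:` with no value), while `.env.example`, the fixture file and the PNG never appear. The entropy check is what separates a real-looking token from a placeholder of the same shape; if you lower the threshold, expect more WARNING hits to become CRITICAL. The `.gitignore` check uses `fnmatch`, which ignores gitignore anchoring, directory and negation rules, so treat its result as a prompt to look at the file, not as proof.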