Finds leaked API keys, tokens, and credentials in your codebase and git history.
Secrets Scanner detects accidentally committed credentials across your entire repository, including historical commits. It catches API keys (AWS, GCP, Stripe, Twilio, SendGrid), database connection strings, JWT signing secrets, private keys, and OAuth tokens using a combination of regex patterns and Shannon entropy analysis.
The skill differentiates between real secrets and false positives by analyzing context. Test fixtures, example configs, documentation placeholders, and environment variable references are recognized and excluded. This keeps the signal-to-noise ratio high — when the skill flags something, it's almost certainly a real leak.
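The combination described above (a provider-specific regex, an entropy check on generic assignments, and a context filter for placeholders and environment variable references) can be sketched as follows. This is an added example, not the skill's own code: the patterns, the 3.5-bit threshold, and the names `scan_text` and `shannon_entropy` are assumptions, and it scans a block of text rather than git history.

```python
import math
import re
from collections import Counter

# Assumed rules for illustration; the skill's own patterns and thresholds are not shown on this page.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
ASSIGNMENT = re.compile(r"(?i)\b(\w*(?:secret|token|passw(?:or)?d|api_?key)\w*)\s*[:=]\s*[\"']([^\"']{16,})[\"']")
PLACEHOLDER = re.compile(r"(?i)example|placeholder|changeme|your[_-]|dummy|x{4,}|<[^>]+>|\$\{?\w+")
ENTROPY_THRESHOLD = 3.5  # bits per character, assumed cut-off


def shannon_entropy(value: str) -> float:
    """Shannon entropy of the string in bits per character."""
    counts, total = Counter(value), len(value)
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def scan_text(path: str, text: str) -> list[dict]:
    """Return one finding per suspicious line: path, line number, type, entropy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = AWS_KEY_ID.search(line)
        if m:
            candidate, kind = m.group(0), "aws-access-key-id"
        else:
            m = ASSIGNMENT.search(line)
            if not m:
                continue
            candidate, kind = m.group(2), "generic-high-entropy"
        if PLACEHOLDER.search(candidate):
            continue  # documentation placeholder or env-var reference
        entropy = shannon_entropy(candidate)
        if kind == "generic-high-entropy" and entropy < ENTROPY_THRESHOLD:
            continue  # long but repetitive value, unlikely to be a generated secret
        findings.append({"path": path, "line": lineno, "type": kind, "entropy": round(entropy, 2)})
    return findings


# Constructed sample input; none of these values is a real credential.
SAMPLE = '''aws_key = "AKIAIOSFODNN7EXAMPLE"
aws_key = "AKIAQ3ZLM7T2VB9XK4DP"
api_key = "your_api_key_goes_here"
db_password = "${DB_PASSWORD_FROM_ENV}"
session_secret = "aaaaaaaaaaaaaaaaaaaaaaaa"
stripe_token = "q8Zr2LpX0vNf7TkYc3WmB5sJ"
'''

if __name__ == "__main__":
    print(*scan_text("config/settings.py", SAMPLE), sep="\n")
```

Only lines 2 and 6 of the sample are reported; the documentation key, the placeholder, the environment variable reference, and the low-entropy string are filtered out.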
When a secret is found, the report includes the file path, line number, commit SHA where it was introduced, the secret type, and step-by-step remediation instructions: how to rotate the credential, how to purge it from git history using `git filter-repo`, and how to add a pre-commit hook to prevent future leaks. Requires `git` on PATH.