scanning-for-secrets
关于
This skill scans your codebase for exposed secrets like API keys and passwords using pattern matching and entropy analysis. It helps developers proactively identify and remediate security vulnerabilities before code is committed or deployed. Use it by triggering phrases like "scan for secrets" or "check for exposed credentials".
快速安装
Claude Code
推荐/plugin add https://github.com/jeremylongshore/claude-code-plugins-plusgit clone https://github.com/jeremylongshore/claude-code-plugins-plus.git ~/.claude/skills/scanning-for-secrets在 Claude Code 中复制并粘贴此命令以安装该技能
技能文档
Overview
This skill enables Claude to scan your codebase for exposed secrets, API keys, passwords, and other sensitive credentials. It helps you identify and remediate potential security vulnerabilities before they are committed or deployed.
How It Works
- Initiate Scan: Claude activates the
secret-scannerplugin. - Codebase Analysis: The plugin scans the codebase using pattern matching and entropy analysis.
- Report Generation: A detailed report is generated, highlighting identified secrets, their locations, and suggested remediation steps.
When to Use This Skill
This skill activates when you need to:
- Scan your codebase for exposed API keys (e.g., AWS, Google, Azure).
- Check for hardcoded passwords in configuration files.
- Identify potential private keys (SSH, PGP) accidentally committed to the repository.
- Proactively find secrets before committing changes.
Examples
Example 1: Identifying Exposed AWS Keys
User request: "Scan for AWS keys in the codebase"
The skill will:
- Activate the
secret-scannerplugin. - Scan the codebase for patterns matching AWS Access Keys (AKIA[0-9A-Z]{16}).
- Generate a report listing any found keys, their file locations, and remediation steps (e.g., revoking the key).
Example 2: Checking for Hardcoded Passwords
User request: "Check for exposed credentials in config files"
The skill will:
- Activate the
secret-scannerplugin. - Scan configuration files (e.g.,
database.yml,.env) for password patterns. - Generate a report detailing any found passwords and suggesting the use of environment variables.
Best Practices
- Regular Scanning: Schedule regular scans to catch newly introduced secrets.
- Pre-Commit Hooks: Integrate the
secret-scannerinto your pre-commit hooks to prevent committing secrets. - Review Entropy Analysis: Carefully review results from entropy analysis, as they may indicate potential secrets not caught by pattern matching.
Integration
This skill can be integrated with other security tools, such as vulnerability scanners, to provide a comprehensive security assessment of your codebase. It can also be combined with notification plugins to alert you when new secrets are detected.
GitHub 仓库
相关推荐技能
content-collections
元Content Collections 是一个 TypeScript 优先的构建工具,可将本地 Markdown/MDX 文件转换为类型安全的数据集合。它专为构建博客、文档站和内容密集型 Vite+React 应用而设计,提供基于 Zod 的自动模式验证。该工具涵盖从 Vite 插件配置、MDX 编译到生产环境部署的完整工作流。
creating-opencode-plugins
元该Skill为开发者创建OpenCode插件提供指导,涵盖命令、文件、LSP等25+种事件类型。它详细说明了插件结构、事件API规范及JavaScript/TypeScript实现模式,帮助开发者构建事件驱动的模块。适用于需要拦截操作、扩展功能或自定义AI助手行为的插件开发场景。
evaluating-llms-harness
测试该Skill通过60+个学术基准测试(如MMLU、GSM8K等)评估大语言模型质量,适用于模型对比、学术研究及训练进度追踪。它支持HuggingFace、vLLM和API接口,被EleutherAI等行业领先机构广泛采用。开发者可通过简单命令行快速对模型进行多任务批量评估。
langchain
元LangChain是一个用于构建LLM应用程序的框架,支持智能体、链和RAG应用开发。它提供多模型提供商支持、500+工具集成、记忆管理和向量检索等核心功能。开发者可用它快速构建聊天机器人、问答系统和自主代理,适用于从原型验证到生产部署的全流程。