Secret Scanner

Scan for hardcoded secrets, API keys, passwords, and sensitive credentials in code and configuration files.

security
Official
Featured
by RepoBird
Updated 10/18/2025
71 executions
Template Instructions
These instructions will be passed to the AI agent when executing this template

Scan the ACTUAL codebase for exposed secrets and credentials:

  1. Search for common secret patterns using Grep:

    • API Keys: Grep -i '(api_key|apikey|api_secret).*=.*["'][a-zA-Z0-9]{20,}'
    • AWS Credentials: Grep 'AKIA[0-9A-Z]{16}'
    • Stripe Keys: Grep '(sk_live|pk_live|sk_test|pk_test)_[a-zA-Z0-9]{24,}'
    • GitHub Tokens: Grep 'gh[pousr]_[a-zA-Z0-9]{36,}'
    • JWT Tokens: Grep 'eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.'
    • Passwords: Grep -i 'password.*=.*["'][^"']{8,}'
    • Private Keys: Grep 'BEGIN (RSA |)PRIVATE KEY'
    • Database URLs: Grep '(mysql|postgres|mongodb):\/\/.*:.*@'
    • OAuth Secrets: Grep -i 'client_secret.*=.*["'][a-zA-Z0-9]{20,}'
  2. Check configuration files:

    • Search for committed .env files: find . -name ".env" -type f
    • Check if .env is in .gitignore: grep "\.env" .gitignore
    • Search config files: find . -path "*/config/*" -type f \( -name "*.js" -o -name "*.ts" -o -name "*.json" -o -name "*.yml" -o -name "*.yaml" \)
    • Check Docker files: Grep -i '(password|secret|key)' **/Dockerfile
    • Review CI/CD configs for exposed secrets
  3. Use automated tools:

    • Run: npx secretlint '**/*' (if installed)
    • Run: git secrets --scan (if installed)
    • Check git history: git log -S "password" --all
  4. Create detailed report:

    • Generate SECRET_SCAN_REPORT.md in /docs directory
    • For each secret found:
      • File path and line number
      • Secret type (API key, password, etc.)
      • Severity level (Critical if active, High if example)
      • Recommended fix
  5. Implement fixes:

    • Move secrets to environment variables
    • Create .env.example with placeholder values
    • Update .gitignore to include .env, .env.local, secrets/
    • Add pre-commit hook to prevent secret commits
    • Suggest secret management (Vault, AWS Secrets Manager)
    • Rotate any exposed secrets

IMPORTANT: Scan the REAL codebase for actual secrets; do not create demonstrations. If secrets are found, report them immediately, but DO NOT include actual secret values in reports.
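As an added example (not part of the RepoBird template), the step 1 Grep patterns applied in Python to constructed sample lines, emitting the per-finding fields from step 4 with the matched value masked as the note above requires. The file-name-based severity heuristic and all sample values are assumptions.

```python
import re

# Patterns copied from the template's Grep list, in Python re syntax.
SECRET_PATTERNS = {
    "API key": re.compile(r'(api_key|apikey|api_secret).*=.*["\'][a-zA-Z0-9]{20,}', re.I),
    "AWS access key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "Stripe key": re.compile(r"(sk_live|pk_live|sk_test|pk_test)_[a-zA-Z0-9]{24,}"),
    "GitHub token": re.compile(r"gh[pousr]_[a-zA-Z0-9]{36,}"),
    "JWT": re.compile(r"eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\."),
    "Password": re.compile(r'password.*=.*["\'][^"\']{8,}', re.I),
    "Private key": re.compile(r"BEGIN (RSA |)PRIVATE KEY"),
    "Database URL": re.compile(r"(mysql|postgres|mongodb)://.*:.*@"),
    "OAuth secret": re.compile(r'client_secret.*=.*["\'][a-zA-Z0-9]{20,}', re.I),
}

def mask(text, keep=4):
    # Keep a short prefix, mask every other letter/digit: the report shows
    # what matched without reproducing the secret value itself.
    return text[:keep] + "".join("*" if c.isalnum() else c for c in text[keep:])

def severity(path):
    # Assumption: "Critical if active, High if example" is approximated by the
    # file name; whether a key is still live cannot be tested offline.
    return "High" if "example" in path.lower() else "Critical"

def scan_lines(path, lines):
    # One finding per (line, secret type); the raw match is never stored.
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append({"file": path, "line": lineno, "type": kind,
                                 "severity": severity(path), "match": mask(m.group(0))})
    return findings

def report_markdown(findings):
    # Table rows for SECRET_SCAN_REPORT.md.
    rows = ["| File | Line | Type | Severity | Match (masked) |", "|---|---|---|---|---|"]
    return "\n".join(rows + [f"| {f['file']} | {f['line']} | {f['type']} | "
                             f"{f['severity']} | `{f['match']}` |" for f in findings])

# Constructed sample input; every value is fake.
SAMPLE_FILES = {
    "src/config.py": ["DEBUG = True",
                      'API_KEY = "abcdefghijklmnopqrstuvwxyz0123"',
                      "DATABASE_URL = 'postgres://app:hunter2secret@db.internal:5432/app'"],
    ".env.example": ["AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00",
                     "STRIPE_SECRET=sk_test_placeholderplaceholder0000"],
}

def scan_all(files=SAMPLE_FILES):
    return [f for path, lines in files.items() for f in scan_lines(path, lines)]
```

Running `print(report_markdown(scan_all()))` yields four rows, none of which contains the sample credential strings.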

Success Criteria

  • All hardcoded secrets found using Grep patterns and tools
  • SECRET_SCAN_REPORT.md generated with findings
  • .gitignore updated to prevent future commits
  • .env.example created with safe placeholder values
  • Pre-commit hooks configured to prevent secret commits
  • Git history reviewed for historical leaks

Completion Checklist

  • Search for secrets using Grep patterns and automated tools
  • Document all secret locations in SECRET_SCAN_REPORT.md
  • Move secrets to environment variables
  • Update .gitignore and create .env.example
  • Add pre-commit hooks for secret detection
  • Verify no secrets remain in codebase
Tags
security
secrets
credentials
scanning
Supported Languages
Any Language