Run security scan on skills or directories to detect API keys, tokens, passwords, personal paths, and other sensitive data. Use before pushing skills or committing code.
View on GitHub: nkrebs13/ClaudeCodeSkills
dev-tools
skills/scan-secrets/SKILL.md
January 21, 2026
```
npx add-skill https://github.com/nkrebs13/ClaudeCodeSkills/blob/main/skills/scan-secrets/SKILL.md -a claude-code --skill scan-secrets
```

Installation paths:

```
.claude/skills/scan-secrets/
```

# Scan Secrets

Run security scan to detect sensitive data before publishing.

## Usage

```
/scan-secrets                      # Scan all skills in repository
/scan-secrets <skill-name>         # Scan specific skill
/scan-secrets --local              # Scan local skills (~/.claude/skills/)
/scan-secrets --directory <path>   # Scan any directory
```

## What It Detects

### Critical (blocks commit/push)

| Pattern | Example |
|---------|---------|
| OpenAI API keys | `sk-abc123...` |
| Anthropic API keys | `sk-ant-...` |
| Google API keys | `AIza...` |
| GitHub tokens | `ghp_...`, `gho_...` |
| AWS credentials | `AKIA...`, `aws_secret_access_key` |
| Private keys | `-----BEGIN PRIVATE KEY-----` |

### High (blocks commit/push)

| Pattern | Example |
|---------|---------|
| Generic API keys | `api_key = "..."` |
| Access tokens | `access_token = "..."` |
| Passwords | `password = "secret"` |
| URLs with credentials | `https://user:pass@host` |
| Database connection strings | `postgres://user:pass@host` |

### Medium (warning)

| Pattern | Example |
|---------|---------|
| Personal paths | `/Users/<username>/...` |
| Base64 encoded secrets | Long base64 strings in secret context |
| Environment variable patterns | `MY_SECRET_KEY = "..."` |

### Low (informational)

| Pattern | Example |
|---------|---------|
| Internal IP addresses | `192.168.x.x`, `10.x.x.x` |

## Workflow

### 1. Select Target

Determine what to scan:

- All repository skills
- Specific skill by name
- Local skills directory
- Custom directory path

### 2. Run Scanner

```bash
python3 ~/Personal/GithubSkills/scripts/scan_secrets.py --directory <target>
```

### 3. Review Results

If issues are found:

- Show each finding with file, line number, and pattern
- Group by severity (Critical, High, Medium, Low)
- Provide remediation suggestions

### 4. Remediation Guidance

For each finding type:

| Finding | Remediation |
|---------|-------------|
| API key | Move to environment varia