Review secret detection patterns and scanning workflows. Use for identifying high-signal secrets like AWS keys, GitHub tokens, and DB passwords. Use proactively during all security audits to scan code and history.

Examples:

- user: "Scan for secrets in this repo" → run high-signal rg patterns and gitleaks
- user: "Check for AWS keys" → scan for AKIA patterns and server-side exposure
- user: "Audit my .env files" → ensure secrets are gitignored and not committed
- user: "Verify secret redaction" → check that reported secrets follow the 4+4 format
- user: "Scan build artifacts for keys" → search dist/ and build/ for secret patterns
Install:

```bash
npx skill4agent add igorwarzocha/opencode-workflows security-secrets
```

High-signal patterns. Prefix-anchored rules (AKIA, ghp_, xoxb-, sk_live_) are near-zero noise; the generic key=value rules at the bottom are deliberately loose and need manual triage.

| Secret Type | Pattern | Notes |
|---|---|---|
| AWS Access Key | `AKIA[0-9A-Z]{16}` | Always 20 chars, starts AKIA |
| AWS Secret | `(?i)aws.{0,20}['"][0-9A-Za-z/+]{40}['"]` | 40 chars base64-ish; only meaningful next to an aws keyword |
| Google API Key | `AIza[0-9A-Za-z_-]{35}` | 39 chars total |
| Google OAuth | `[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com` | Client ID |
| Google Service Account | `"type": "service_account"` | In JSON files; the `private_key` field is the secret |
| GitHub Token | `gh[pousr]_[A-Za-z0-9]{36}` | ghp_/gho_/ghu_/ghs_/ghr_ |
| GitHub PAT (fine-grained) | `github_pat_[A-Za-z0-9_]{82}` | Newer format |
| GitLab Token | `glpat-[0-9A-Za-z_-]{20,}` | Personal access token |
| Stripe Secret | `sk_(live\|test)_[0-9a-zA-Z]{24,}` | Secret key |
| Stripe Restricted | `rk_(live\|test)_[0-9a-zA-Z]{24,}` | Restricted key |
| Stripe Publishable | `pk_(live\|test)_[0-9a-zA-Z]{24,}` | Publishable key; designed for client-side use, low severity on its own |
| Slack Bot Token | `xoxb-[0-9A-Za-z-]+` | Bot token |
| Slack User Token | `xoxp-[0-9A-Za-z-]+` | User token |
| Slack Workflow Token | `xwfp-[0-9A-Za-z-]+` | Workflow token |
| Slack App Token | `xapp-[0-9A-Za-z-]+` | App-level token |
| Slack Webhook | `https://hooks\.slack\.com/services/` | Incoming webhook URL |
| Discord Token | | Bot token |
| Discord Webhook | `https://discord(app)?\.com/api/webhooks/` | Webhook URL |
| OpenAI Key | `sk-[A-Za-z0-9]{20}T3BlbkFJ[A-Za-z0-9]{20}` | API key (legacy format; newer keys use an `sk-proj-` prefix) |
| Anthropic Key | `sk-ant-[A-Za-z0-9_-]+` | API key |
| Twilio | `SK[0-9a-fA-F]{32}` | API key SID |
| SendGrid | `SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}` | API key |
| Mailgun | `key-[0-9a-zA-Z]{32}` | API key |
| Mailchimp | `[0-9a-f]{32}-us[0-9]{1,2}` | API key |
| Firebase | `https://[a-z0-9-]+\.firebaseio\.com` | Database URL |
| Supabase | `eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+` | JWT (check context: the anon key is public, service_role is not) |
| Heroku | | API key |
| NPM Token | `npm_[A-Za-z0-9]{36}` | Publish token |
| PyPI Token | `pypi-AgEIcHlwaS5vcmc` | Upload token |
| Private Key | `-----BEGIN (RSA\|EC\|OPENSSH\|DSA\|PGP) PRIVATE KEY` | PEM header; the file, not the header, is the secret |
| Database URL | `(?i)(postgres\|mysql\|` | Connection string with embedded credentials |
| Password in URL | `://[^/:@\s]+:[^/@\s]+@` | Basic auth |
| JWT Secret | `(?i)(jwt[_-]?secret\|token[_-]?secret)['"]?\s*[:=]\s*['"][^'"]+['"]` | Signing secret in config |
| Generic Secret | `(?i)(password\|passwd\|` | Loose key=value rule; expect noise |
Scan commands:

```bash
# Quick grep scan (fast, high signal)
rg -n "(AKIA[0-9A-Z]{16}|sk_(live|test)_|rk_(live|test)_|pk_(live|test)_|xox[baprs]-|xapp-|xwfp-|gh[pousr]_|github_pat_)" .
rg -n "BEGIN (RSA|EC|OPENSSH|DSA|PGP) PRIVATE KEY" .
rg -n "(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"][^'\"]{8,}" .

# Dedicated scanners (thorough)
# --no-git limits gitleaks to the working tree; drop it to walk git history as well
gitleaks detect --source . --redact --no-git
semgrep scan --config p/secrets --error
# filesystem mode does not look at history, and --only-verified reports only
# secrets the provider confirms as live, so revoked keys will not show up
trufflehog filesystem . --only-verified
```

Files to check first:

| File Pattern | Risk Level | Why |
|---|---|---|
| `.env`, `.env.*` | CRITICAL | Often contains all secrets |
| | HIGH | App configuration |
| | HIGH | Named suspiciously |
| | HIGH | DB passwords, service creds |
| | HIGH | CI/CD secrets |
| | MEDIUM | Test data with real creds |
| `*.pem`, `*.key`, `id_rsa` | CRITICAL | Private keys |
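The file table above is a triage order, and the ".env is gitignored" check from the examples has a trap: .gitignore never untracks a file that was already committed. The script below is an added example, not part of the skill; it classifies a `git ls-files` listing against a glob list that is this example's own reading of the table (the globs, the tracked-file list and the .gitignore content are all constructed here), and separates "committed and not ignored" from the worse case "committed despite an ignore rule", which needs `git rm --cached` plus a history purge.

```python
"""Added example: triage tracked files against the high-risk file classes
and flag .env files that are committed even though .gitignore lists them.
Globs, sample tracked list and sample .gitignore are constructed for this
example, not taken from the skill."""
import fnmatch
import subprocess

# (risk level, glob) in priority order; first match wins. Example's own list.
HIGH_RISK_GLOBS = [
    ("CRITICAL", ".env"),
    ("CRITICAL", ".env.*"),
    ("CRITICAL", "*.pem"),
    ("CRITICAL", "*.key"),
    ("CRITICAL", "id_rsa"),
    ("CRITICAL", "id_ed25519"),
    ("HIGH", "*secret*"),
    ("HIGH", "*credential*"),
    ("HIGH", "docker-compose*.yml"),
    ("HIGH", ".github/workflows/*"),
    ("HIGH", ".gitlab-ci.yml"),
    ("MEDIUM", "*fixtures/*"),
]


def classify(path: str):
    """Risk level for a tracked path, or None if it is not a known risky file."""
    name = path.rsplit("/", 1)[-1]
    for level, glob in HIGH_RISK_GLOBS:
        if fnmatch.fnmatch(path, glob) or fnmatch.fnmatch(name, glob):
            return level
    return None


def is_ignored(path: str, gitignore_lines) -> bool:
    """Simplified .gitignore matcher: no negation, no directory-only rules."""
    name = path.rsplit("/", 1)[-1]
    for raw in gitignore_lines:
        rule = raw.strip()
        if not rule or rule.startswith("#") or rule.startswith("!"):
            continue
        rule = rule.rstrip("/")
        if rule.startswith("/"):
            matched = fnmatch.fnmatch(path, rule[1:])
        elif "/" in rule:
            matched = fnmatch.fnmatch(path, rule)
        else:
            matched = fnmatch.fnmatch(name, rule)
        if matched:
            return True
    return False


def audit(tracked, gitignore_lines) -> list:
    """One entry per risky tracked file. Tracked AND ignored is the worst case:
    .gitignore does not untrack an existing file, so the fix is
    `git rm --cached` plus a history purge, not another ignore rule."""
    report = []
    for path in tracked:
        level = classify(path)
        if level is None:
            continue
        ignored = is_ignored(path, gitignore_lines)
        note = ("committed despite .gitignore entry: git rm --cached and purge history"
                if ignored else "committed and not ignored: remove it and add an ignore rule")
        report.append({"path": path, "level": level, "ignored": ignored, "note": note})
    return report


def tracked_files_from_git(repo: str = ".") -> list:
    """Real input for stand-alone use: the output of `git ls-files`."""
    out = subprocess.run(["git", "-C", repo, "ls-files"],
                         capture_output=True, text=True, check=True).stdout
    return out.splitlines()


# Constructed sample repository state.
SAMPLE_TRACKED = [
    "README.md",
    "src/app.py",
    ".env",
    "deploy/id_rsa",
    "config/secrets.yaml",
    "test/fixtures/users.json",
    ".github/workflows/deploy.yml",
]
SAMPLE_GITIGNORE = ["# local config", ".env", "*.pem"]

if __name__ == "__main__":
    for entry in audit(SAMPLE_TRACKED, SAMPLE_GITIGNORE):
        print(f"{entry['level']:8} {entry['path']}: {entry['note']}")
```

Run it inside a repository with `audit(tracked_files_from_git(), open(".gitignore").read().splitlines())` to triage real output; the matcher deliberately skips `!` negations, so treat its "ignored" verdict as a hint and confirm with `git check-ignore -v`.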
Redaction format for reported secrets (4+4: keep the first four and last four characters, mask everything in between):

```text
Original: AKIAIOSFODNN7EXAMPLE
Redacted: AKIA****...****MPLE
Original: sk_test_XXXXYYYYZZZZ11112222
Redacted: sk_t****...****2222
```
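The rg one-liners above show where matches are; what a report needs is the finding type, the line, and a value redacted in the 4+4 format. The following is an added example and not the skill's own code: it applies a subset of the prefix patterns from the table to text, applies the same loose key=value heuristic as the third rg command, and emits 4+4-redacted findings. The token lengths for GitHub and Stripe are the public formats; the placeholder filter, the `MARKER_TYPES` handling and the sample .env content are this example's own assumptions, and every value in the sample is fake.

```python
"""Added example (not from the original skill): scan text with high-signal
prefix patterns plus the loose generic rule, report in 4+4 redaction format."""
import re
import sys

PATTERNS = {
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "github_token": re.compile(r"gh[pousr]_[A-Za-z0-9]{36}"),
    "github_pat_fine_grained": re.compile(r"github_pat_[A-Za-z0-9_]{82}"),
    "stripe_secret": re.compile(r"sk_(?:live|test)_[0-9a-zA-Z]{24,}"),
    "slack_bot_token": re.compile(r"xoxb-[0-9A-Za-z-]{10,}"),
    "private_key": re.compile(r"-----BEGIN (?:RSA|EC|OPENSSH|DSA|PGP) PRIVATE KEY-----"),
    # Loose rule, same idea as the rg command: key = "8+ char value". Noisy,
    # so obvious placeholders are filtered out below. The capture group is the value.
    "generic_secret": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# For these types the match is a marker (a PEM header), not the secret itself,
# so it is reported verbatim instead of redacted.
MARKER_TYPES = {"private_key"}

# Placeholder filter for the generic rule only. Prefix rules stay unfiltered:
# AWS's documented example key literally contains "EXAMPLE" and must still be reported.
PLACEHOLDER_HINTS = ("example", "changeme", "your-", "xxxx", "<", ">")


def looks_like_placeholder(value: str) -> bool:
    v = value.lower()
    return any(hint in v for hint in PLACEHOLDER_HINTS)


def redact(secret: str) -> str:
    """4+4 format: first four and last four characters visible, middle masked.
    A value of 8 chars or fewer would be fully revealed, so mask it entirely."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return f"{secret[:4]}****...****{secret[-4:]}"


def scan_text(text: str, source: str = "<input>") -> list:
    """Return one finding per match: source, 1-based line, type, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.lastindex else m.group(0)
                if name == "generic_secret" and looks_like_placeholder(value):
                    continue
                shown = value if name in MARKER_TYPES else redact(value)
                findings.append(
                    {"source": source, "line": lineno, "type": name, "redacted": shown}
                )
    return findings


def scan_file(path: str) -> list:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read(), path)


# Constructed sample .env; every value is fake (the AKIA key is AWS's public example).
SAMPLE_ENV = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
STRIPE_KEY=sk_test_ABCDEFGHIJKLMNOPQRSTUVWX
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
password: 'hunter2'
DB_PASSWORD = "correct-horse-battery-staple"
API_KEY = "your-api-key-here"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    results = ([f for p in paths for f in scan_file(p)]
               if paths else scan_text(SAMPLE_ENV, "sample.env"))
    for f in results:
        print(f"{f['source']}:{f['line']}: {f['type']} {f['redacted']}")
```

On the sample, `password: 'hunter2'` produces nothing (7 characters, under the generic rule's 8-char floor) and `API_KEY = "your-api-key-here"` is dropped by the placeholder filter, while the prefix-based hits are reported unconditionally; that asymmetry is the point of keeping the high-signal rules separate from the generic one.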