check-secrets

📁 nozomi-koborinai/koborin-ai 📅 8 days ago

总安装量

周安装量

#55863

全站排名

安装命令

npx skills add https://github.com/nozomi-koborinai/koborin-ai --skill check-secrets

Agent 安装分布

opencode 3

gemini-cli 3

claude-code 3

github-copilot 3

codex 3

kimi-cli 3

Skill 文档

check-secrets

Scan the codebase for potential secret leaks before commits.

Trigger Examples

“Check for secrets”
“Scan for leaks”
“Security check”
“Are there any hardcoded secrets?”

Execution Flow

1. Define Detection Patterns

High-risk patterns:

API keys: ['\"]?[A-Z0-9_]{20,}['\"]?
Bearer tokens: Bearer\s+[A-Za-z0-9\-._~+/]+=*
Private keys: -----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----
OAuth secrets: client_secret['\"]?\s*[:=]\s*['\"]?[A-Za-z0-9\-_]{20,}
GCP service account keys: "type":\s*"service_account"
AWS credentials: AKIA[0-9A-Z]{16}

Project-specific patterns:

Hardcoded project IDs: koborin-ai (outside of variable assignments or docs)
Email addresses: @koborin\.ai

Safe patterns (excluded):

Environment variable references: process.env., $\{, TF_VAR_
Placeholder values: <PROJECT_ID>, YOUR_API_KEY, dummy, example
Test fixtures: files under __tests__/, *.test.ts, *.spec.ts

2. Scan the Codebase

Use git ls-files to get tracked files:

git ls-files | grep -v -E '\.(png|jpg|jpeg|gif|svg|woff|woff2|ttf|eot|ico|pdf)$' | \
  grep -v -E '^(node_modules|\.next|dist|build|coverage)/'

3. Filter False Positives

Remove known safe occurrences:

Lines containing process.env. or TF_VAR_
Template files (.env.example, .env.template)
Lines with placeholder patterns (<...>, YOUR_..., REPLACE_ME)

4. Categorize Findings

Critical (immediate action required):

Private keys, service account JSON
Hardcoded passwords or tokens
Real API keys with valid format

Warning (review recommended):

Suspicious long strings that might be keys
Hardcoded project IDs outside infrastructure code

Info (low risk):

Company name in unexpected places
Domain references in application code

5. Display Results

CRITICAL: Potential private key detected
  File: infra/shared/main.tf
  Line: 42
  Match: -----BEGIN PRIVATE KEY-----

WARNING: Hardcoded project ID
  File: app/src/lib/api-client.ts
  Line: 15
  Match: const PROJECT = "koborin-ai"

Summary:
- Critical: 1 finding(s)
- Warning: 1 finding(s)

Review these findings before committing.

Project-Specific Rules

For koborin-ai:

Allow koborin-ai in infra/ and README.md
Flag it in app/src/ unless from environment variable
Allow email addresses in documentation
Flag GCP project IDs when hardcoded outside Pulumi config

Notes

This is static analysis only; cannot detect runtime-loaded secrets
Always review findings manually
Run before every commit
Never commit real secrets even if undetected

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台