Scan for hardcoded secrets, API keys, and credential exposure (stack-agnostic)
Scans for hardcoded secrets, API keys, tokens, and passwords exposed in project source code.
If $ARGUMENTS is provided, scan only that path. Otherwise scan the entire project.
Always exclude build artifacts: node_modules/, target/, .next/, dist/, build/, vendor/.
.gitignore to check if .env* files are ignored. If not — Critical.git ls-files to find committed .env files. If git is unavailable, fallback to find . -name '.env*' -not -path '*/node_modules/*'..env files exist, read their contents to check for actual secret values (report masked).git log -p --all -S 'AKIA' -S 'sk_live' -S 'sk-ant' -S 'ghp_' --diff-filter=D -- '*.ts' '*.js' '*.py' '*.rs' | head -50 to check for deleted secrets in git history.Each pattern is a regex that can be directly used with the Grep tool. Multiple patterns are combined with | to reduce the number of searches.
Grep-ready regexes (high confidence; report as Critical):
- `AKIA[0-9A-Z]{16}`
- `aws_secret_access_key\s*[:=]\s*["'][0-9a-zA-Z/+=]{40}["']`
- `ghp_[a-zA-Z0-9]{36}|github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}`
- `gho_[a-zA-Z0-9]{36}`
- `AIza[0-9A-Za-z\-_]{35}`
- `GOCSPX-[a-zA-Z0-9_\-]{28}`
- `sk_live_[0-9a-zA-Z]{24,}|rk_live_[0-9a-zA-Z]{24,}`
- `sk-[a-zA-Z0-9]{48}|sk-proj-[a-zA-Z0-9\-_]{80,}`
- `sk-ant-[a-zA-Z0-9\-_]{80,}`
- `xoxb-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24}|xoxp-[0-9]{10,}-`
- `SG\.[a-zA-Z0-9_\-]{22}\.[a-zA-Z0-9_\-]{43}`
- `SK[0-9a-fA-F]{32}`
- `npm_[a-zA-Z0-9]{36}`
- `vercel_[a-zA-Z0-9]{24}`
- `-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----`

The generic patterns below have false-positive potential; report them as Warning. Skip a match if the value is a placeholder (example, test, TODO, xxx, changeme).
- `(client_secret|auth_secret|jwt_secret|database_url|connection_string)\s*[:=]\s*["'][^"']{8,}["']`
- `(password|passwd|pwd)\s*[:=]\s*["'][^"']{8,}["']` (exclude already-masked values such as `password.*=.*["']\*+["']`)
- `(api[_-]?key|apikey)\s*[:=]\s*["'][a-zA-Z0-9_\-]{20,}["']` (ignore values under 20 chars to reduce false positives)
- `(secret_?key|access_?token|auth_?token)\s*[:=]\s*["'][^"']{8,}["']`

Do not match `token` alone; it appears in too many non-secret contexts (CSRF token, pagination token, etc.).
Frontend / Next.js checks:
- NEXT_PUBLIC_ prefixed env vars whose names contain SECRET, SERVICE_ROLE, PRIVATE or PASSWORD
- .env.local, .env.production, etc. not listed in .gitignore
- process.env.SECRET_* referenced directly in client components ("use client")

Sensitive files (check whether they are tracked by git with `git ls-files`):
- firebase-adminsdk*.json
- credentials.json, service-account.json
- *.pem, *.key files
- .npmrc, .pypirc, .docker/config.json (package manager auth)
- *.tfstate (Terraform state may contain plaintext secrets)
- docker-compose*.yml with hardcoded *_PASSWORD, *_SECRET values
- .github/workflows/*.yml, .gitlab-ci.yml, Jenkinsfile with secrets hardcoded in env: blocks (`${{ secrets.* }}` references are not hardcoded secrets)

Suppressions and severity adjustments:
- Lines carrying a secure-scan-ignore: comment are skipped (see CLAUDE.md).
- Paths listed in .secure-scan-ignore are skipped.
- Findings in test files (*.test.*, *.spec.*, __tests__/, tests/) are downgraded to Info (not suppressed). However, production key patterns (sk_live_, AKIA) remain Critical even in test files.

Follow the common output format in CLAUDE.md.
All discovered secret values MUST be masked (first 4 chars + **** + last 4 chars).
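As an added example, not part of this skill file, here is a small Python scanner showing how the rules above combine: tiered severities, placeholder and masked-value skipping, the test-file downgrade with its production-prefix exception, and the masking rule. It implements a constructed subset of the page's patterns (the generic patterns' capture groups are rearranged so that group 1 is the value) and assumes generic key names are matched case-insensitively.

```python
import re

# Constructed subset of the page's patterns as (name, regex, base severity); generic patterns use (?:...) so group 1 is the value.
PATTERNS = [
    ("aws_access_key_id", r"AKIA[0-9A-Z]{16}", "Critical"),
    ("stripe_live_key", r"sk_live_[0-9a-zA-Z]{24,}|rk_live_[0-9a-zA-Z]{24,}", "Critical"),
    ("private_key_block", r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----", "Critical"),
    ("generic_password", r"""(?:password|passwd|pwd)\s*[:=]\s*["']([^"']{8,})["']""", "Warning"),
    ("generic_api_key", r"""(?:api[_-]?key|apikey)\s*[:=]\s*["']([a-zA-Z0-9_\-]{20,})["']""", "Warning"),
]
PLACEHOLDERS = ("example", "test", "todo", "xxx", "changeme")
PRODUCTION_PREFIXES = ("sk_live_", "AKIA")  # stay Critical even inside test files
TEST_FILE = re.compile(r"\.test\.|\.spec\.|(?:^|/)__tests__/|(?:^|/)tests/")

def mask(value):
    """Report format required above: first 4 chars + **** + last 4 chars."""
    return value[:4] + "****" + value[-4:] if len(value) > 8 else "****"

def is_placeholder(value):
    """Placeholders and already-masked values (password = "********") are not findings."""
    return set(value) <= {"*"} or any(p in value.lower() for p in PLACEHOLDERS)

def scan_line(path, lineno, line):
    """Return (path, lineno, pattern name, severity, masked value) for every hit on one line."""
    findings = []
    for name, regex, base in PATTERNS:
        flags = re.IGNORECASE if base == "Warning" else 0  # assumption: generic key names in any case
        for m in re.finditer(regex, line, flags):
            value = m.group(1) if m.lastindex else m.group(0)
            if base == "Warning" and is_placeholder(value):
                continue
            # Test-file hits are downgraded, never suppressed; production key prefixes stay Critical.
            downgrade = TEST_FILE.search(path) and not value.startswith(PRODUCTION_PREFIXES)
            findings.append((path, lineno, name, "Info" if downgrade else base, mask(value)))
    return findings

def scan(files):
    """files: iterable of (path, text) pairs, so the example runs without touching disk."""
    return [f for path, text in files
            for n, line in enumerate(text.splitlines(), 1) for f in scan_line(path, n, line)]

# Constructed sample input; every value below is fake.
SAMPLE_FILES = [
    ("src/config.py", 'AWS_ACCESS_KEY_ID = "AKIA0123456789ABCDEF"\n'),
    ("tests/billing.spec.js", 'const key = "sk_live_abcdefghijklmnopqrstuvwx";\n'),
    ("tests/db.test.ts", 'const password = "hunter2hunter2";\n'),
    ("tests/fixtures.py", 'password = "changeme-please"\npassword = "********"\n'),
    ("docker-compose.yml", '  API_KEY: "abcdefghijklmnopqrstuvwxyz0123"\n'),
]
```

`scan(SAMPLE_FILES)` yields four findings: two Critical (the AWS key, and the Stripe live key despite sitting in a spec file), one Info (the password in a test file) and one Warning (the docker-compose API key), while the placeholder and already-masked passwords are skipped.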