Use when committing code, reviewing changes, or auditing repositories for leaked secrets, tokens, API keys, passwords, or sensitive configuration files
Systematic scan for secrets, tokens, and sensitive data before committing or auditing code. Prevents credential leaks that could compromise services.
Do NOT use for:
- Dependency vulnerability audits (npm audit, pip audit, etc.)

What to scan for:

| Target | Pattern | Examples |
|---|---|---|
| Tokens | Hex strings, JWT-like patterns | 8cc4debcd5379d5e453ff40da0835c56d8feb320 |
| API Keys | *_KEY, *_API_KEY env vars | OPENAI_API_KEY=sk-... |
| Passwords | password, passwd, pass assignments | "password": "realpass123" |
| Secrets | *_SECRET, *_TOKEN env vars | GITHUB_TOKEN=ghp_... |
| Credentials | .env, *credentials*, *secret* files | .env, aws_credentials |
| Private Keys | -----BEGIN.*PRIVATE KEY----- | SSH keys, TLS certs |
| Emails/PII | Personal emails, phone numbers in code | [email protected] |
Search for sensitive patterns across the codebase:

```bash
# Search for common secret patterns
rg -n "(token|api[_-]?key|secret|password|passwd|private[_-]?key|credential)" --glob "!node_modules" --glob "!.git" --glob "!*.lock"
```

Check if secrets were ever committed:

```bash
# Search git history for secrets
git log -p --all -S "token" -- "*.json" "*.env" "*.config.*" "*.yml" "*.yaml"
```

Identify config files that should be gitignored:

```bash
# Find config files that might contain secrets
rg --files | rg -i "(\.env|config|secret|credential|\.json|\.yaml|\.yml)" | rg -v "node_modules|\.git|dist|build"
```

Ensure sensitive files are excluded:

```bash
# Check if .gitignore covers common secret patterns
rg -i "(\.env|secret|credential|token|key|password|\.json)" .gitignore
```
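As an added illustration of the pattern table and the false-positive rules (this is example code, not part of the checklist or the rg commands above), a small Python scanner that applies approximations of those patterns to constructed sample lines and suppresses the placeholder forms; the regexes, placeholder list and sample values are my own assumptions:

```python
import re

# Detection rules approximating the pattern table above (constructed for this example).
RULES = [
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{20,}\b")),
    ("openai_key", re.compile(r"\bsk-[A-Za-z0-9]{20,}\b")),
    ("hex_token", re.compile(r"\b[0-9a-f]{40}\b")),
    ("url_credentials", re.compile(r"https?://[^/\s:]+:[^/\s@]+@")),
    ("key_assignment", re.compile(
        r"(?i)\b(\w*(?:api[_-]?key|secret|token|password|passwd)\w*)"
        r"['\"]?\s*[:=]\s*['\"]?([^'\"\s,;]+)")),
    ("email", re.compile(r"(?<![:/])\b\w[\w.+-]*@[\w-]+\.[\w.-]+\b")),
]
# Values that are placeholders or environment lookups (the "GOOD" forms on this page).
PLACEHOLDER_VALUES = re.compile(r"(?i)^(your-.*|<.*>|\$\{?\w+\}?|process\.env\.\w+"
                                r"|os\.(environ|getenv).*|x{3,}|\.\.\.|changeme|placeholder)$")
# Obvious test mailboxes, which the false-positive notes treat as safe.
PLACEHOLDER_EMAILS = re.compile(r"(?i)^(test|user|example|noreply)@|@example\.(com|org|net)$")

def is_placeholder(rule, match):
    if rule == "key_assignment":
        return bool(PLACEHOLDER_VALUES.match(match.group(2)))
    if rule == "email":
        return bool(PLACEHOLDER_EMAILS.search(match.group(0)))
    return False

def scan_text(text):
    """Return (line_number, rule_name, matched_text) for every non-placeholder hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                if not is_placeholder(rule, m):
                    findings.append((lineno, rule, m.group(0)))
    return findings

# Constructed sample: lines 1, 4 and 6 are safe placeholders; 2, 3, 5 and 7 are leaks.
SAMPLE = """\
const token = process.env.GITHUB_TOKEN;
OPENAI_API_KEY=sk-abcdefghijklmnopqrstuvwxyz123456
"password": "realpass123"
"token": "your-token-here"
db_url = "http://admin:hunter2@db.internal:5432"
contact = "test@example.com"
-----BEGIN OPENSSH PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, rule, hit in scan_text(SAMPLE):
        print(f"line {lineno}: {rule}: {hit}")
```

A hit on the `key_assignment` rule alone means only that a sensitive-looking name is assigned a literal, so confirm the value is not a placeholder before treating it as a leak.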
Hardcoded secrets in source:

```javascript
// BAD
const token = "ghp_xxxxxxxxxxxxxxxxxxxx";
const config = { password: "real_password_123" };
```

Real values in config files:

```jsonc
// BAD
{
  "baseUrl": "http://real-server.com",
  "token": "ee96b34d7f52d9f0863e7bcb0994464a05b5070d"
}
```

```jsonc
// GOOD
{
  "baseUrl": "http://example.com",
  "token": "your-token-here"
}
```

```javascript
// GOOD - read from environment
const token = process.env.GITHUB_TOKEN;
```
When secrets are found:

| Issue | Fix |
|---|---|
| Token in code | Replace with process.env.TOKEN_NAME |
| Token in config JSON | Replace with "your-token-here" |
| Config file not gitignored | Add *.json or specific filename to .gitignore |
| Secret in git history | Use git filter-repo or bfg-repo-cleaner |
| Password in test fixtures | Use mock/test credentials only |
Treat as real findings:
- Email addresses in code may be real (an address such as [email protected] can belong to an actual person)
- URLs with embedded credentials (http://user:pass@host)
- .env, *secret*, *credential* files not in .gitignore

Usually safe:
- Placeholder mailboxes (test@, user@, example@)