--- name: check-secrets description: Scan the codebase for potential secret leaks including API keys, tokens, passwords, hardcoded project IDs, and sensitive identifiers. Use when the user says "check for secrets", "scan for leaks", "security check", or before committing sensitive changes. --- # check-secrets Scan the codebase for potential secret leaks before commits. ## Trigger Examples - "Check for secrets" - "Scan for leaks" - "Security check" - "Are there any hardcoded secrets?" ## Execution Flow ### 1. Define Detection Patterns **High-risk patterns:** - API keys: `['\"]?[A-Z0-9_]{20,}['\"]?` - Bearer tokens: `Bearer\s+[A-Za-z0-9\-._~+/]+=*` - Private keys: `-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----` - OAuth secrets: `client_secret['\"]?\s*[:=]\s*['\"]?[A-Za-z0-9\-_]{20,}` - GCP service account keys: `"type":\s*"service_account"` - AWS credentials: `AKIA[0-9A-Z]{16}` **Project-specific patterns:** - Hardcoded project IDs: `koborin-ai` (outside of variable assignments or docs) - Email addresses: `@koborin\.ai` **Safe patterns (excluded):** - Environment variable references: `process.env.`, `$\{`, `TF_VAR_` - Placeholder values: ``, `YOUR_API_KEY`, `dummy`, `example` - Test fixtures: files under `__tests__/`, `*.test.ts`, `*.spec.ts` ### 2. Scan the Codebase Use `git ls-files` to get tracked files: ```bash git ls-files | grep -v -E '\.(png|jpg|jpeg|gif|svg|woff|woff2|ttf|eot|ico|pdf)$' | \ grep -v -E '^(node_modules|\.next|dist|build|coverage)/' ``` ### 3. Filter False Positives Remove known safe occurrences: - Lines containing `process.env.` or `TF_VAR_` - Template files (`.env.example`, `.env.template`) - Lines with placeholder patterns (`<...>`, `YOUR_...`, `REPLACE_ME`) ### 4. Categorize Findings **Critical (immediate action required):** - Private keys, service account JSON - Hardcoded passwords or tokens - Real API keys with valid format **Warning (review recommended):** - Suspicious long strings that might be keys - Hardcoded project IDs outside infrastructure code **Info (low risk):** - Company name in unexpected places - Domain references in application code ### 5. Display Results ``` CRITICAL: Potential private key detected File: infra/shared/main.tf Line: 42 Match: -----BEGIN PRIVATE KEY----- WARNING: Hardcoded project ID File: app/src/lib/api-client.ts Line: 15 Match: const PROJECT = "koborin-ai" Summary: - Critical: 1 finding(s) - Warning: 1 finding(s) Review these findings before committing. ``` ## Project-Specific Rules For `koborin-ai`: - Allow `koborin-ai` in `infra/` and `README.md` - Flag it in `app/src/` unless from environment variable - Allow email addresses in documentation - Flag GCP project IDs when hardcoded outside Pulumi config ## Notes - This is static analysis only; cannot detect runtime-loaded secrets - Always review findings manually - Run before every commit - Never commit real secrets even if undetected