DevOps & Security
Secret Leakage Preventer
Scans code and commits for hardcoded secrets, API keys, connection strings, and credentials, then proposes secure alternatives. Useful for preventing one of the most common classes of AI-era security incidents.

For backend engineers and DevOps leads who want a pre-commit safety net against secret leakage, security teams enforcing credential hygiene without blocking developer velocity, and indie developers preparing for enterprise customer security reviews.

AI agents routinely inline API keys into example code, copy test credentials into production files, or propagate leaked values across commits. Once a secret lands in git history, cleanup means rotating the credential everywhere it is used and rewriting history, so the cost jumps from minutes to hours; hosted scanners (GitHub Secret Scanning, TruffleHog in CI) typically report only after the commit has already been pushed. A scanner integrated into the coding session catches exposure before it leaves the developer's machine.
One-Time Purchase
$19.99
Secret Leakage Scan — src/ + last 20 commits
Scope: 847 files across src/, config/, scripts/, tests/ · Last 20 commits (a3f1d09 → HEAD)
Verdict
Five secrets need rotation now. An AWS access-key pair, a live Stripe secret key, a Postgres connection string with embedded credentials, a JWT signing secret, and a GitHub PAT all live in the current tree — four of them also in committed history. Two additional findings (one medium, one low) need classification before action.
Findings by source
Leak Table
| # | Credential class | Location | In git history? | Severity |
|---|---|---|---|---|
| 1 | AWS access key ID + secret pair | config/deploy.env:12–13 | Yes (a3f1d09) | Critical |
| 2 | Stripe live secret (sk_live_…) | src/payments/stripe_client.py:8 | Yes (3 commits) | Critical |
| 3 | Postgres URI with embedded password | src/db/connection.py:3 | Yes (c1188bd) | Critical |
| 4 | JWT signing secret (HS256) | src/auth/tokens.py:21 | Yes (e77b302) | Critical |
| 5 | GitHub PAT (ghp_…) | scripts/release.sh:44 | No (gitignored) | High |
| 6 | Generic bearer token (test helper) | tests/helpers/api_mock.py:67 | Yes (f9a3310) | Medium |
| 7 | High-entropy string (40 chars, hex-safe) | src/integrations/webhooks.py:112 | Yes (a1d55f7) | Low |
Remediation
Rotate now — before next deploy
Refactor (no rotation needed for these specifically)
Monitor / watch list
Watch-List Callouts
Rotation before history rewrite
Rotate every leaked secret BEFORE force-pushing rewritten history. The history rewrite changes commit SHAs but does not invalidate the secrets themselves — anyone who cloned the repo before the rewrite still has the originals. Rotation is what makes the leak harmless.
GitHub PAT in working tree
The PAT in scripts/release.sh is gitignored, so it never entered history, but it is still present on disk and in any copy of the script that was shared out-of-band. Backups, IDE indexes, and shell-history exports can resurface the value. Revoke the token, then refactor the script to read it from $GH_TOKEN, supplied by the CI runner or a local secrets manager rather than a file in the tree.
Skipped (non-findings)
Excluded as placeholders or documented examples: config/settings.example.env (all keys), docs/quickstart.md (your_stripe_key_here), tests/fixtures/mock_aws.py (AKIAIOSFODNN7EXAMPLE — AWS docs example), README.md (sk_test_4eC39Hq… — Stripe doc example).
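The classification behind the Leak Table and the skipped list above, as an added example (this is not the product's own code): a minimal pre-commit scanner in Python with specific detectors for the credential classes in the table, an entropy fallback for unlabelled strings, allowlisting of documented placeholders and .example. files, redacted previews so the hook never echoes a secret into its own output, and a non-zero exit on anything that needs rotation. The file contents, paths, and every key, token, and password in SAMPLE_FILES are constructed for the example.

```python
"""Pre-commit secret scanner (added example, not the product's own code).
Classifies hardcoded credentials, skips documented placeholders, redacts previews,
and returns a non-zero exit code when anything needs rotation. All inputs are constructed."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# (credential class, severity, pattern). Group 1, when present, is the secret value.
SPECIFIC_RULES = [
    ("AWS access key ID", "Critical", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("AWS secret access key", "Critical",
     re.compile(r"(?i)aws_secret_access_key\s*[:=]\s*[\"']?([A-Za-z0-9/+=]{40})")),
    ("Stripe live secret key", "Critical", re.compile(r"\bsk_live_[0-9A-Za-z]{24,}")),
    ("Postgres URI with embedded password", "Critical",
     re.compile(r"postgres(?:ql)?://[^\s:/@]+:[^\s@]+@[^\s\"']+")),
    ("JWT signing secret", "Critical",
     re.compile(r"(?i)(?:jwt|signing)[_-]?secret\s*[:=]\s*[\"']([^\"'\s]{16,})[\"']")),
    ("GitHub PAT", "High", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]
ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/]{32,}")  # generic fallback: long random-looking runs
HEX_ONLY = re.compile(r"[0-9a-fA-F]+")
PLACEHOLDER_MARKERS = ("example", "your_", "changeme", "xxxx", "<", "redacted")

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    severity: str
    preview: str  # redacted: the hook must never echo the full secret into logs

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def is_placeholder(value: str) -> bool:
    v = value.lower()
    return any(marker in v for marker in PLACEHOLDER_MARKERS)

def is_example_path(path: str) -> bool:
    return ".example." in path.rsplit("/", 1)[-1]  # e.g. config/settings.example.env

def redact(value: str) -> str:
    return f"{value[:6]}…({len(value)} chars)"

def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    if is_example_path(path):
        return findings
    for lineno, line in enumerate(text.splitlines(), start=1):
        covered = []  # spans already claimed by a specific rule (placeholders included)
        for kind, severity, pattern in SPECIFIC_RULES:
            for m in pattern.finditer(line):
                value = m.group(1) if m.lastindex else m.group(0)
                covered.append(m.span())
                if not is_placeholder(value):
                    findings.append(Finding(path, lineno, kind, severity, redact(value)))
        for m in ENTROPY_TOKEN.finditer(line):
            if any(m.start() < e and m.end() > s for s, e in covered):
                continue  # already classified above; do not double-report
            token = m.group(0)
            # Hex caps at 4 bits/char and base64 at 6, so the threshold follows the alphabet.
            is_hex = HEX_ONLY.fullmatch(token) is not None
            if shannon_entropy(token) >= (3.0 if is_hex else 4.5) and not is_placeholder(token):
                label = "High-entropy string (hex)" if is_hex else "High-entropy string (base64-like)"
                findings.append(Finding(path, lineno, label, "Low", redact(token)))
    return findings

def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]

def hook_exit_code(findings: list[Finding]) -> int:
    """Non-zero (block the commit) when anything needing rotation is staged."""
    return 1 if any(f.severity in ("Critical", "High") for f in findings) else 0

# Constructed staged files; every key, token and password is fabricated.
SAMPLE_FILES = {
    "config/deploy.env": (
        "REGION=us-east-1\n"
        "AWS_ACCESS_KEY_ID=AKIAQ4ZPT7Q2LMN8X3YB\n"
        "AWS_SECRET_ACCESS_KEY=Zx9pQ2vLmT4rWn8sK1bH6yJ3cF7dG0aNq5eV2uR8\n"
    ),
    "src/payments/stripe_client.py": 'stripe.api_key = "sk_live_4gH7kLm2NpQ9rS1tUvWxYz3aB5cD8eF"\n',
    "src/db/connection.py": 'DSN = "postgresql://app:Sup3rS3cret!@db.internal:5432/prod"\n',
    "src/auth/tokens.py": 'JWT_SIGNING_SECRET = "3f9a1c7e5b2d8046a9e1c3b7f5d2a8e4c6b0d9f1"\n',
    "scripts/release.sh": 'GH_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8\ngh release create "$TAG"\n',
    "src/integrations/webhooks.py": 'WEBHOOK_SIGNING_KEY = "a1d55f7c9e3b02d4f68e1a7c3b9d0e5f4a6b8c2d"\n',
    # Not findings: AWS's published example key ID, and a template file.
    "tests/fixtures/mock_aws.py": 'ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"\n',
    "config/settings.example.env": "STRIPE_SECRET_KEY=sk_live_your_key_here\n",
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.severity:8} {f.kind:36} {f.path}:{f.line}  {f.preview}")
    raise SystemExit(hook_exit_code(results))
```

Run against the constructed input it reports five Critical findings, one High (the PAT) and one Low (the hex-only high-entropy string), skips the AWS documentation key and the .example.env template, and exits 1. Wired as a pre-commit hook it would read the staged diff instead of SAMPLE_FILES; the previews show only the first six characters precisely so that the hook's own output, CI logs and terminal scrollback do not become a second copy of the leak.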
History Rewrite — Reference
git-filter-repo is preferred over git filter-branch for modern repos. Coordinate the force-push: every collaborator must re-clone (merging or rebasing an old clone onto the rewritten history re-introduces the removed commits), any open PRs against this branch are invalidated, and the hosting provider may keep the old commits reachable by SHA until they are purged on its side.
pip install git-filter-repo
cp -r my-repo my-repo-backup                        # keep an untouched copy until the rewrite is verified
cd my-repo
# Keep the replacement list OUTSIDE the working tree so it can never be committed.
cat > ../replacements.txt <<'EOF'
<actual-secret-1>==>REDACTED_REMOVED
<actual-secret-2>==>REDACTED_REMOVED
EOF
git filter-repo --replace-text ../replacements.txt   # refuses to run on a non-fresh clone unless --force is added
git remote add origin <remote-url>                  # filter-repo removes 'origin' to prevent accidental pushes; re-add it
git push origin --force --all
git push origin --force --tags
Static scan output. Rotation status reflects the working tree and last 20 commits only; older history may contain additional exposure. Re-run after rotation and rewrite to confirm a clean state.
This sample illustrates the skill's output format. Names, metrics, and operational details are illustrative unless the artifact explicitly analyzes public information.
All sales final. No refunds on digital products.
Includes support for Claude Code, Codex, OpenClaw, and Google Antigravity in the same license.
Also in Security Scanning
Bundle price: $55. Compare this skill with the full workflow bundle or Pro access.
Best for
Engineers and DevOps leads who want a pre-commit safety net against API keys, connection strings, and credentials drifting into git history. Especially valuable in AI-assisted workflows where agents routinely inline example credentials and copy test values across files without the human noticing.
Not ideal for
Repos that have already been pushed to a public host with secrets in history — the skill prevents future leakage; cleanup there requires git history rewriting and immediate rotation. Also a poor fit as a standalone control without a secrets manager behind it; preventing the commit only matters if there’s somewhere safe for the secret to actually live.
Included in this purchase
- Claude Code, Codex, OpenClaw, and Google Antigravity skill files.
- Setup guidance for the right adapter in your workspace.
- One-time license for the purchased skill version.
Setup
Plan for a short setup in the repository or workspace where the skill will run. Some coding familiarity helps for implementation-heavy outputs.
Future Updates
This purchase includes the current version of the skill. If you want future adapter updates — meaning compatibility and packaging updates as supported platforms evolve — plus new catalog additions included automatically, upgrade to Pro.