Secrets Scan
Quick reference
| Field | Value |
|---|---|
| Command | /brewtools:secrets-scan |
| Arguments | [--fix] — no args = scan only, --fix = interactive remediation |
| Model | sonnet |
| Context | session |
| Tools | Read, Task, Write, Bash, AskUserQuestion |
Security audit for leaked credentials in git-tracked files. Spawns 10 parallel agents to scan the entire repository, classifies findings by severity, and generates a detailed report.
Modes
| Mode | How to trigger | What it does |
|---|---|---|
| Scan only | /brewtools:secrets-scan | Scans all git-tracked files, generates severity-ranked report |
| Scan + fix | /brewtools:secrets-scan --fix | Scans, then walks through each CRITICAL/HIGH finding interactively |
| Auto-fix prompt | No flag needed | If CRITICAL or HIGH findings exist, prompts whether to remediate |
Usage examples
```
# Pre-commit security check on the full repo
/brewtools:secrets-scan

# Scan and fix all findings interactively
/brewtools:secrets-scan --fix

# Run before open-sourcing a private repo
/brewtools:secrets-scan --fix
```
What it detects
| Category | Examples |
|---|---|
| Passwords | password=, passwd:, secret=, pwd= followed by a value |
| API Keys | api_key, access_key, apikey, api_secret |
| Tokens | token, bearer, auth_token, access_token |
| AWS Credentials | AKIA[0-9A-Z]{16}, aws_secret, aws_access_key |
| Database URLs | JDBC, MongoDB, MySQL, PostgreSQL connection strings with embedded credentials |
| Private Keys | -----BEGIN ... PRIVATE KEY-----, client_secret, encryption_key |
Skipped automatically: environment variable references (process.env.*, ${VAR}, os.getenv()), common placeholders (changeme, YOUR_KEY, xxx, dummy), documentation comments, binary files.
Severity levels
| Level | Criteria |
|---|---|
| CRITICAL | Real credentials, private keys, database connection strings with passwords |
| HIGH | Real API keys or tokens, AWS credentials |
| MEDIUM | Suspicious hardcoded values that may be secrets |
| LOW | Placeholder values like changeme, YOUR_KEY, xxx, dummy |
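To make the detection categories, the skip rules and the severity levels above concrete, here is a small single-file scanner written for this page. It is an added example, not the brewtools scanner itself: the regexes, the "short value means MEDIUM" heuristic and the sample config are all constructed here, and the real command spawns agents over git-tracked files rather than scanning a string.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Value part of a "keyword = value" / "keyword: value" assignment (constructed).
KEYWORD_VALUE = r"\s*[:=]\s*['\"]?([^'\"\s]+)"

# (category, base severity, pattern), modelled on the detection table.
# First matching rule wins, so the more specific rules come first.
RULES = [
    ("Private Keys", "CRITICAL", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("Database URLs", "CRITICAL", re.compile(
        r"(?:jdbc:)?(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^:/\s]+:([^@\s]+)@", re.I)),
    ("AWS Credentials", "HIGH", re.compile(
        r"\bAKIA[0-9A-Z]{16}\b|aws_(?:secret|access_key)\w*" + KEYWORD_VALUE)),
    ("API Keys", "HIGH", re.compile(r"(?:api_?key|access_key|api_secret)\w*" + KEYWORD_VALUE, re.I)),
    ("Tokens", "HIGH", re.compile(r"(?:auth_token|access_token|token|bearer)\w*" + KEYWORD_VALUE, re.I)),
    ("Passwords", "CRITICAL", re.compile(r"(?:password|passwd|secret|pwd)\w*" + KEYWORD_VALUE, re.I)),
]

# Skip rules from the page: env-var references and common placeholders.
ENV_REF = re.compile(r"process\.env\.\w+|\$\{\w+\}|os\.getenv\(|os\.environ")
PLACEHOLDERS = {"changeme", "your_key", "xxx", "dummy"}
COMMENT_PREFIXES = ("#", "//", "/*", "*")


@dataclass
class Finding:
    line_no: int
    category: str
    severity: str
    matched: str


def scan_text(text: str) -> list[Finding]:
    """Scan one file's contents and return severity-classified findings."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith(COMMENT_PREFIXES):
            continue  # documentation comments are skipped
        if ENV_REF.search(line):
            continue  # value comes from the environment, not the repo
        for category, severity, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.lastindex else m.group(0)
            if value.lower() in PLACEHOLDERS:
                severity = "LOW"        # placeholder, not a real credential
            elif m.lastindex and len(value) < 8:
                severity = "MEDIUM"     # constructed heuristic: too short to be sure
            findings.append(Finding(line_no, category, severity, m.group(0)))
            break
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Severity breakdown as it would appear in the report summary."""
    counts = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def needs_remediation(findings: list[Finding]) -> bool:
    """The auto-fix prompt only fires on CRITICAL or HIGH findings."""
    return any(f.severity in ("CRITICAL", "HIGH") for f in findings)


# Constructed sample config; every value below is fake.
SAMPLE = """\
# Constructed sample config; every value below is fake.
db_url = "postgres://app:Sup3rS3cretPw@db.internal:5432/app"
aws_access_key_id = AKIAFAKEFAKEFAKEFAKE
api_key = "changeme"
password = os.environ["DB_PASSWORD"]
token = process.env.API_TOKEN
auth_token = "abc"
-----BEGIN RSA PRIVATE KEY-----
smtp_password: "CorrectHorseBatteryStaple"
secret: ${APP_SECRET}
"""

if __name__ == "__main__":
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    results = scan_text(SAMPLE)
    for f in sorted(results, key=lambda f: order[f.severity]):
        print(f"{f.severity:<8} line {f.line_no:>2} {f.category:<16} {f.matched}")
    print(summarize(results), "remediate:", needs_remediation(results))
```

Running it prints six findings from the sample: three CRITICAL (the connection string, the private key header and the SMTP password), one HIGH (the AWS key), one MEDIUM (the three-character token) and one LOW (the changeme placeholder); the three environment-variable lines and the comment produce nothing. The real scanner applies the same idea across every git-tracked file in parallel.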
Fix mode options
| Option | Action |
|---|---|
| Fix | Delete or replace the secret inline |
| Move to env var | Extract value into environment variable reference |
| Add to .gitignore | Append the file path to .gitignore |
| Mark false positive | Acknowledge and skip |
| Skip | Leave as-is, move to next finding |
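The two mechanical fix-mode options, "Move to env var" and "Add to .gitignore", as an added example written for this page rather than the command's own remediation code. The assignment regex, the language switch and the upper-cased variable naming are assumptions made here.

```python
from __future__ import annotations

import re

# Matches `name = "literal"` or `name = 'literal'` on a single line (constructed).
ASSIGN = re.compile(
    r"^(?P<indent>\s*)(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*['\"][^'\"]*['\"]\s*$"
)


def move_to_env_var(line: str, lang: str = "python") -> tuple[str, str] | None:
    """Replace a hardcoded literal with an environment-variable reference.

    Returns (rewritten_line, env_var_name), or None if the line is not a
    simple literal assignment. The secret value itself is deliberately not
    returned: it belongs in the deployment environment, not in the repo.
    """
    m = ASSIGN.match(line)
    if not m:
        return None
    env_name = m.group("name").upper()
    if lang == "python":
        expr = f'os.environ["{env_name}"]'
    elif lang == "javascript":
        expr = f"process.env.{env_name}"
    else:
        raise ValueError(f"unsupported language: {lang}")
    return f"{m.group('indent')}{m.group('name')} = {expr}", env_name


def add_to_gitignore(existing: str, path: str) -> str:
    """Append path to .gitignore contents, idempotently."""
    if path in (entry.strip() for entry in existing.splitlines()):
        return existing
    if existing and not existing.endswith("\n"):
        existing += "\n"
    return existing + path + "\n"


if __name__ == "__main__":
    print(move_to_env_var('db_password = "Sup3rS3cretPw"'))
    print(add_to_gitignore("node_modules/\n", "config/local.env"), end="")
```

Two caveats worth keeping in mind when using the equivalent options in fix mode: adding a path to .gitignore does not untrack a file that is already committed (that needs `git rm --cached`), and neither option removes the value from git history, so a credential that reached a remote should be rotated regardless of how the working tree is cleaned up.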
Output
Report location: .claude/reports/{TIMESTAMP}_secrets-scan/report.md
| Section | Content |
|---|---|
| Summary | File counts, severity breakdown (CRITICAL / HIGH / MEDIUM / LOW) |
| Findings | Per-severity tables with file path, line number, matched content, description |
| Agent Stats | Per-agent breakdown of assigned, scanned, and finding counts |
| File Inventory | Complete list of scanned and skipped files with reasons |
Tips
Run early, run often — catch leaked secrets before they reach a remote branch.
Expect false positives from test fixtures and example configs; use --fix to mark them.
Combine with .gitignore rules and pre-commit hooks for defense in depth.