secrets-scan
Caution
Secrets committed to git are permanent — even after deletion. A single password=prod123 in a config file, a hardcoded AWS key in a test fixture, a connection string left in a migration script. Once pushed, the history retains it. /brewtools:secrets-scan finds these before they become incidents.
Tip
10 parallel agents, one command. The skill splits your git file list into 10 chunks, runs haiku agents in parallel, merges results, ranks by severity, and writes a structured report — all without leaving your Claude session. Add --fix to remediate interactively.
Quick reference
| Field | Value |
|---|---|
| Command | /brewtools:secrets-scan |
| Arguments | [--fix] — no args = scan only, --fix = interactive remediation |
| Model | sonnet |
| Context | session |
| Tools | Read, Task, Write, Bash, AskUserQuestion |
When to use
- Pre-push audit — run before opening a PR or pushing to a remote branch
- Open-source prep — before making a private repo public, scan the full history surface
- CI gate — catch secrets that slipped past .gitignore rules
- Post-incident — verify no additional credentials are exposed after a breach
- Onboarding — audit a legacy codebase you’ve just inherited
Examples
# Scan only — full repo, severity-ranked report
/brewtools:secrets-scan
# Scan and remediate interactively (CRITICAL + HIGH findings prompted)
/brewtools:secrets-scan --fix
# Natural language triggers
"scan for leaked credentials"
"security audit, find any hardcoded keys"
"check for secrets before I open-source this repo"
Expected output after scan:
## Secrets Scan Complete
| Metric | Value |
|----------|-------|
| Files | 342 |
| CRITICAL | 1 |
| HIGH | 3 |
| MEDIUM | 7 |
| LOW | 12 |
Report: .claude/reports/20260417-143022_secrets-scan/report.md
Flow
- Setup: verifies the working directory is a git repository, collects the full file list via git ls-files, and creates a timestamped report directory under .claude/reports/.
- Split & launch 10 agents: divides the file list into 10 equal chunks (ceil division) and spawns 10 general-purpose haiku agents in a single parallel Task call; each agent reads its assigned files and applies the detection patterns.
- Merge results: collects the JSON responses from all 10 agents, deduplicates findings by path+line, merges the scanned and skipped file lists, and sorts findings CRITICAL → HIGH → MEDIUM → LOW.
- Generate report: writes {DIR}/report.md with a summary table, per-severity finding tables (file, line, matched content, description), per-agent stats, and a full file inventory including skipped files with their skip reasons.
- Display summary: prints a compact table of severity counts and the report path directly in the session, so there is no need to open the file to see the headline result.
- Fix mode: triggered by the --fix flag, or automatically when CRITICAL/HIGH findings exist. Walks through each finding with AskUserQuestion: fix inline, move to env var, add the file to .gitignore, mark as false positive, or skip.
Detection rules
What gets flagged:
| Category | Patterns |
|---|---|
| Passwords | password, passwd, secret, pwd followed by = or : and a value |
| API keys | api_key, access_key, apikey, api_secret |
| Tokens | token, bearer, auth_token, access_token |
| AWS credentials | AKIA[0-9A-Z]{16}, aws_secret, aws_access_key |
| Database URLs | JDBC, MongoDB, MySQL, PostgreSQL connection strings with embedded credentials |
| Private keys | -----BEGIN ... PRIVATE KEY-----, client_secret, encryption_key |
Severity levels:
| Level | Criteria |
|---|---|
| CRITICAL | Real credentials, private keys, database connection strings with passwords |
| HIGH | Real API keys or tokens, AWS credentials |
| MEDIUM | Suspicious hardcoded values that may be secrets |
| LOW | Placeholder values (changeme, YOUR_KEY, xxx, dummy) |
Automatically skipped:
Environment variable references (process.env.*, ${VAR}, os.getenv()), common placeholders, documentation comments, binary files.
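To make the flow (chunk, scan, merge, rank) and the detection rules above concrete, here is an added Python example that is not the brewtools skill's own code. It applies the pattern categories from the table to an in-memory sample repository, skips env-var references and binary files, splits the file list into 10 chunks by ceil division, merges the per-chunk results with path+line deduplication, and ranks CRITICAL → HIGH → MEDIUM → LOW. The function names, the regexes, and the sample files are this example's own assumptions; it assigns only CRITICAL, HIGH and LOW, leaving the MEDIUM "may be a secret" judgment (which the real skill delegates to the agents) out.

```python
"""Miniature of the secrets-scan pipeline (added example, not the skill's code)."""
import math
import re
from dataclasses import dataclass, asdict

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Placeholder values the page lists as LOW severity.
PLACEHOLDERS = ("changeme", "your_key", "xxx", "dummy")

# Lines that only reference an environment variable are skipped outright.
ENV_REFERENCE = re.compile(r"process\.env\.|\$\{[A-Za-z_]\w*\}|os\.getenv\(|os\.environ")

# key [= or :] value  (the page's password / API key / token shape)
KEY_VALUE = r'(?i)\b({keys})\b\s*[=:]\s*["\']?([^"\'\s,;]+)'

# (category, regex, default severity) following the page's two tables. The
# last capture group, when present, is the candidate value.
RULES = [
    ("AWS credentials", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), "HIGH"),
    ("Private keys", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), "CRITICAL"),
    ("Database URLs",
     re.compile(r"\b(?:jdbc:)?(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^\s:@/]+:([^\s@/]+)@", re.I),
     "CRITICAL"),
    ("Passwords", re.compile(KEY_VALUE.format(keys="password|passwd|secret|pwd")), "CRITICAL"),
    ("API keys", re.compile(KEY_VALUE.format(keys="api_key|access_key|apikey|api_secret")), "HIGH"),
    ("Tokens", re.compile(KEY_VALUE.format(keys="token|bearer|auth_token|access_token")), "HIGH"),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    severity: str
    category: str
    matched: str


def is_placeholder(value: str) -> bool:
    v = value.lower()
    return any(p in v for p in PLACEHOLDERS)


def scan_file(path: str, content: str) -> list[Finding]:
    """Apply the rules line by line; the first matching rule wins per line."""
    findings = []
    for lineno, text in enumerate(content.splitlines(), start=1):
        if ENV_REFERENCE.search(text):
            continue  # env-var reference, not a literal secret
        for category, pattern, severity in RULES:
            m = pattern.search(text)
            if not m:
                continue
            value = m.group(m.lastindex or 0)
            if is_placeholder(value):
                severity = "LOW"  # placeholder values rank LOW per the page
            findings.append(Finding(path, lineno, severity, category, m.group(0)))
            break
    return findings


def chunk_paths(paths: list[str], agents: int = 10) -> list[list[str]]:
    """Split the file list into `agents` chunks by ceil division (trailing
    chunks are empty when there are fewer files than agents)."""
    size = max(1, math.ceil(len(paths) / agents))
    return [paths[i * size:(i + 1) * size] for i in range(agents)]


def run_agent(chunk: list[str], files: dict[str, str]) -> dict:
    """Stand-in for one haiku agent: returns the JSON-shaped response the
    merge step expects (findings, scanned, skipped with reasons)."""
    findings, scanned, skipped = [], [], []
    for path in chunk:
        content = files[path]
        if "\x00" in content:
            skipped.append({"path": path, "reason": "binary file"})
            continue
        scanned.append(path)
        findings.extend(asdict(f) for f in scan_file(path, content))
    return {"findings": findings, "scanned": scanned, "skipped": skipped}


def merge_results(responses: list[dict]) -> dict:
    """Deduplicate findings by path+line and sort CRITICAL -> LOW."""
    seen, scanned, skipped = {}, [], []
    for r in responses:
        scanned.extend(r["scanned"])
        skipped.extend(r["skipped"])
        for f in r["findings"]:
            seen.setdefault((f["path"], f["line"]), Finding(**f))
    findings = sorted(seen.values(), key=lambda f: (SEVERITY_ORDER[f.severity], f.path, f.line))
    return {"findings": findings, "scanned": sorted(scanned), "skipped": skipped}


def severity_counts(findings: list[Finding]) -> dict:
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        counts[f.severity] += 1
    return counts


def summary_table(result: dict) -> str:
    """The compact markdown table the Display summary step prints."""
    counts = severity_counts(result["findings"])
    rows = [("Files", len(result["scanned"]) + len(result["skipped"]))] + list(counts.items())
    return "\n".join(["| Metric | Value |", "|---|---|"] + [f"| {k} | {v} |" for k, v in rows])


def scan_repo(files: dict[str, str], agents: int = 10) -> dict:
    paths = sorted(files)  # stands in for `git ls-files`
    return merge_results([run_agent(c, files) for c in chunk_paths(paths, agents)])


# Constructed sample repository (path -> contents). The AWS key is the
# well-known example key from AWS documentation, not a live credential.
SAMPLE_FILES = {
    "config/prod.yml": "db:\n  password: prod123\n  host: db.internal\n",
    "src/settings.py": 'import os\nAPI_KEY = os.getenv("API_KEY")\nSECRET = "changeme"\n',
    "tests/fixtures/aws.py": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n',
    "scripts/migrate.sh": 'DATABASE_URL="postgres://app:hunter2@db.internal:5432/app"\n',
    "keys/dev.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
    "assets/logo.png": "\x89PNG\x00\x00",
}

if __name__ == "__main__":
    result = scan_repo(SAMPLE_FILES)
    print(summary_table(result))
    for f in result["findings"]:
        print(f"{f.severity:8} {f.path}:{f.line}  [{f.category}] {f.matched}")
```

Run it directly to print the summary table and the ranked findings. In the real skill each call to the per-chunk function is one haiku agent and the merge step runs over their JSON responses; the dedup-by-path+line step is what keeps overlapping chunks from double-counting a finding.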
Fix mode options:
| Option | Action |
|---|---|
| Fix | Delete or replace the secret inline |
| Move to env var | Extract value into an environment variable reference |
| Add to .gitignore | Append the file path to .gitignore |
| Mark false positive | Acknowledge and skip — logged in report |
| Skip | Leave as-is, move to next finding |
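The "Move to env var" option above is the remediation with the most moving parts, so here is an added Python example (not the skill's own code) of what that rewrite involves for a single flagged line: it parses the key/value assignment, derives an environment variable name from the key, swaps the literal for the language's way of reading the environment, and produces a `.env.example` entry that carries the variable name but never the value. The helper names, the per-file-type templates, and the sample lines are this example's own assumptions.

```python
"""'Move to env var' rewrite for one finding (added example, not the skill's code)."""
import re
from pathlib import PurePosixPath

# How each supported file type reads a value from the environment (assumed mapping).
ENV_TEMPLATES = {
    ".py": 'os.environ["{var}"]',
    ".js": "process.env.{var}",
    ".ts": "process.env.{var}",
    ".sh": '"${{{var}}}"',
}
# Extra statement the rewritten file needs, if any.
REQUIRED_IMPORT = {".py": "import os"}

# key [= or :] "value"  -- the shape the scan flags for passwords, API keys and tokens
ASSIGNMENT = re.compile(
    r'(?P<key>[A-Za-z_][\w.-]*)\s*(?P<sep>[=:])\s*(?P<quote>["\']?)(?P<value>[^"\'\s,;]+)(?P=quote)'
)


def env_var_name(key: str, prefix: str = "") -> str:
    """Derive an env var name: apiKey -> API_KEY, db.password -> DB_PASSWORD."""
    snake = re.sub(r"(?<=[a-z0-9])(?=[A-Z])", "_", key)
    return prefix + re.sub(r"[^A-Za-z0-9]+", "_", snake).strip("_").upper()


def move_to_env_var(path: str, line: str, prefix: str = "") -> dict:
    """Rewrite one flagged line so it reads the value from the environment."""
    ext = PurePosixPath(path).suffix
    template = ENV_TEMPLATES.get(ext)
    if template is None:
        raise ValueError(f"no env-var rewrite rule for {ext or path!r} files")
    m = ASSIGNMENT.search(line)
    if m is None:
        raise ValueError("line is not a key/value assignment; use the inline Fix option")
    var = env_var_name(m.group("key"), prefix)
    # Replace the quoted literal (quotes included) with the environment lookup.
    new_line = line[:m.start("quote")] + template.format(var=var) + line[m.end():]
    return {
        "line": new_line,
        "var": var,
        # Goes into the committed .env.example: the name only, never the value.
        "env_example": f"{var}=<set locally, never commit>",
        "requires": REQUIRED_IMPORT.get(ext),
        # The real value is surfaced once so the operator can place it in the
        # secret store or a git-ignored .env; it is not written back to the file.
        "value": m.group("value"),
    }


if __name__ == "__main__":
    # Constructed sample lines, one per supported file type.
    for path, line in [
        ("src/settings.py", 'password = "prod123"'),
        ("web/client.js", 'const apiKey = "constructed-key-value";'),
        ("deploy.sh", 'PASSWORD="prod123"'),
    ]:
        r = move_to_env_var(path, line, prefix="APP_")
        print(f"{path}: {line!r} -> {r['line']!r}   .env.example: {r['env_example']}")
```

A file type without a rewrite template raises rather than guessing, which is the point at which the interactive flow should fall back to the inline Fix option; the `requires` field tells the caller that a Python file now needs `import os` at the top.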