Claude Code Plugins

Community-maintained marketplace

Feedback

security-secrets

@IgorWarzocha/Opencode-Workflows
21
0

Secret detection patterns and scanning workflow. Auto-loaded by security-reviewer agent for all security audits. Contains regex patterns for 25+ secret types (AWS, Google, GitHub, Stripe, etc.) and CLI scanning commands.

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name security-secrets
description Secret detection patterns and scanning workflow. Auto-loaded by security-reviewer agent for all security audits. Contains regex patterns for 25+ secret types (AWS, Google, GitHub, Stripe, etc.) and CLI scanning commands.

High-signal regex patterns for detecting secrets in codebases.

High-Signal Regex Patterns

Secret Type Pattern Notes
AWS Access Key AKIA[0-9A-Z]{16} Always 20 chars, starts AKIA
AWS Secret (?i)aws(.{0,20})?['"][0-9a-zA-Z/+]{40}['"] 40 chars base64-ish
Google API Key AIza[0-9A-Za-z\-_]{35} 39 chars total
Google OAuth [0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com Client ID
Google Service Account "type":\s*"service_account" In JSON files
GitHub Token gh[pousr]_[A-Za-z0-9_]{36,} ghp_/gho_/ghu_/ghs_/ghr_
GitHub PAT (fine-grained) github_pat_[A-Za-z0-9_]{22,} Newer format
GitLab Token glpat-[A-Za-z0-9\-]{20,} Personal access token
Stripe Secret `sk_(live test)_[0-9a-zA-Z]{24,}`
Stripe Restricted `rk_(live test)_[0-9a-zA-Z]{24,}`
Stripe Publishable `pk_(live test)_[0-9a-zA-Z]{24,}`
Slack Bot Token xoxb-[A-Za-z0-9-]+ Bot token
Slack User Token xoxp-[A-Za-z0-9-]+ User token
Slack Workflow Token xwfp-[A-Za-z0-9-]+ Workflow token
Slack App Token xapp-[A-Za-z0-9-]+ App-level token
Slack Webhook https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[a-zA-Z0-9]+
Discord Token [MN][A-Za-z\d]{23,}\.[\w-]{6}\.[\w-]{27} Bot token
Discord Webhook https://discord\.com/api/webhooks/[0-9]+/[A-Za-z0-9_-]+
OpenAI Key sk-[A-Za-z0-9]{48} API key
Anthropic Key sk-ant-[A-Za-z0-9\-]{32,} API key
Twilio SK[a-z0-9]{32} API key SID
SendGrid SG\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{43} API key
Mailgun key-[0-9a-zA-Z]{32} API key
Mailchimp [a-f0-9]{32}-us[0-9]{1,2} API key
Firebase (?i)firebase[a-z0-9\-]+\.firebaseio\.com Database URL
Supabase eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]* JWT (check context)
Heroku [hH]eroku.*[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12} API key
NPM Token npm_[A-Za-z0-9]{36} Publish token
PyPI Token pypi-[A-Za-z0-9_-]{50,} Upload token
Private Key `-----BEGIN (RSA EC
Database URL `(?i)(postgres mysql
Password in URL [a-zA-Z]{3,15}://[^/\\:@]+:[^/\\:@]+@.{1,100} Basic auth
JWT Secret `(?i)(jwt[_-]?secret token[_-]?secret)['"]?\s*[:=]\s*['"][^'"]+['"]`
Generic Secret `(?i)(password passwd

CLI Scanning Commands

# Quick grep scan (fast, high signal)
rg -n "(AKIA[0-9A-Z]{16}|sk_(live|test)_|rk_(live|test)_|pk_(live|test)_|xox[baprs]-|xapp-|xwfp-|gh[pousr]_|github_pat_)" .
rg -n "BEGIN (RSA|EC|OPENSSH|DSA|PGP) PRIVATE KEY" .
rg -n "(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"][^'\"]{8,}" .

# Dedicated scanners (thorough)
gitleaks detect --source . --redact --no-git
semgrep scan --config p/secrets --error
trufflehog filesystem . --only-verified

Files to Prioritize

File Pattern Risk Level Why
.env* CRITICAL Often contains all secrets
*config*.js/ts/json HIGH App configuration
*secret*, *credential* HIGH Named suspiciously
docker-compose*.yml HIGH DB passwords, service creds
.github/workflows/*.yml HIGH CI/CD secrets
*test*, *spec*, *fixture* MEDIUM Test data with real creds
*.pem, *.key, *.p12 CRITICAL Private keys

Redaction Format

When reporting secrets, MUST always redact:

Original: AKIAIOSFODNN7EXAMPLE
Redacted: AKIA****...****MPLE

Original: sk_test_XXXXYYYYZZZZ11112222
Redacted: sk_****...****2222

Show first 4 + last 4 characters only. MUST instruct immediate rotation.