Skip to content
Secrets Guardian cover
SecurityFree · MIT

Secrets Guardian

Stop API keys, tokens and private keys from entering code, commits or logs — detect, triage false positives, and fix the pattern.

v1.0.0 · ~570 tokens · ⬇ 0 · Updated July 6, 2026

What it does

Detects secrets in added/staged lines (provider-specific + generic + entropy patterns), triages real vs placeholder vs false-positive, and applies the safe env-var pattern. Advises rotation for anything ever committed (a deleted-but-pushed key is already burned). Masks secrets in its own output.

Example uses

Scan a repo before open-sourcing

You are about to make a private repo public and need certainty that no key, token, or connection string ever landed in the code.

We're open-sourcing our internal analytics repo next week. Scan the entire codebase for leaked secrets — API keys, tokens, private keys, database connection strings — and for every real hit, tell me whether the key needs rotation, not just deletion from the code.

Check staged changes for secrets

You just wired a third-party API into your app and want to make sure the key does not ride along in the commit.

I just added Stripe payment handling to our Express API and I'm about to commit. Scan the staged diff for secrets before I do — if my API key is hardcoded anywhere, move it to an environment variable, add the key name to .env.example, and confirm .env is git-ignored.

Respond to a leaked key

A live credential was pushed to a shared branch and you need the correct cleanup order, starting with rotation.

Someone pushed an AWS access key to our main branch two days ago in config/deploy.js. Walk me through the right response in order: rotate the key at the provider first, then remove it from the code and scrub history, then add a pre-commit guard so this can't happen again.

Install

# 1. Create the skill folder in your Claude setup
mkdir -p ~/.claude/skills/secrets-guardian

# 2. Download SKILL.md into it (or move the file you just downloaded)
#    → ~/.claude/skills/secrets-guardian/SKILL.md

# 3. Claude Code auto-discovers it on next launch.

Inside the skill

SKILL.md
---
name: secrets-guardian
description: Detect and prevent secrets (API keys, tokens, private keys, credentials) from entering code, commits, logs, or config. Use before committing, when adding config, when handling credentials, or on request ("check for leaked keys", "scan for secrets"). Catches leaks and proposes the safe pattern.
---

# Secrets Guardian

Secrets in a repo are forever (history, forks, mirrors, model training crawls).
Catch them before they land, and fix the pattern that let them in.

## Detect (scan added/staged lines)

High-signal patterns:
- `sk-[A-Za-z0-9]{20,}`, `ghp_[A-Za-z0-9]{36}`, `xox[baprs]-[A-Za-z0-9-]+` (Slack),
  `AKIA[0-9A-Z]{16}` (AWS), `AIza[0-9A-Za-z_-]{35}` (Google).
- `-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----`.
- Generic: `(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['"][^'"\s]{8,}['"]`
- Connection strings with inline creds: `(postgres|mysql|mongodb)://[^:]+:[^@]+@`.
- High-entropy string assigned to a suspicious name (base64/hex ≥ 32 chars).

## Triage a hit

1. **Real secret?** — a live-looking key/token/password → CRITICAL, stop.
2. **Placeholder / example?** — `your-key-here`, `xxxx`, `example`, obvious dummy → OK, but
   move it to `.env.example` so it never sits next to real config.
3. **False positive?** — a variable *name* like `apiKey` with no value, or a public
   identifier → fine; don't cry wolf.

## Fix pattern (never just delete)

- Move the value to an environment variable; reference `process.env.X` / `os.environ`.
- Add the key (name only) to `.env.example`; ensure `.env` is git-ignored.
- If it was ever committed: the key is **compromised** — rotate it at the provider,
  then scrub history. Rotation first; a deleted-but-already-pushed key is still burned.
- Add a pre-commit guard so it can't recur.

## Output

```
SECRETS SCAN — <target>
Findings: <n critical / n review / n ignored-fp>
  [CRITICAL] <file:line> — <type> — ROTATE + remove + move to env
Safe pattern applied: <what changed>
```

## Rules

- Assume any matched real secret is already compromised the moment it's in history — advise rotation, always.
- Do not print the full secret back in output/logs — mask the middle.
- Distinguish name-only mentions from real values; false alarms train people to ignore you.

Changelog

  • v1.0.02026-07-03Initial clean-room write.

Frequently asked questions

Is Secrets Guardian free?

Yes. Secrets Guardian is free to download and MIT-licensed.

Where do I install Secrets Guardian?

Place the SKILL.md file in ~/.claude/skills/secrets-guardian/ and Claude Code auto-discovers it on next launch.

How many tokens does Secrets Guardian use?

About 570 tokens — it is designed to be token-lean.

Anthony M. — Founder & Lead Reviewer
Anthony M.Verified Builder

We're developers and SaaS builders who use these tools daily in production. Every review comes from hands-on experience building real products — DealPropFirm, ThePlanetIndicator, PropFirmsCodes, and many more. We don't just review tools — we build and ship with them every day.

Written and tested by developers who build with these tools daily.