name: credential-leak-scanner
description: Scans files, code, configs, and text for leaked credentials including API keys, tokens, private keys, and connection strings. Use when user asks to "scan for secrets", "find leaked keys", "check for credentials", or "audit secrets in my code".
metadata:
author: oktsec
version: 1.0.0
license: Apache-2.0

Credential Leak Scanner

Find leaked secrets before they reach production. Scans code, configs, agent output, and text for 30+ credential patterns.

Instructions

Step 1: Determine scan scope

Ask the user what to scan:
- A specific file or directory
- A text block or agent message
- A git diff or commit
- An entire project

Step 2: Scan for credential patterns

Check every line against these patterns:

Cloud provider keys:
| Pattern | Service | Example prefix |
|---------|---------|---------------|
| AKIA[0-9A-Z]{16} | AWS Access Key | AKIA... |
| sk-[a-zA-Z0-9]{20,} | OpenAI API Key | sk-proj-... |
| sk-or-v1-[a-f0-9]{64} | OpenRouter | sk-or-v1-... |
| sk_live_[a-zA-Z0-9]{24,} | Stripe Live Key | sk_live_... |
| sk_test_[a-zA-Z0-9]{24,} | Stripe Test Key | sk_test_... |
| ghp_[a-zA-Z0-9]{36} | GitHub PAT | ghp_... |
| gho_[a-zA-Z0-9]{36} | GitHub OAuth | gho_... |
| glpat-[a-zA-Z0-9\-]{20} | GitLab PAT | glpat-... |
| xoxb-[0-9]{10,} | Slack Bot Token | xoxb-... |
| xoxp-[0-9]{10,} | Slack User Token | xoxp-... |
| SG\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{43} | SendGrid | SG.... |
| key-[a-zA-Z0-9]{32} | Mailgun | key-... |

Private keys:
| Pattern | Type |
|---------|------|
| -----BEGIN RSA PRIVATE KEY----- | RSA key |
| -----BEGIN OPENSSH PRIVATE KEY----- | SSH key |
| -----BEGIN EC PRIVATE KEY----- | EC key |
| -----BEGIN PGP PRIVATE KEY BLOCK----- | PGP key |

Connection strings:
| Pattern | Service |
|---------|---------|
| postgres://[^:]+:[^@]+@ | PostgreSQL with password |
| mysql://[^:]+:[^@]+@ | MySQL with password |
| mongodb://[^:]+:[^@]+@ | MongoDB with password |
| redis://:[^@]+@ | Redis with password |
| amqp://[^:]+:[^@]+@ | RabbitMQ with password |

Tokens and secrets:
| Pattern | Type |
|---------|------|
| eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}\. | JWT token |
| Bearer [a-zA-Z0-9_\-.]{20,} | Bearer token |
| basic [a-zA-Z0-9+/=]{20,} | Basic auth (base64) |
| password\s*[=:]\s*['"][^'"]{8,} | Hardcoded password |
| secret\s*[=:]\s*['"][^'"]{8,} | Hardcoded secret |

Step 3: Report findings

For each credential found:

## Credential Scan Report

### Findings

1. **[CRITICAL]** [Credential type]
   - File: [path:line]
   - Value: [redacted - show only first 8 chars + ...]
   - Service: [which service this key belongs to]
   - Risk: [what an attacker could do with this]
   - Fix: [specific remediation]

### Summary
- [count] credentials found
- [count] unique services affected
- Immediate actions: [list]

Step 4: Remediate

For each finding, provide:
1. Rotate immediately - the credential is compromised if it was ever in version control
2. Remove from code - use environment variables or a secret manager
3. Add to .gitignore - prevent future commits of secret files
4. Check git history - git log --all -p -S 'leaked-prefix' to find where it was introduced

Examples

Example 1: Scan a file

User: "Check this .env file for leaked secrets"

Scan the file line by line against all patterns. Report each match with redacted value.

Example 2: Scan agent output

User: "Is this agent response leaking anything? [paste]"

Analyze the text for credential patterns. Pay special attention to code blocks where secrets might be embedded in examples.

Common Issues

Test keys vs live keys

Distinguish between test keys (sk_test_, sandbox tokens) and production keys (sk_live_, production tokens). Both should be flagged but at different severities.

False positives

Random strings that match patterns (e.g., UUIDs matching key formats). Check length and character distribution. Real keys have specific formats.