Vibecosystem secret-scanner
Pre-push API key and credential scanner - blocks git push if secrets found
install
source · Clone the upstream repo
git clone https://github.com/vibeeval/vibecosystem
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/vibeeval/vibecosystem "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/secret-scanner" ~/.claude/skills/vibeeval-vibecosystem-secret-scanner && rm -rf "$T"
manifest: skills/secret-scanner/SKILL.md
Secret Scanner
Scans your codebase for leaked API keys, tokens, and credentials. Blocks git push if secrets are found.
Usage
# Scan current directory
vibeco secrets
# Scan specific path
vibeco secrets /path/to/project
Detected Secrets (22 patterns)
| Provider | Pattern | Example |
|---|---|---|
| OpenAI | , | |
| Anthropic | | |
| AWS | | |
| GitHub | , , | |
| Stripe | , | |
| | |
| Slack | , | |
| SendGrid | | |
| npm | | |
| PyPI | | |
| Database URLs | , , , | With embedded passwords |
| Private Keys | | PEM format |
Auto-Setup: Git Pre-Push Hook
Add to your project's .git/hooks/pre-push:
#!/bin/bash
vibeco secrets "$(git rev-parse --show-toplevel)" || exit 1
Make it executable:
chmod +x .git/hooks/pre-push
Now every git push will scan for secrets first. If any are found, push is blocked.
How It Works
- Walks all source files (skips node_modules, dist, .git, lock files)
- Matches 22 regex patterns for known API key formats
- Skips comments and regex definition lines (avoids false positives)
- If secrets found: prints masked values, exits with code 1 (blocks push)
- If clean: prints success, exits with code 0
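The per-line steps above as a small Node.js sketch, added here as an illustration and not the vibecosystem scanner's own code. The three patterns are well-known public key formats chosen as assumptions (the project's 22 patterns are not reproduced), and the comment rule, masking width and file name are hypothetical.

```javascript
// Added illustration: public key formats, not the project's pattern list.
const PATTERNS = [
  { name: 'AWS access key ID', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'GitHub personal access token', re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { name: 'PEM private key', re: /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/ },
];

// Keep only the first 4 characters so the report never re-leaks the secret.
function mask(value) {
  return value.slice(0, 4) + '*'.repeat(Math.max(value.length - 4, 0));
}

// Assumed comment rule: a line whose first token is //, #, * or /*.
function isComment(line) {
  return /^\s*(\/\/|#|\*|\/\*)/.test(line);
}

// Scan one file's text; returns findings with 1-based line numbers.
function scanText(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    if (isComment(line)) return; // skipped, as the list above describes
    for (const { name, re } of PATTERNS) {
      const m = re.exec(line);
      if (m) findings.push({ file, line: i + 1, name, masked: mask(m[0]) });
    }
  });
  return findings;
}

// Status a pre-push hook relies on: 1 blocks the push, 0 allows it.
function exitCode(findings) {
  return findings.length > 0 ? 1 : 0;
}

// Constructed sample input; the AWS value is AWS's documentation example key.
const SAMPLE = [
  '// const old = "AKIAIOSFODNN7EXAMPLE";',
  'const awsKey = "AKIAIOSFODNN7EXAMPLE";',
  'const token = "ghp_' + 'a'.repeat(36) + '";',
  'const key = process.env.API_KEY;',
].join('\n');

const results = scanText('config.js', SAMPLE);
for (const f of results) console.log(`${f.file}:${f.line} ${f.name} ${f.masked}`);
console.log('exit code:', exitCode(results));
```

Line 1 of the sample is not reported because whole-line comments are skipped, so a key left in commented-out code passes this kind of check.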
What to Do If Secrets Are Found
- Remove the secret from source code
- Move to .env file (add .env to .gitignore)
- Use environment variables: process.env.API_KEY
- If already pushed: rotate the credential immediately (it's compromised)
Scanned File Types
.ts .tsx .js .jsx .mjs .cjs .py .go .java .rb .php .rs .swift .kt .json .yml .yaml .toml .env .cfg .conf .ini .sh .bash .zsh .xml .properties .gradle