
Secret Sweeper

Find the AWS keys hiding in your git history before someone else does

Scans your repos, config files, and environment for hardcoded secrets, API keys, passwords, and credentials. Checks git history too — that "removed" API key from 6 months ago is still in the commit log.

House Recipe · Work · 2 min

INGREDIENTS

🐙 GitHub

PROMPT

Create a skill called "Secret Sweeper". Scan for leaked secrets and credentials:

  1. Run gitleaks or trufflehog on the git repo (including full history)
  2. Scan current files for patterns: API keys, passwords, tokens, private keys, connection strings
  3. Check `.env` files, docker-compose files, and CI configs for hardcoded secrets
  4. For each finding, indicate whether it looks potentially active based on context or metadata; only attempt active validation if I explicitly approve it
  5. For each finding, provide:
     - File and line number (or commit hash for historical leaks)
     - Secret type and risk level
     - Whether it appears to still be active
     - Remediation: exact steps to rotate and move to a secret manager

Also suggest pre-commit hooks and CI checks to prevent future leaks.

How It Works

Secrets leak in predictable ways: committed to git, left in `.env` files, hardcoded in Docker and docker-compose configs, or pasted into CI/CD configs and echoed into build logs. This skill checks all the usual hiding spots, including commits that were later "cleaned up" but are still reachable in history.

What You Get

  • Git history scan for committed secrets (even if later removed)
  • Current codebase scan for hardcoded credentials
  • `.env` file audit across all environments
  • Docker and docker-compose file inspection
  • CI/CD config review (exposed secrets in logs, non-masked variables)
  • Remediation steps: rotate, revoke, and move to a secret manager

Setup Steps

  1. Point your Claw at a repository or directory
  2. Let it scan with tools like gitleaks, trufflehog, or detect-secrets
  3. Review the findings
  4. Follow the remediation steps for each leaked secret

Tips

  • Always rotate any secret that was ever committed, even if you removed it
  • Rewriting history (force-push, `git filter-repo`) does not unexpose a secret: clones, forks, reflogs, and cached commits still hold it, so treat it as compromised until rotated
  • Set up a pre-commit hook to prevent future leaks
  • Check CI/CD logs too — secrets often leak in build output
  • Ask your Claw to help set up a proper secret manager (AWS Secrets Manager, Vault, etc.)
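
The scan described under Setup Steps (working tree plus full git history, each finding reported with a file and line or a commit hash) and the pre-commit check recommended in the Tips, as one added example. This is teaching code written for this page, not the skill's output and not the code of gitleaks, trufflehog, or detect-secrets; the four-rule pattern table, the 3.5 bits/char entropy floor, the sample `git log -p --all` excerpt, the `.env` contents, and every function name are this example's own constructions. The AWS key in the sample is the value AWS uses in its own documentation, not a live credential.

```python
# Added teaching example, not the skill's or any real tool's code. Rule set,
# entropy floor and function names are this example's own choices.
import math
import os
import re
import tempfile
from dataclasses import dataclass

# (rule, regex, default risk). No leading \b on the generic rule: DB_PASSWORD= has no word boundary.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), "high"),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), "high"),
    ("db_connection_string",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^:/\s]+:[^@\s]+@"), "high"),
    ("generic_secret",
     re.compile(r"""(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['"]?([A-Za-z0-9+/=_\-]{12,})"""), "medium"),
]
ENTROPY_FLOOR = 3.5  # bits/char: "password1234" scores ~3.42, a random 28-char token ~4.7

@dataclass
class Finding:
    kind: str
    risk: str
    location: str                # "path:line" for files, "commit <hash> path" for history
    value: str
    removed_later: bool = False  # deleted by a later commit, yet still reachable in history

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))

def scan_line(line: str, location: str) -> list[Finding]:
    out = []
    for kind, rx, risk in PATTERNS:
        for m in rx.finditer(line):
            value = m.group(1) if m.lastindex else m.group(0)
            level = risk
            if kind == "generic_secret" and shannon_entropy(value) < ENTROPY_FLOOR:
                level = "low"  # reads like a placeholder: report it, don't block on it
            out.append(Finding(kind, level, location, value))
    return out

def scan_tree(root: str) -> list[Finding]:
    """Walk the checkout (.env files, compose files, CI configs, source)."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules", ".venv")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                for no, line in enumerate(fh, 1):
                    found.extend(scan_line(line, f"{os.path.relpath(path, root)}:{no}"))
    return found

def scan_diff(text: str, label: str = "staged") -> list[Finding]:
    """Scan `git log -p --all` (history) or `git diff --cached` (pre-commit) output.
    '+' lines are findings; a '-' line with the same value means some commit deleted
    it from the tree, which leaves it in history and still in need of rotation."""
    found, removed, path = [], set(), "?"
    for line in text.splitlines():
        if line.startswith("commit "):
            label = "commit " + line.split()[1][:12]
        elif line.startswith("+++ b/"):
            path = line[6:]
        elif line.startswith("+") and not line.startswith("+++"):
            found.extend(scan_line(line[1:], f"{label} {path}"))
        elif line.startswith("-") and not line.startswith("---"):
            removed.update(f.value for f in scan_line(line[1:], ""))
    for f in found:
        f.removed_later = f.value in removed
    return found

def precommit_ok(staged_diff: str) -> bool:
    """Hook body: refuse the commit when the staged diff adds a non-low finding."""
    return not any(f.risk != "low" for f in scan_diff(staged_diff))

# Constructed `git log -p --all` excerpt, newest first, headers and messages trimmed.
SAMPLE_GIT_LOG = """\
commit 9b1d2c3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c
diff --git a/config/settings.py b/config/settings.py
+++ b/config/settings.py
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
commit 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b
diff --git a/config/settings.py b/config/settings.py
+++ b/config/settings.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DATABASE_URL = "postgres://app:hunter2hunter2@db.internal/app"
"""

def build_sample_repo() -> str:
    """Constructed checkout in a temp dir: a placeholder password, a live-looking token,
    and a compose file that correctly references an env var instead of a literal."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, ".env"), "w") as fh:
        fh.write("DB_PASSWORD=password1234\nSTRIPE_SECRET=sk_live_9fQ2xT7vLp8mZaW1rBnY\n")
    with open(os.path.join(root, "docker-compose.yml"), "w") as fh:
        fh.write("services:\n  db:\n    environment:\n      - POSTGRES_PASSWORD=${DB_PASSWORD}\n")
    return root
```

Against a real checkout, call `scan_tree(".")` and `scan_diff(subprocess.check_output(["git", "log", "-p", "--all"], text=True))`; for a hook, feed the output of `git diff --cached -U0` to `precommit_ok` and exit non-zero when it returns False. The `removed_later` flag is the point of the history scan: the key that commit 9b1d2c3e deleted from `config/settings.py` is still reachable from commit 1a2b3c4d and has to be rotated, which is exactly the case the "removed" API key in the description refers to.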
Tags: #security #secrets #git #devops