Repository inventory

bizshuk/llm_plugin

Skills indexed from this repository, with install-style signals scoped to the repo.
3 skills · 0 GitHub stars · 0 weekly installs · Language: Shell

Overview

This skill scans your workspace for exposed secrets and other security risks such as hardcoded passwords, API keys, tokens, and private keys. It reports findings with file paths, line numbers, and suggested remediation steps so you can quickly secure or rotate compromised credentials. The scanner runs locally and respects .gitignore and common exclusions to reduce noise.

How this skill works

The scanner searches project files using regex patterns for common secret formats (AWS keys, GitHub tokens, JWTs, connection strings, private keys, base64-like blobs) and inspects surrounding context to assess severity. It excludes large binaries and typical vendor directories, checks whether files are tracked by git, and classifies findings as high, medium, or low risk. The output includes a concise report with remediation recommendations like moving secrets to environment variables, using secret managers, and rotating compromised keys.
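The approach described above, reduced to its core, as an added example that is not code from the bizshuk/llm_plugin skill: one regex per secret type, directory exclusions, context-based severity (placeholders and test fixtures are downgraded), masked snippets and per-type remediation, run over a constructed in-memory workspace. The pattern set, the severity model and the placeholder heuristic are assumptions of this example, not the skill's own rules.

```python
import re
from pathlib import PurePosixPath

# kind -> (regex, base severity, remediation). Prefix formats are real; every sample value below is constructed.
SECRET_TYPES = {
    "aws_access_key_id": (re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), "high", "rotate in IAM, move to env/secret manager"),
    "github_token": (re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"), "high", "revoke token, use a scoped CI secret"),
    "private_key": (re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), "high", "generate a new key pair"),
    "jwt": (re.compile(r"\beyJ[\w-]{8,}\.[\w-]{8,}\.[\w-]{8,}\b"), "medium", "invalidate session, shorten lifetime"),
}
EXCLUDED_DIRS = {".git", "node_modules", "vendor", "dist", "build"}   # typical vendor/build directories
TEST_DIRS = {"test", "tests", "fixtures", "examples"}                 # lower-risk context
PLACEHOLDER = re.compile(r"example|placeholder|dummy|changeme|xxxx", re.I)

def classify(path, kind, line):
    """Assumed severity model: base severity by secret type, downgraded by surrounding context."""
    base = SECRET_TYPES[kind][1]
    if PLACEHOLDER.search(line):                     # documented placeholder, not a live credential
        return "low"
    if TEST_DIRS & set(PurePosixPath(path).parts):   # test fixture: lower risk than production code
        return "medium" if base == "high" else "low"
    return base

def mask(value):
    return value[:6] + "***"   # keep a short prefix only, so the report itself does not leak the secret

def scan_files(files):
    """files maps path -> text (an in-memory workspace). Returns one finding dict per match."""
    findings = []
    for path, text in files.items():
        if EXCLUDED_DIRS & set(PurePosixPath(path).parts):
            continue                                 # excluded directories are skipped entirely
        for no, line in enumerate(text.splitlines(), 1):
            for kind, (rx, _, fix) in SECRET_TYPES.items():
                if m := rx.search(line):
                    findings.append({"path": path, "line": no, "kind": kind, "snippet": mask(m.group(0)),
                                     "severity": classify(path, kind, line), "fix": fix})
    return findings

# Constructed sample workspace: a live-looking config, a documented placeholder, a test token, a vendored key.
SAMPLE_FILES = {
    "src/config.py": 'AWS_ACCESS_KEY_ID = "AKIAZZ1234567890ABCD"\nGITHUB_TOKEN = "ghp_' + "a1b2c3d4" * 4 + 'e5f6"\n',
    "tests/test_aws.py": 'KEY = "AKIAIOSFODNN7EXAMPLE"  # placeholder from the docs\n',
    "tests/test_auth.py": "TOKEN = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.abcdefghijklmnop'\n",
    "vendor/lib/key.pem": "-----BEGIN RSA PRIVATE KEY-----\nconstructed-body\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['severity'].upper():6} {f['path']}:{f['line']} {f['kind']} {f['snippet']} -> {f['fix']}")
```

Running it reports the two findings in src/config.py as high, the two test-file hits as low, and nothing from the vendored key, which is exactly the noise reduction the skill's exclusions and context checks aim for.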

When to use it

  • Before committing code or opening a pull request
  • During code reviews or CI/CD pipeline checks
  • When onboarding a new project or auditing a repository
  • After merging third-party code or adding new services
  • When you suspect accidental credential exposure

Best practices

  • Run scans regularly and integrate into CI/CD to catch issues early
  • Treat high-severity findings immediately—rotate keys and revoke access
  • Move secrets to environment variables or a managed secret store
  • Add .env and other credential files to .gitignore and use pre-commit hooks
  • Educate the team about secret handling and least-privilege principles

Example use cases

  • Full workspace scan to find any committed secrets before release
  • Targeted scan for AWS credentials or GitHub tokens after a library upgrade
  • Search for database connection strings before sharing a repo
  • Custom pattern scan to detect proprietary token formats or long base64 strings
  • CI job that fails the build on any high-severity secret detection

FAQ

Does the scanner send my files or secrets anywhere?

No. The scanner runs locally and does not transmit files or secrets; however, be careful when sharing the scan report, since it contains sensitive locations and snippets.

How do I reduce false positives?

Tune custom regex patterns, exclude known test fixtures or example files, and mark placeholders in docs. Use contextual analysis: findings in test files are lower risk than in production code.

Built by VeilStrat
© 2026 VeilStrat. All rights reserved.