name: secret-scanner description: "Pre-push API key and credential scanner - blocks git push if secrets found" version: 1.0.0 category: security tags: [secrets, api-keys, pre-push, git-hooks, security]

Secret Scanner

Scans your codebase for leaked API keys, tokens, and credentials. Blocks git push if secrets are found.

Usage

# Scan current directory
vibeco secrets

# Scan specific path
vibeco secrets /path/to/project

Detected Secrets (22 patterns)

Auto-Setup: Git Pre-Push Hook

Add to your project's .git/hooks/pre-push:

#!/bin/bash
vibeco secrets "$(git rev-parse --show-toplevel)" || exit 1

Make it executable:

chmod +x .git/hooks/pre-push

Now every git push will scan for secrets first. If any are found, push is blocked.

How It Works

1. Walks all source files (skips node_modules, dist, .git, lock files)
2. Matches 22 regex patterns for known API key formats
3. Skips comments and regex definition lines (avoids false positives)
4. If secrets found: prints masked values, exits with code 1 (blocks push)
5. If clean: prints success, exits with code 0

What to Do If Secrets Are Found

1. Remove the secret from source code
2. Move to .env file (add .env to .gitignore)
3. Use environment variables: process.env.API_KEY
4. If already pushed: rotate the credential immediately (it's compromised)

Scanned File Types

.ts .tsx .js .jsx .mjs .cjs .py .go .java .rb .php .rs .swift .kt .json .yml .yaml .toml .env .cfg .conf .ini .sh .bash .zsh .xml .properties .gradle