# secrets-scan

> Detect leaked secrets with Gitleaks. Use for secret leaks, credentials, keys, tokens, or code security checks.

- Author: Eliran
- Repository: Eliran-Turgeman/code-security-skills
- Version: 20260206111519
- Stars: 0
- Forks: 0
- Last Updated: 2026-02-06
- Source: https://github.com/Eliran-Turgeman/code-security-skills
- Web: https://mule.run/skillshub/@@Eliran-Turgeman/code-security-skills~secrets-scan:20260206111519

---

```yaml
---
name: secrets-scan
description: Detect leaked secrets with Gitleaks. Use for secret leaks, credentials, keys, tokens, or code security checks.
---
```

## Goal

Detect leaked credentials, keys, tokens, and other secrets in a repository using Gitleaks. Produce normalized findings in the canonical schema.

## Inputs

- Repo root mounted read-only at `/repo`
- Output directory mounted at `/out`
- Shared references:
  - `shared/DOCKER_IMAGES.md`
  - `shared/CANONICAL_FINDING_SCHEMA.md`
  - `shared/TRIAGE_RULES.md`

## Safety constraints

- Never print raw secrets. Always redact in `evidence`.
- Only read from `/repo:ro`.
- Write outputs only to `/out`.

## Tool invocation

Use the pinned image from `shared/DOCKER_IMAGES.md`. Example command:

```bash
docker run --rm \
  -v "$PWD:/repo:ro" \
  -v "$PWD/out:/out" \
  zricethezav/gitleaks:v8.18.2 \
  detect --source /repo --report-format json --report-path /out/gitleaks.json
```

## Output normalization

- Read `/out/gitleaks.json`.
- Map each finding to the canonical schema in `shared/CANONICAL_FINDING_SCHEMA.md`.
- Set:
  - `category = secrets`
  - `tool = gitleaks`
  - `title` from Gitleaks rule description
  - `file`, `start_line`, `end_line` from location
  - `severity` map: `critical` for high-confidence secrets, otherwise `high`
  - `confidence` from rule confidence if available; else `high`
- `evidence` must be redacted (e.g., `API_KEY=REDACTED`).
- Write normalized output to `/out/findings.secrets.json`.

## Prioritization

Apply `shared/TRIAGE_RULES.md` when sorting findings.
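The normalization and redaction steps above, as an added example that is not part of this repository's code. It assumes the canonical schema uses the field names listed in this skill (`category`, `tool`, `title`, `file`, `start_line`, `end_line`, `severity`, `confidence`, `evidence`) and that a per-finding `Confidence` key, when present, carries rule confidence; the Gitleaks v8 report fields (`Description`, `Match`, `Secret`, `File`, `StartLine`, `EndLine`, `RuleID`) are real, and the sample entry is constructed.

```python
import json

REDACTED = "REDACTED"

# Constructed sample entry in the shape of a Gitleaks v8 JSON report.
SAMPLE_REPORT = [{
    "Description": "Generic API Key",
    "StartLine": 12, "EndLine": 12,
    "Match": "API_KEY=abcd1234efgh5678",
    "Secret": "abcd1234efgh5678",
    "File": "config/settings.py",
    "RuleID": "generic-api-key",
}]


def redact(match: str, secret: str) -> str:
    """Blank the secret value inside the matched text.

    If the secret is empty or not contained in the match, replace the
    whole match so no fragment of it can reach `evidence`.
    """
    if not secret or secret not in match:
        return REDACTED
    return match.replace(secret, REDACTED)


def normalize_finding(raw: dict) -> dict:
    """Map one raw Gitleaks entry onto the assumed canonical schema."""
    # Gitleaks v8 reports carry no rule confidence; `Confidence` is an
    # assumed key, so the fallback to "high" normally applies.
    confidence = str(raw.get("Confidence", "high")).lower()
    return {
        "category": "secrets",
        "tool": "gitleaks",
        "title": raw.get("Description") or raw.get("RuleID", "unknown rule"),
        "file": raw["File"],
        "start_line": raw["StartLine"],
        "end_line": raw.get("EndLine", raw["StartLine"]),
        "severity": "critical" if confidence == "high" else "high",
        "confidence": confidence,
        "evidence": redact(raw.get("Match", ""), raw.get("Secret", "")),
    }


def normalize_report(report) -> list:
    """Normalize a whole report (tolerating a null/empty one) and refuse
    to emit any finding whose serialized form still contains the secret."""
    findings = [normalize_finding(r) for r in (report or [])]
    for raw, finding in zip(report or [], findings):
        if raw.get("Secret") and raw["Secret"] in json.dumps(finding):
            raise ValueError(f"unredacted secret in finding for {finding['file']}")
    return findings
```

In the skill's flow this would read `/out/gitleaks.json` with `json.load` and write the result of `normalize_report` to `/out/findings.secrets.json`.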
## User-facing report format

Provide a short summary and a table with:

- `severity`
- `title`
- `file:line`
- `remediation`

## How to rerun locally

```bash
mkdir -p out
docker run --rm \
  -v "$PWD:/repo:ro" \
  -v "$PWD/out:/out" \
  zricethezav/gitleaks:v8.18.2 \
  detect --source /repo --report-format json --report-path /out/gitleaks.json
```