keyenv

keyenv-scan

Scan codebases for hardcoded secrets and credentials using KeyEnv's built-in scanner. Use when the user wants to find leaked API keys, passwords, tokens, or private keys in their code, or set up a pre-commit hook to prevent secret commits.

keyenv 0 Updated 3mo ago

Install

npx skillscat add keyenv/keyenv-skills/keyenv-scan

Install via the SkillsCat registry.

SKILL.md

KeyEnv Scan - Secret Detection

KeyEnv includes a built-in scanner that detects 50+ types of hardcoded secrets in source code: AWS keys, API tokens, private keys, database passwords, and more.

Prerequisites

Requires the keyenv CLI; confirm it is installed and on PATH with: keyenv --version

Install if missing (the installer is piped straight into a shell; fetch and read install.sh first if your environment requires reviewing third-party scripts before running them):

curl -fsSL https://keyenv.dev/install.sh | bash

Scanning for Secrets

# Scan current directory
keyenv scan

# Scan specific path
keyenv scan ./src

# Filter by severity (critical, high, medium, low)
keyenv scan --severity high

# JSON output for parsing
keyenv scan --json

The scanner respects .gitignore and .keyenvignore for exclusions.

Understanding Results

Output shows each finding with:

  • File path and line number
  • Pattern matched (e.g., "AWS Access Key", "GitHub Token")
  • Severity level (critical, high, medium, low)
  • Masked preview of the matched value

Example:

src/config.js:15  [critical] AWS Access Key ID
  AKIAIOSFODNN7EXAMPLE...

Found 3 secrets (1 critical, 2 high)

Pre-commit Hook

Prevent secrets from being committed:

# Install pre-commit hook
keyenv scan --hook

# Remove pre-commit hook
keyenv scan --hook --remove

The hook runs keyenv scan on staged files before each commit and blocks the commit if secrets are found. Git lets a committer skip hooks with git commit --no-verify, so treat the hook as a developer convenience and keep a scan in CI as the enforcing control.

Upload Results

Report findings to the KeyEnv dashboard for team visibility:

keyenv scan --upload

Requires an initialized project (keyenv init) and authentication.

Custom Exclusions

Create a .keyenvignore file to exclude paths beyond .gitignore:

# .keyenvignore
test/fixtures/
docs/examples/
*.test.js

Detected Patterns

The scanner detects secrets across these categories:

Category          Examples
Cloud providers   AWS keys, GCP service accounts, Azure tokens
API keys          Stripe, Twilio, SendGrid, Slack, GitHub
Authentication    JWTs, OAuth tokens, session secrets
Databases         Connection strings with passwords
Cryptographic     Private keys (RSA, EC, PGP), certificates
Generic           High-entropy strings, base64-encoded secrets
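To make the categories above concrete, here is a small scanner of the same shape: specific regex rules for well-known key formats, a generic rule that only fires when a secret-looking assignment holds a high-entropy literal, masked previews and severity tags. This is an added illustration and not KeyEnv's engine or rule set; the patterns, the 3.5 bits/char entropy cut-off, the severities and the sample file are all assumptions constructed for the example.

```python
"""Toy secret scanner illustrating the rule categories above (not KeyEnv's code)."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Specific rules: (name, severity, regex). When a regex has a capturing group,
# that group is the part of the match that gets masked in the preview.
# These patterns are illustrative assumptions, not KeyEnv's rule set.
PATTERNS = [
    ("AWS Access Key ID", "critical",
     re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("GitHub Token", "high",
     re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("Private Key", "critical",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |PGP )?PRIVATE KEY-----")),
    ("Database Connection String", "high",
     re.compile(r"\b(?:postgres|mysql|mongodb)(?:\+srv)?://[^:\s/]+:([^@\s]+)@")),
]

# Generic rule: a secret-looking variable assigned a long literal. It is only
# reported when the literal has high entropy, so placeholders such as
# "xxxxxxxx..." are not flagged.
ASSIGNMENT = re.compile(
    r"""(?i)(?:secret|token|password|api[_-]?key)\w*\s*[:=]\s*["']([A-Za-z0-9+/=_\-]{20,})["']"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed cut-off


@dataclass
class Finding:
    path: str
    line: int
    pattern: str
    severity: str
    preview: str


def shannon_entropy(value: str) -> float:
    """Estimate bits of entropy per character from the symbol histogram."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def mask(value: str, keep: int = 4) -> str:
    """Keep a short identifying prefix and star the rest."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def preview(m: re.Match) -> str:
    """Masked view: star group 1 if the rule isolates the secret, else the whole match."""
    whole = m.group(0)
    if m.lastindex:
        s, e = m.start(1) - m.start(0), m.end(1) - m.start(0)
        return whole[:s] + mask(whole[s:e], keep=0) + whole[e:]
    return mask(whole)


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every rule over each line; the generic rule only runs on lines no specific rule explained."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = False
        for name, severity, rx in PATTERNS:
            for m in rx.finditer(line):
                findings.append(Finding(path, lineno, name, severity, preview(m)))
                matched = True
        if matched:
            continue
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(path, lineno, "High-entropy string", "medium", preview(m)))
    return findings


def count_by_severity(findings: list[Finding]) -> dict:
    return dict(Counter(f.severity for f in findings))


# Constructed sample file; every secret-looking value here is fake.
SAMPLE_SOURCE = "\n".join([
    'const region = "us-east-1";',
    'const awsKey = "AKIAIOSFODNN7EXAMPLE";',
    'const ghToken = "ghp_0123456789abcdef0123456789abcdef0123";',
    'const dbUrl = "postgres://app:Sup3rS3cretPw@db.internal:5432/app";',
    'const apiKey = "sk_live_9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c";',
    'const apiToken = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";',  # placeholder: low entropy, not reported
])

if __name__ == "__main__":
    results = scan_text("src/config.js", SAMPLE_SOURCE)
    for f in results:
        print(f"{f.path}:{f.line}  [{f.severity}] {f.pattern}\n  {f.preview}")
    counts = count_by_severity(results)
    print(f"Found {len(results)} secrets ({', '.join(f'{v} {k}' for k, v in counts.items())})")
```

The line-level dedup matters: the GitHub token line also satisfies the generic assignment rule, and without the skip it would be reported twice. The entropy gate is what separates the live-looking Stripe-style key from the "xxxx..." placeholder on the last line.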

Common Workflows

Audit a codebase:

keyenv scan --json | jq '.findings | group_by(.severity) | map({severity: .[0].severity, count: length})'

CI pipeline check:

keyenv scan --severity high
# Exit code 1 if secrets found, 0 if clean
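For the audit and CI workflows, a gate that consumes keyenv scan --json output and decides pass or fail by severity threshold, as an added example that is not part of KeyEnv. It assumes the JSON document has a top-level "findings" array whose entries carry a "severity" field (the jq command above relies on both), plus "file", "line" and "pattern" fields, which are assumed names; the sample output is constructed.

```python
"""Severity-threshold CI gate over `keyenv scan --json` output (added example, not KeyEnv's code)."""
import json
import subprocess
from collections import Counter

# Ordering used to compare a finding against the threshold.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def parse_findings(raw: str) -> list[dict]:
    """Assumed schema: {"findings": [{"file", "line", "pattern", "severity"}, ...]}."""
    return json.loads(raw).get("findings", [])


def count_by_severity(findings: list[dict]) -> dict:
    return dict(Counter(f.get("severity", "unknown") for f in findings))


def at_or_above(findings: list[dict], threshold: str) -> list[dict]:
    """Findings whose severity meets the threshold; unknown severities never block."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK.get(f.get("severity"), -1) >= floor]


def gate(raw: str, threshold: str = "high") -> tuple[int, dict, list[dict]]:
    """Return (exit_code, counts, blocking). Exit 1 when any finding meets the threshold."""
    findings = parse_findings(raw)
    blocking = at_or_above(findings, threshold)
    return (1 if blocking else 0), count_by_severity(findings), blocking


def run_keyenv(path: str = ".") -> str:
    """Invoke the real scanner. Its exit status is ignored here because a
    non-zero exit is expected whenever it finds something; the JSON is what we judge."""
    proc = subprocess.run(["keyenv", "scan", "--json", path],
                          capture_output=True, text=True)
    return proc.stdout


# Constructed sample of scanner output; paths and values are fake.
SAMPLE_OUTPUT = json.dumps({"findings": [
    {"file": "src/config.js", "line": 15, "pattern": "AWS Access Key ID", "severity": "critical"},
    {"file": "scripts/deploy.sh", "line": 3, "pattern": "GitHub Token", "severity": "high"},
    {"file": "docs/README.md", "line": 40, "pattern": "High-entropy string", "severity": "low"},
]})

if __name__ == "__main__":
    code, counts, blocking = gate(SAMPLE_OUTPUT, threshold="high")  # swap in run_keyenv() for a live run
    for f in blocking:
        print(f"{f['file']}:{f['line']}  [{f['severity']}] {f['pattern']}")
    print("counts:", counts, "exit:", code)
    raise SystemExit(code)
```

Counting every finding while only blocking on the threshold gives the audit summary and the pipeline verdict from one scan; lowering the threshold to "medium" on a new repository is a one-word change.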

Before pushing code:

keyenv scan && git push