2.3 million secrets are sitting in public git repos right now. Make sure yours aren't among them.
| Stat | Number |
|---|---|
| Secrets in public GitHub repos | 2.3M+ (2025) |
| Average time to rotation after leak | 27 days |
| Cost of single API key compromise | $10K-$500K+ |
| Most common cause | Hardcoded keys in config files |
```bash
# Search current files for common secret patterns
grep -rn -E "(AKIA[0-9A-Z]{16}|ghp_[0-9a-zA-Z]{36}|BEGIN.*PRIVATE KEY)" . \
  --exclude-dir=node_modules --exclude-dir=.git
```

| Category | Patterns |
|---|---|
| 🔑 AWS Keys | AKIA[0-9A-Z]{16}, aws_secret_access_key |
| 🐙 GitHub Tokens | ghp_, gho_, ghu_, ghs_ |
| 🔐 Private Keys | BEGIN RSA/EC/DSA PRIVATE KEY |
| 🔗 Database URLs | postgres://, mongodb:// with credentials |
| 🤖 JWT Tokens | eyJ... encoded tokens |
| 📢 Webhooks | Slack/Discord webhook URLs |
| 💳 API Keys | Generic api_key = "..." patterns |
- Copy SKILL.md to your agent's skills directory
- Run a basic scan with the copy-paste commands in SKILL.md
- Set up pre-commit hooks to prevent future leaks
- Add CI/CD scanning with TruffleHog or Gitleaks
1. ROTATE — Generate new credentials immediately
2. REMOVE — Use git-filter-repo to purge from history
3. PREVENT — Add .gitignore + pre-commit hooks
4. MONITOR — Set up GitHub secret scanning alerts
- Pre-commit checks — Catch secrets before they enter git
- CI/CD pipelines — Automated scanning on every push
- Repository audits — Full history scan for existing leaks
- Agent code review — Flag secrets during code generation
- Compliance — SOC2, HIPAA, PCI-DSS requirements
```yaml
# GitHub Actions - add to your workflow
- name: Secret Scan
  uses: trufflesecurity/trufflehog@main
  with:
    extra_args: --only-verified
```

- skill-mcp-security-audit - MCP server security
- skill-dependency-guard - Pre-install supply chain scanner
MIT - Use freely, scan everything.
Every secret in git history is a ticking time bomb. Sweep them before they explode.