mturac/pluginpool-secret-guard
secret-guard

Block leaked API keys before they hit origin. Pattern + entropy. Redacted output.

License: MIT · Python 3.8+ · Claude Code Plugin · Tests: 10 passing

TL;DR: /secret-guard → scans your staged diff for AWS / GitHub / Slack / Stripe / Google API keys, JWTs, private keys, and high-entropy base64 strings. Blocks the commit before the secret leaves your machine.

Why this exists

Most "secret scanners" run in CI, after the leak is already in git history. By then rotating the key is the only real fix: anyone who fetched the commit already has a copy, and rewriting history does not recall it. secret-guard runs in your pre-commit hook (or via Claude Code on demand) and catches the leak before the commit object exists. The output is redacted by design, so you can paste a finding in chat, in a PR or in Slack without leaking the very thing you are trying to protect.

Install (Claude Code + pre-commit)

```bash
git clone https://github.com/mturac/pluginpool-secret-guard ~/.claude/plugins/secret-guard
```

To wire it up as a pre-commit hook:

```bash
cp ~/.claude/plugins/secret-guard/hooks/pre-commit .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit
```

`cp` overwrites any pre-commit hook the repository already has; if one exists, call this one from it instead. Hooks live in `.git/hooks`, which is not cloned with the repository, so every contributor installs it separately.

Quick start

```bash
/secret-guard                                            # scan staged diff (Claude Code)
python3 scripts/guard.py                                 # same, directly, from the plugin directory
python3 scripts/guard.py --files src/config.py .env      # scan specific files
python3 scripts/guard.py --allowlist .secretignore       # suppress known false positives
```

Flags

| Flag | Default | Description |
|---|---|---|
| `--files F…` | staged diff | Scan specific files instead of the staged diff |
| `--allowlist PATH` | none | Regexes (one per line) that suppress matching findings |
| `--format` | `json` | `json` or `md` |

Detected patterns

| Rule | Match |
|---|---|
| AWS Access Key ID | `AKIA[0-9A-Z]{16}` |
| GitHub PAT | `gh[pousr]_[A-Za-z0-9]{36,}` |
| Slack token | `xox[abpr]-[A-Za-z0-9-]{10,}` |
| Stripe key | `sk_(live` |
| Google API key | `AIza[0-9A-Za-z_-]{35}` |
| JWT | `eyJ…\.eyJ…\.…` |
| Private key | `-----BEGIN … PRIVATE KEY-----` |
| Generic high-entropy | base64-ish token, ≥32 chars, Shannon entropy ≥ 4.5 bits per character |

Example output (markdown)

```markdown
# secret-guard report

| file | line | rule | snippet |
|---|---|---|---|
| src/config.py | 12 | aws-access-key | AKIA… |
| .env | 4 | stripe-key | sk_l… |
```

Note: snippets are always rule + first 4 chars + `…`, never the full secret. For provider keys those four characters are the fixed prefix (`AKIA`, `sk_l`, `ghp_`), so the snippet reveals nothing the rule name does not; for generic high-entropy findings they are four real characters of the value, which is why the snippet stops there.

Exit codes

| Code | Meaning |
|---|---|
| 0 | Clean — no secrets found |
| 1 | At least one finding (commit is blocked when used as a hook) |

Safety guarantees

  • test_redaction_contains_only_rule_and_first_four asserts the raw secret never appears in JSON or markdown output.
  • test_files_mode_does_not_crash_on_non_utf8 ensures non-UTF-8 / binary files are skipped, not crashed on.
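The scanning pipeline the pattern table, the redaction note and the two guarantees above describe, as an added example that is not the project's `scripts/guard.py`: it parses a staged unified diff into added lines with their new-file line numbers, applies the specific rules and then the ≥32-char / ≥4.5-bit Shannon-entropy rule to tokens no specific rule covered, drops findings an allowlist regex matches, skips binary and non-UTF-8 input instead of crashing, and renders the redacted markdown table. The concrete JWT and private-key regexes, the base64-ish token alphabet, the rule names, the allowlist semantics (regex searched against the raw match) and the sample diff are assumptions; the Stripe rule is omitted because its pattern is cut off in the table above.

```python
"""Added example (not the project's scripts/guard.py): pattern + entropy scan of a
staged diff with redacted output, allowlist suppression and binary-file skipping."""
import math
import re

# Rules from the README table. The JWT and private-key regexes are assumed concrete
# forms of the README's elided patterns; the Stripe rule is omitted because its
# pattern is cut off in the source.
RULES = {
    "aws-access-key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "github-pat": re.compile(r"gh[pousr]_[A-Za-z0-9]{36,}"),
    "slack-token": re.compile(r"xox[abpr]-[A-Za-z0-9-]{10,}"),
    "google-api-key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
BASE64ISH = re.compile(r"[A-Za-z0-9+/=_-]{32,}")  # token alphabet is an assumption
MIN_ENTROPY = 4.5  # bits per character, the README's threshold
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(s):
    """Bits per character of the empirical character distribution of s."""
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values()) if n else 0.0


def redact(secret):
    return secret[:4] + "…"  # README snippet policy: first four chars, never more


def added_lines(diff):
    """Yield (path, new-file line number, text) for each '+' line of a unified diff."""
    path, lineno = "", 0
    for raw in diff.splitlines():
        m = HUNK.match(raw)
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif m:
            lineno = int(m.group(1))
        elif raw.startswith("+"):
            yield path, lineno, raw[1:]
            lineno += 1
        elif raw.startswith(" ") or raw == "":
            lineno += 1  # unchanged context consumes a new-file line number
        # removed lines, 'diff --git', '---', 'index', '\ No newline' consume none


def scan_line(path, lineno, text, allowlist):
    """Specific rules first, then the entropy rule on tokens no specific rule covered."""
    hits = [(rule, m.group(0), m.span()) for rule, rx in RULES.items() for m in rx.finditer(text)]
    covered = [span for _, _, span in hits]
    for m in BASE64ISH.finditer(text):
        s, e = m.span()
        if any(s < ce and e > cs for cs, ce in covered):
            continue
        if shannon_entropy(m.group(0)) >= MIN_ENTROPY:
            hits.append(("high-entropy", m.group(0), (s, e)))
    # Allowlist semantics assumed: a regex that matches the raw secret suppresses it.
    return [{"file": path, "line": lineno, "rule": rule, "snippet": redact(raw)}
            for rule, raw, _ in hits if not any(a.search(raw) for a in allowlist)]


def scan_diff(diff, allowlist=()):
    compiled = [re.compile(a) for a in allowlist]
    return [f for path, n, text in added_lines(diff) for f in scan_line(path, n, text, compiled)]


def scan_bytes(path, data, allowlist=()):
    """--files mode for one file: None means skipped (binary or not UTF-8), not crashed."""
    if b"\x00" in data:  # NUL bytes decode as valid UTF-8 but mark a binary file
        return None
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    compiled = [re.compile(a) for a in allowlist]
    return [f for n, line in enumerate(text.splitlines(), 1) for f in scan_line(path, n, line, compiled)]


def to_markdown(findings):
    rows = ["# secret-guard report", "", "| file | line | rule | snippet |", "|---|---|---|---|"]
    rows += [f"| {f['file']} | {f['line']} | {f['rule']} | {f['snippet']} |" for f in findings]
    return "\n".join(rows)


def exit_code(findings):
    return 1 if findings else 0  # 1 blocks the commit when run as a pre-commit hook


# Constructed staged diff: an AWS sample key, a 32-char high-entropy value and a
# long low-entropy value that must not fire.
SAMPLE_DIFF = """\
diff --git a/src/config.py b/src/config.py
--- a/src/config.py
+++ b/src/config.py
@@ -10,2 +10,5 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+SESSION_SALT = "abcdefghijklmnopqrstuvwxyz012345"
+BANNER = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
 TIMEOUT = 30
"""

if __name__ == "__main__":
    found = scan_diff(SAMPLE_DIFF)
    print(to_markdown(found))
    raise SystemExit(exit_code(found))
```

Two design points worth noting. The entropy rule only looks at tokens no specific rule already matched, so an AWS key is reported once under its own rule rather than twice; and the NUL-byte check exists because a binary blob can be valid UTF-8 by accident, so "decodes cleanly" alone is not a safe binary test.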

Limitations

  • Pattern lists drift; submit PRs for new providers.
  • The entropy heuristic produces false positives on minified bundles, hashes and other random-looking data; use --allowlist to suppress them.
  • A pre-commit hook is a safety net for honest mistakes, not a control: `git commit --no-verify` skips it entirely. Keep a CI scan as the backstop.
  • Doesn't scan repo history; pair with git-secrets or trufflehog for that.

Examples

Step-by-step walkthroughs with real input fixtures and the helper's actual output live in examples/. Three or four scenarios per plugin — from the happy path to the edge cases the test suite guards.

Part of the pluginpool family

Ten focused Claude Code plugins for everyday productivity: commit-narrator · pr-storyteller · test-gap · deps-doctor · env-lint · secret-guard · standup-gen · todo-harvest · flaky-detector · changelog-forge

License

MIT — see LICENSE. Contributions welcome.
