返回 Skill 列表
extension
分类: 开发与工程无需 API Key

keyenv-scan

使用KeyEnv的内置扫描器扫描代码库中的硬编码密钥和凭证。当用户希望在其代码中查找泄露的API密钥、密码、令牌或私钥,或者设置预提交钩子以防止秘密提交时,请使用此功能。

person作者: jakexiaohubgithub

KeyEnv Scan - Secret Detection

KeyEnv includes a built-in scanner that detects 50+ types of hardcoded secrets in source code: AWS keys, API tokens, private keys, database passwords, and more.

Prerequisites

Requires keyenv CLI: keyenv --version

Install if missing:

curl -fsSL https://keyenv.dev/install.sh | bash

Scanning for Secrets

# Scan current directory
keyenv scan

# Scan specific path
keyenv scan ./src

# Filter by severity (critical, high, medium, low)
keyenv scan --severity high

# JSON output for parsing
keyenv scan --json

The scanner respects .gitignore and .keyenvignore for exclusions.

Understanding Results

Output shows each finding with:

  • File path and line number
  • Pattern matched (e.g., "AWS Access Key", "GitHub Token")
  • Severity level (critical, high, medium, low)
  • Masked preview of the matched value

Example:

src/config.js:15  [critical] AWS Access Key ID
  AKIAIOSFODNN7EXAMPLE...

Found 3 secrets (1 critical, 2 high)

Pre-commit Hook

Prevent secrets from being committed:

# Install pre-commit hook
keyenv scan --hook

# Remove pre-commit hook
keyenv scan --hook --remove

The hook runs keyenv scan on staged files before each commit and blocks the commit if secrets are found.

Upload Results

Report findings to the KeyEnv dashboard for team visibility:

keyenv scan --upload

Requires an initialized project (keyenv init) and authentication.

Custom Exclusions

Create a .keyenvignore file to exclude paths beyond .gitignore:

# .keyenvignore
test/fixtures/
docs/examples/
*.test.js

Detected Patterns

The scanner detects secrets across these categories:

| Category | Examples | |----------|---------| | Cloud providers | AWS keys, GCP service accounts, Azure tokens | | API keys | Stripe, Twilio, SendGrid, Slack, GitHub | | Authentication | JWTs, OAuth tokens, session secrets | | Databases | Connection strings with passwords | | Cryptographic | Private keys (RSA, EC, PGP), certificates | | Generic | High-entropy strings, base64-encoded secrets |

Common Workflows

Audit a codebase:

keyenv scan --json | jq '.findings | group_by(.severity) | map({severity: .[0].severity, count: length})'

CI pipeline check:

keyenv scan --severity high
# Exit code 1 if secrets found, 0 if clean

Before pushing code:

keyenv scan && git push