detect_secrets
Identify hardcoded secrets and credentials in code files to prevent security vulnerabilities during development.
Instructions
Detect hardcoded secrets and credentials in code
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| files | Yes | File paths to scan | (none) |
Implementation Reference
- src/tools/code-analysis.ts:93-102 (handler). The handler for the 'detect_secrets' MCP tool: it reads the input files, scans them with SecurityAnalyzer.scanSecurityIssues(), keeps only secret-type issues, and returns a count plus the detected secrets.

```ts
case 'detect_secrets': {
  const files = params.files as string[];
  // FileReader.readFiles takes a comma-separated list of paths
  const codeFiles = await FileReader.readFiles(files.join(','));
  const issues = await securityAnalyzer.scanSecurityIssues(codeFiles);
  // Only issues produced by the secret detector are reported by this tool
  const secretIssues = issues.filter((i) => i.type === 'secret');
  return {
    total: secretIssues.length,
    secrets: secretIssues,
  };
}
```
- src/tools/code-analysis.ts:21-35 (schema). Tool schema definition for 'detect_secrets', including name, description, and inputSchema for MCP tool listing.

```ts
{
  name: 'detect_secrets',
  description: 'Detect hardcoded secrets and credentials in code',
  inputSchema: {
    type: 'object',
    properties: {
      files: {
        type: 'array',
        items: { type: 'string' },
        description: 'File paths to scan',
      },
    },
    required: ['files'],
  },
},
```
- src/server.ts:18-25 (registration). codeAnalysisTools (which contains detect_secrets) is spread into the combined allTools array returned by the MCP listTools handler.

```ts
const allTools = [
  ...codeAnalysisTools,
  ...codeQualityTools,
  ...dependencyAnalysisTools,
  ...lintingTools,
  ...webScrapingTools,
  ...apiDiscoveryTools,
];
```
- src/server.ts:62-64 (registration). Dispatch logic in the MCP callTool handler: a call is routed to handleCodeAnalysisTool when its tool name matches an entry in codeAnalysisTools.

```ts
if (codeAnalysisTools.some((t) => t.name === name)) {
  result = await handleCodeAnalysisTool(name, args || {});
} else if (codeQualityTools.some((t) => t.name === name)) {
```
- Core helper implementing the secret detection logic via regex pattern matching on code lines. It is called from SecurityAnalyzer.scanSecurityIssues(), which the tool handler invokes. The patterns are written without the /g flag: a global regex reused with .test() keeps its lastIndex between calls, so consecutive matching lines can be silently skipped.

```ts
private detectSecrets(file: CodeFile): SecurityIssue[] {
  const issues: SecurityIssue[] = [];
  const lines = file.content.split('\n');

  // Common secret patterns: an identifier followed by = or : and a quoted value.
  // No /g flag, so .test() is stateless across lines.
  const secretPatterns = [
    {
      pattern: /(?:password|passwd|pwd)\s*[=:]\s*["']([^"']+)["']/i,
      type: 'password' as const,
      severity: 'critical' as const,
    },
    {
      pattern: /(?:api[_-]?key|apikey)\s*[=:]\s*["']([^"']+)["']/i,
      type: 'api_key' as const,
      severity: 'critical' as const,
    },
    {
      pattern: /(?:secret|token)\s*[=:]\s*["']([^"']+)["']/i,
      type: 'secret' as const,
      severity: 'high' as const,
    },
    {
      pattern: /(?:aws[_-]?access[_-]?key|aws[_-]?secret)\s*[=:]\s*["']([^"']+)["']/i,
      type: 'aws_credentials' as const,
      severity: 'critical' as const,
    },
    {
      pattern: /(?:private[_-]?key|ssh[_-]?key)\s*[=:]\s*["']([^"']+)["']/i,
      type: 'private_key' as const,
      severity: 'critical' as const,
    },
  ];

  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    for (const { pattern, type, severity } of secretPatterns) {
      if (pattern.test(line)) {
        issues.push({
          type: 'secret',
          severity,
          location: `${file.path}:${i + 1}`, // 1-based line number
          description: `Potential hardcoded ${type} detected`,
          recommendation: 'Move secrets to environment variables or secure configuration',
          detectedAt: new Date(),
        });
      }
    }
  }

  return issues;
}
```
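A stand-alone version of the scan described above, added here as an example (it is not the project's code): it runs the same pattern set over a constructed sample file, and a second function shows why reusing a global (/g) regex with .test() across lines undercounts findings. The sample content, `scanContent` and `countWithGlobalTest` are names assumed for this example.

```typescript
interface Finding { type: string; severity: string; location: string; }

// Same pattern set as the tool, without /g so .test() carries no state between lines.
const SECRET_PATTERNS = [
  { pattern: /(?:password|passwd|pwd)\s*[=:]\s*["']([^"']+)["']/i, type: 'password', severity: 'critical' },
  { pattern: /(?:api[_-]?key|apikey)\s*[=:]\s*["']([^"']+)["']/i, type: 'api_key', severity: 'critical' },
  { pattern: /(?:secret|token)\s*[=:]\s*["']([^"']+)["']/i, type: 'secret', severity: 'high' },
  { pattern: /(?:aws[_-]?access[_-]?key|aws[_-]?secret)\s*[=:]\s*["']([^"']+)["']/i, type: 'aws_credentials', severity: 'critical' },
  { pattern: /(?:private[_-]?key|ssh[_-]?key)\s*[=:]\s*["']([^"']+)["']/i, type: 'private_key', severity: 'critical' },
] as const;

// Scan one file's content line by line; location is path:line (1-based), as in the tool.
function scanContent(path: string, content: string): Finding[] {
  const findings: Finding[] = [];
  content.split('\n').forEach((line, i) => {
    for (const { pattern, type, severity } of SECRET_PATTERNS) {
      pattern.lastIndex = 0; // defensive: no-op for non-global regexes
      if (pattern.test(line)) findings.push({ type, severity, location: `${path}:${i + 1}` });
    }
  });
  return findings;
}

// Constructed sample (not real credentials): two hardcoded passwords on consecutive
// lines, one password read from the environment, one hardcoded API key.
const SAMPLE = [
  'const password = "hunter2";',
  'const password = "letmein";',
  'const password = process.env.DB_PASSWORD;',
  "const apiKey = 'EXAMPLE-KEY-1234';",
].join('\n');

// The pitfall: a /g regex reused with .test() resumes from lastIndex of the previous
// match, so the second password line is searched only from offset 26 and is missed.
function countWithGlobalTest(lines: string[]): number {
  const g = /(?:password|passwd|pwd)\s*[=:]\s*["']([^"']+)["']/gi;
  return lines.filter((l) => g.test(l)).length;
}
```

The stateless scan reports three findings for the sample (lines 1, 2 and 4); the global-regex variant counts only one of the two password lines.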