scan_secrets
Scan a directory for hardcoded secrets and credentials, including those deleted from source but still present in git commit history.
Instructions
Detect hardcoded secrets and credentials in a directory. Runs the built-in custom scanner (no extra tools). When include_git_history is true, also scans past git commits for secrets removed from the working tree but still in history — recommended before push/PR. Uses git_history (built-in) and gitleaks (when installed).
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| path | Yes | Absolute or relative path to the project directory to scan. | |
| include_git_history | No | Scan git commit history, not just current files. Finds secrets deleted from source but still in old commits. | |
| severity_threshold | No | Minimum severity to include in results (default: info — all severities). | info |
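
Why include_git_history matters, as an added example that is not part of the tool's own code: the script builds a throwaway repository containing a constructed, fake AWS-style key, removes the key in a second commit, then compares a search of the current files with a search of the commit diffs. The key, the regex, the file name and the function names are assumptions made for illustration; this is not how scan_secrets, git_history or gitleaks is implemented.

```bash
#!/bin/sh
# Constructed sample value: shaped like an AWS access key ID, not a real credential.
FAKE_KEY='AKIAEXAMPLEEXAMPLE00'
# Illustrative pattern only; real scanners carry many rules.
PATTERN='AKIA[0-9A-Z]{16}'

# Create a temporary repo: commit 1 hardcodes the key, commit 2 removes it.
make_demo_repo() {
  repo=$(mktemp -d) || return 1
  git -C "$repo" init -q
  git -C "$repo" config user.email demo@example.invalid
  git -C "$repo" config user.name demo
  git -C "$repo" config commit.gpgsign false
  printf 'aws_key = "%s"\n' "$FAKE_KEY" > "$repo/config.py"
  git -C "$repo" add config.py
  git -C "$repo" commit -q -m "add config"
  printf 'aws_key = os.environ["AWS_KEY"]\n' > "$repo/config.py"
  git -C "$repo" commit -q -a -m "read key from environment"
  printf '%s\n' "$repo"
}

# Matches in the files currently on disk (what a working-tree-only scan sees).
count_worktree_hits() {
  grep -rEo --exclude-dir=.git "$PATTERN" "$1" | wc -l | tr -d ' '
}

# Added lines matching the pattern in any commit diff reachable from any ref.
count_history_hits() {
  git -C "$1" log --all -p --format='commit %H' | grep -Ec "^\+.*$PATTERN"
}

# Demo run: the key is gone from the files but still recoverable from history.
demo_repo=$(make_demo_repo)
echo "working tree hits: $(count_worktree_hits "$demo_repo")"
echo "history hits:      $(count_history_hits "$demo_repo")"
rm -rf "$demo_repo"
```

A hit that appears only in history still means the credential is exposed to anyone who can clone the repository, so it should be rotated rather than only deleted from the source.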