
New hook: secrets-scanner #1002

Open
ShehabSherif0 wants to merge 1 commit into github:staged from ShehabSherif0:add-secrets-scanner-hook

Conversation


@ShehabSherif0 ShehabSherif0 commented Mar 13, 2026

Pull Request Checklist

  • I have read and followed the CONTRIBUTING.md guidelines.
  • I have read and followed the Guidance for submissions involving paid services.
  • My contribution adds a new instruction, prompt, agent, skill, or workflow file in the correct directory.
  • The file follows the required naming convention.
  • The content is clearly structured and follows the example format.
  • I have tested my instructions, prompt, agent, skill, or workflow with GitHub Copilot.
  • I have run npm start and verified that README.md is up to date.

Description

Adds a new secrets-scanner hook that scans files modified during a Copilot coding agent session for accidentally leaked credentials, API keys, and sensitive data. The hook runs at sessionEnd and can operate in warn mode (log and continue) or block mode (exit non-zero to prevent auto-commit).

AI coding agents generate and modify code rapidly, which increases the risk of hardcoded secrets slipping into a codebase. This hook acts as a last-resort safety net at the end of each session.

What it does

The scanner checks all modified text files against 20+ regex patterns for known secret formats before the session closes:

  • Cloud credentials: AWS access keys (AKIA...), GCP service account JSON, Azure client secrets
  • Platform tokens: GitHub PATs (ghp_, gho_, ghs_, ghr_, github_pat_), npm tokens, Stripe live keys, Slack tokens, SendGrid API keys, Discord tokens, Twilio API keys
  • Private key blocks: RSA, EC, OpenSSH, DSA, PGP
  • Connection strings: PostgreSQL, MongoDB, MySQL, Redis, MSSQL, AMQP URIs
  • Generic secrets: assignments matching api_key =, password =, client_secret =, etc.
  • Structured tokens: JWTs (eyJ...), bearer tokens
  • Internal infrastructure: private IP addresses with ports (10.x, 172.16-31.x, 192.168.x)

Key capabilities

  • Two modes: SCAN_MODE=warn (log findings, exit 0) or SCAN_MODE=block (exit non-zero, stops auto-commit)
  • Two scopes: SCAN_SCOPE=diff (uncommitted changes vs HEAD) or SCAN_SCOPE=staged (git-staged files only)
  • Smart filtering: Skips binary files, lock files (package-lock.json, yarn.lock, go.sum, etc.), and placeholder values (your_password_here, changeme, example)
  • Allowlist: SECRETS_ALLOWLIST=pattern1,pattern2 suppresses known false positives
  • Redacted logging: Findings write first4...last4 of each match to JSONL; secrets are never fully re-exposed in logs
  • Zero dependencies: Requires only bash, git, grep, and file; no external tools needed

Files

  • hooks/secrets-scanner/README.md: Full documentation with installation guide, configuration reference, pattern table, example output, and log format
  • hooks/secrets-scanner/hooks.json: Hook configuration (sessionEnd, defaults to SCAN_MODE=warn, SCAN_SCOPE=diff, 30s timeout)
  • hooks/secrets-scanner/scan-secrets.sh: Scanner script (~270 lines of bash)
  • docs/README.hooks.md: Updated automatically by npm run build (hook count: 3 to 4)

Validation

  • npm run build passes; docs/README.hooks.md updated with the new hook entry
  • npm run skill:validate passes (all 222 skills valid)
  • Functional testing completed:
    • Correctly detects AWS keys, GitHub PATs, Stripe keys, Slack tokens, SendGrid keys, JWTs, npm tokens, connection strings
    • Correctly skips placeholder values (your_password_here, changeme)
    • SCAN_MODE=warn: lists findings, exits 0
    • SCAN_MODE=block: lists findings, exits 1 with "Session blocked" message
    • Clean files: prints "No secrets detected", exits 0
  • Line endings are LF throughout

Type of Contribution

  • New instruction file.
  • New prompt file.
  • New agent file.
  • New plugin.
  • New skill file.
  • New agentic workflow.
  • Update to existing instruction, prompt, agent, plugin, skill, or workflow.
  • Other (please specify): New hook (hooks/secrets-scanner)

Additional Notes

This hook pairs well with the existing Session Auto-Commit hook. When both are installed, the secrets scanner runs first at sessionEnd and blocks the auto-commit if secrets are detected (when SCAN_MODE=block).

All patterns use POSIX ERE (grep -E) syntax with no PCRE metacharacters, ensuring portability across macOS and Linux.


By submitting this pull request, I confirm that my contribution abides by the Code of Conduct and will be licensed under the MIT License.

Copilot AI review requested due to automatic review settings March 13, 2026 04:31

Copilot AI left a comment


Pull request overview

Adds a new Secrets Scanner hook intended to detect hardcoded secrets in files modified during a Copilot coding agent session, with optional blocking behavior and structured logging.

Changes:

  • Introduces a bash-based secrets scanning hook (scan-secrets.sh) with pattern matching, allowlisting, and JSONL logging.
  • Adds hook documentation and configuration (README.md, hooks.json) for installation and usage.
  • Registers the new hook in the hooks catalog (docs/README.hooks.md).

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.

File                                    Description
hooks/secrets-scanner/scan-secrets.sh   Implements the secrets scanning logic, file selection by scope, and JSONL logging of findings.
hooks/secrets-scanner/README.md         Documents purpose, installation, configuration, patterns, and example output.
hooks/secrets-scanner/hooks.json        Provides default sessionEnd hook configuration for the secrets scanner.
docs/README.hooks.md                    Adds the Secrets Scanner entry to the repository's hooks index.

Copilot AI left a comment


Pull request overview

Adds a new Secrets Scanner hook to the repository’s hooks collection, intended to scan modified (or staged) files at Copilot session end for common secret/token patterns and optionally block the session on findings.

Changes:

  • Introduces a new secrets-scanner hook (script + hooks.json) that scans changed files for secret-like regex matches and logs JSONL output.
  • Adds hook documentation (README with configuration, usage, and examples).
  • Registers the new hook in docs/README.hooks.md.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 7 comments.

File                                    Description
hooks/secrets-scanner/scan-secrets.sh   Implements the secrets scanning logic, allowlist handling, and JSONL logging.
hooks/secrets-scanner/README.md         Documents installation, configuration, detected patterns, and log format.
hooks/secrets-scanner/hooks.json        Hook configuration to run the scanner on sessionEnd.
docs/README.hooks.md                    Adds the Secrets Scanner entry to the hooks index table.

Copilot AI left a comment


Pull request overview

Adds a new Secrets Scanner hook to help prevent accidental credential/secrets leaks during GitHub Copilot coding agent sessions by scanning modified files at sessionEnd.

Changes:

  • Introduces a bash-based secrets scanning hook with configurable scan mode/scope and JSONL logging.
  • Adds hook documentation and an example hooks.json configuration.
  • Registers the new hook in the hooks index documentation.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File                                    Description
hooks/secrets-scanner/scan-secrets.sh   Implements the secrets scanning logic, filtering, and structured logging.
hooks/secrets-scanner/README.md         Documents installation, configuration, detected patterns, and output/log formats.
hooks/secrets-scanner/hooks.json        Provides the hook configuration for running at sessionEnd.
docs/README.hooks.md                    Adds Secrets Scanner to the hooks catalog table.

Copilot AI left a comment


Pull request overview

Adds a new Secrets Scanner Copilot hook that scans modified/staged files at sessionEnd for common credential/secret patterns and optionally blocks the session when findings are detected, plus documentation and index listing updates.

Changes:

  • Introduces scan-secrets.sh hook script with pattern-based detection, allowlisting, redacted output, and JSONL logging.
  • Adds hook documentation (README.md) and sample hook configuration (hooks.json).
  • Registers the new hook in docs/README.hooks.md.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File                                    Description
hooks/secrets-scanner/scan-secrets.sh   Implements the secrets scanning logic, logging, and block/warn behavior.
hooks/secrets-scanner/README.md         Documents installation, configuration, patterns, and log format for the hook.
hooks/secrets-scanner/hooks.json        Provides hook configuration to run the scanner at sessionEnd.
docs/README.hooks.md                    Adds the Secrets Scanner entry to the hooks index.


ShehabSherif0 force-pushed the add-secrets-scanner-hook branch from a5d5215 to 20f7435 on March 13, 2026 05:28

Add a secrets-scanner hook that scans files modified during a Copilot
coding agent session for leaked secrets, credentials, and sensitive data.

The hook runs on sessionEnd and inspects files in one of three scopes:
- diff: only files changed in the current session (default)
- staged: only files currently staged in the git index
- all: every tracked file in the repository

Detected pattern categories:
- AWS access keys and secret keys
- GCP service account credentials
- Azure client secrets and storage connection strings
- GitHub personal access tokens
- Slack tokens (bot, user, webhook)
- Private key headers (RSA, EC, DSA, OpenSSH, PEM)
- Generic high-entropy bearer tokens
- Internal IP:port strings

Configurable via environment variables (SCAN_MODE, SCAN_SCOPE,
SECRETS_ALLOWLIST) so teams can tune for their workflow without
editing the script. Patterns are POSIX ERE (grep -E) compatible,
with no PCRE metacharacters, for portability across macOS and Linux.

Files: hooks.json, scan-secrets.sh, README.md
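The mechanics that the PR description and the commit message above lay out (a POSIX ERE pattern table, placeholder filtering, SECRETS_ALLOWLIST suppression, first4...last4 redaction into JSONL findings, and warn/block exit codes) as one self-contained added example. This is not the PR's scan-secrets.sh: it scans a constructed in-memory .env sample instead of git diff output so it runs anywhere, and its pattern table, sample values, and function names (patterns, scan_file, redact, report, scan_sample) are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not the PR's scan-secrets.sh). Shows the mechanics the PR
# describes: a POSIX ERE pattern table, placeholder and allowlist filtering,
# first4...last4 redaction, JSONL findings, and warn/block exit codes.
# It scans a constructed in-memory sample instead of `git diff` output so it
# runs anywhere; every value in the sample is fake.

patterns() {
  # name;regex -- POSIX ERE only, so the same table works with GNU and BSD grep -E.
  cat <<'EOF'
aws_access_key;AKIA[0-9A-Z]{16}
github_pat;gh[pousr]_[A-Za-z0-9]{36}
slack_token;xox[baprs]-[0-9A-Za-z-]{10,}
private_key;-----BEGIN (RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----
postgres_uri;postgres(ql)?://[^:@[:space:]]+:[^@[:space:]]+@[^[:space:]]+
generic_secret;(api_key|API_KEY|password|PASSWORD|client_secret|CLIENT_SECRET)[[:space:]]*=[[:space:]]*["']?[^"'[:space:]]{8,}
private_ip_port;(10\.[0-9]+|172\.(1[6-9]|2[0-9]|3[01])|192\.168)\.[0-9]+\.[0-9]+:[0-9]{2,5}
EOF
}

is_placeholder() {
  # Obvious dummy values are dropped; note this also hides any value that merely
  # contains "example", which is the trade-off a placeholder filter makes.
  printf '%s\n' "$1" | grep -Eiq 'your_[a-z_]*_here|changeme|example|placeholder|xxxx|<[^>]+>'
}

is_allowlisted() {
  # SECRETS_ALLOWLIST is a comma-separated list of EREs; any hit suppresses the match.
  old_ifs=$IFS; IFS=','; set -f
  for pat in ${SECRETS_ALLOWLIST:-}; do
    IFS=$old_ifs; set +f
    [ -n "$pat" ] && printf '%s\n' "$1" | grep -Eq -e "$pat" && return 0
  done
  IFS=$old_ifs; set +f
  return 1
}

redact() {
  # Keep only the first and last four characters so a log line cannot re-leak the secret.
  if [ "${#1}" -lt 8 ]; then printf '********\n'; return; fi
  printf '%s\n' "$1" | sed -E 's/^(.{4}).*(.{4})$/\1...\2/'
}

json_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

scan_file() {
  # $1 = path label, stdin = file contents. Emits one JSONL finding per match.
  file=$1; n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    patterns | while IFS=';' read -r name regex; do
      # -e keeps grep from reading a regex such as "-----BEGIN" as an option.
      printf '%s\n' "$line" | grep -Eo -e "$regex" | while IFS= read -r m; do
        is_placeholder "$m" && continue
        is_allowlisted "$m" && continue
        printf '{"file":"%s","line":%d,"pattern":"%s","match":"%s"}\n' \
          "$(json_escape "$file")" "$n" "$name" "$(json_escape "$(redact "$m")")"
      done
    done
  done
}

report() {
  # $1 = SCAN_MODE (warn|block); stdin = JSONL findings. Exit status 1 only in
  # block mode with findings, which is what stops a following auto-commit step.
  mode=$1; count=0
  while IFS= read -r finding; do
    count=$((count + 1))
    printf '  %s\n' "$finding"
  done
  if [ "$count" -eq 0 ]; then echo "No secrets detected"; return 0; fi
  echo "$count potential secret(s) found"
  if [ "$mode" = block ]; then echo "Session blocked"; return 1; fi
  echo "Continuing (SCAN_MODE=warn)"
  return 0
}

# Constructed sample standing in for a file the agent modified; all values are fake.
SAMPLE='# constructed sample .env
AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP
DB_PASSWORD=your_password_here
API_KEY="changeme"
GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789
DATABASE_URL=postgresql://app:s3cretpw@10.0.0.12:5432/app
INTERNAL=192.168.1.10:8443
PUBLIC_DOC=https://example.com/docs
-----BEGIN RSA PRIVATE KEY-----'

scan_sample() {
  # Wrapper mirroring the hook's flow: select content, scan, then apply the mode.
  printf '%s\n' "$SAMPLE" | scan_file sample.env | report "${SCAN_MODE:-warn}"
}

# Stand-alone run: `SCAN_MODE=block sh example.sh` exits 1; the default warn mode exits 0.
scan_sample
```

On the sample above the scanner reports six findings (the AWS key, the GitHub token, the connection string and the private address inside it, the standalone internal address, and the key header) while the two placeholder values are silently skipped; setting SECRETS_ALLOWLIST='192\.168\.' drops the standalone internal address, and only SCAN_MODE=block turns the findings into a non-zero exit.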
ShehabSherif0 force-pushed the add-secrets-scanner-hook branch from 20f7435 to 7318b1c on March 13, 2026 05:43