
Secret Scanner

Detects hardcoded API keys and credentials in your code before the commit.

Installation
npx claude-code-templates@latest --hook security/secret-scanner --yes

This hook fires on the PreToolUse event, examining git commands before the commit. It scans the changes for hardcoded secrets.

It recognizes patterns from over 30 providers, such as Anthropic, OpenAI, AWS, Stripe, Google and GitHub, plus tokens, passwords, private keys and database credentials. If it finds something, it blocks the commit and suggests using environment variables.
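What scanning a commit's changes for secrets can look like, as an added example that is not the hook's own code. The four patterns are a small illustrative subset of publicly documented token shapes, and `scan_diff`, `PATTERNS` and the sample diff are constructed for this illustration.

```python
import re

# Illustrative rules only; the hook's real rule set is not shown on the page.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|secret)\w*\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def scan_diff(diff_text):
    """Return (file, new_line_no, rule) for each match on an added line."""
    findings, path, line_no, in_hunk = [], None, 0, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            in_hunk = False                      # next file: headers follow
        elif not in_hunk and line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif (m := HUNK.match(line)):
            in_hunk, line_no = True, int(m.group(1))
        elif in_hunk and line.startswith("+"):   # only newly added content
            for rule, rx in PATTERNS.items():
                if rx.search(line[1:]):
                    findings.append((path, line_no, rule))
            line_no += 1
        elif in_hunk and line.startswith(" "):
            line_no += 1                         # context advances numbering
        # '-' lines are removals: not scanned, do not advance new-file lines
    return findings

# Constructed sample input (the AWS value is the documentation example key).
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
 import os
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = os.environ["DB_PASSWORD"]
-password = "old-hardcoded-value"
 DEBUG = False
"""

if __name__ == "__main__":
    for path, line_no, rule in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{line_no}: {rule}")
```

The environment-variable lookup on line 3 passes, while the literal key on line 2 is reported; a non-empty result is what a pre-commit check would treat as a reason to block.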

When to use

  • When you want to keep keys from leaking into the repository history.
  • When the project is public or has CI that fails on exposed secrets.

How to use

After installing, it runs on every commit automatically. If a secret is detected, move it to an environment variable and try again.