GIT-017 critical repo-cleanliness

No credentials in repo

No production secrets in repository or git history

Question to ask

"Searched git history for secrets lately — really searched?"

Verification guide

Severity: Critical

Check for committed .env files (not .env.example):

git ls-files | grep -E "^\.env$|\.env\.local|\.env\.production"

Scan for potential secrets patterns:

# API keys with values (grep -r also descends into .git, but packed objects are compressed, so this does not cover history; see the git log check below)
grep -r -E "(API_KEY|SECRET|PASSWORD|TOKEN|PRIVATE_KEY)=['\"]?[A-Za-z0-9+/=]{16,}" . 2>/dev/null

# AWS access key IDs
grep -r -E "AKIA[0-9A-Z]{16}" . 2>/dev/null

# Private keys (extended regex so the alternation also works with BSD/macOS grep)
grep -r -l -E "BEGIN (RSA|OPENSSH|EC) PRIVATE KEY" . 2>/dev/null

# Common secret file names
git ls-files | grep -iE "(credentials|secrets|\.pem|\.key|id_rsa)"

Exception: Sandbox/development keys are OK:

  • Keys in .env.example, .env.development, or .env clearly marked as sandbox
  • Test/mock API keys (e.g., Stripe test keys starting with sk_test_)
  • Local development credentials (e.g., postgres://dev:dev@localhost)
  • Keys with obvious placeholder values (xxx, changeme, your-key-here)

Use secret scanning tools if available:

gitleaks detect --source . 2>/dev/null
trufflehog filesystem . 2>/dev/null

Check git history (secrets may have been removed but still in history):

git log --all --full-history -p | grep -E "AKIA[0-9A-Z]{16}" | head -5

Pass criteria:

  • No production secrets in current files
  • No production secrets in git history
  • Any committed keys are clearly sandbox/test only

Fail criteria:

  • Production secrets in repository
  • Production secrets in git history
  • Ambiguous keys that might be production

If secrets found, ask user: "Found credentials in [location]. Are these sandbox/development keys only, or production credentials?"

If production secrets found: "CRITICAL: Production secrets detected. These must be rotated immediately - removing from repo is not enough."

Evidence to capture:

  • Scan results (tools used, findings)
  • Classification of each finding (sandbox vs production)
  • User confirmation for any ambiguous keys
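The checks above combined into one pass, with the sandbox exceptions applied to every hit and the output shaped as capturable evidence. This is an added example script, not part of this checklist; the merged pattern, the sandbox heuristics and the output format are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example, not part of the original checklist: one pass that applies the
# pattern scan, the sandbox exceptions and the history check. The merged pattern,
# the sandbox heuristics and the output format are assumptions made here.
set -u

# The checklist's patterns merged into one ERE (value charset widened for sk_test_ style keys).
SECRET_RE="[A-Z_]*(API_KEY|SECRET|PASSWORD|TOKEN|PRIVATE_KEY)[A-Z_]*=[\"']?[A-Za-z0-9+/=_-]{16,}"
SECRET_RE="$SECRET_RE|AKIA[0-9A-Z]{16}|BEGIN (RSA|OPENSSH|EC) PRIVATE KEY"

# classify FILE LINE -> none | sandbox | production-candidate
# Anything that matches and fits no sandbox exception is "might be production", which is a fail.
classify() {
  file=$1 line=$2
  printf '%s' "$line" | grep -Eq "$SECRET_RE" || { echo none; return; }
  case "$file" in *.env.example|*.env.development|*example*) echo sandbox; return ;; esac
  case "$line" in *sk_test_*|*@localhost*|*changeme*|*your-key-here*|*xxx*) echo sandbox; return ;; esac
  echo production-candidate
}

# Tracked files only (git grep skips untracked clutter): status<TAB>file:line<TAB>content
scan_tracked() {
  git grep -nE "$SECRET_RE" -- . 2>/dev/null | while IFS= read -r hit; do
    file=${hit%%:*} rest=${hit#*:}
    printf '%s\t%s:%s\t%s\n' "$(classify "$file" "${rest#*:}")" "$file" "${rest%%:*}" "${rest#*:}"
  done
}

# Every added line in every commit on every ref, so secrets deleted later still surface.
scan_history() {
  commit= file=
  git log --all -p --no-color 2>/dev/null | while IFS= read -r l; do
    case "$l" in
      "commit "*) commit=$(printf '%.7s' "${l#commit }") ;;
      "+++ b/"*) file=${l#+++ b/} ;;
      "+++ "*) ;;                      # /dev/null header of a deleted file
      +*) status=$(classify "$file" "${l#+}")
          [ "$status" = none ] || printf '%s\t%s:%s\t%s\n' "$status" "$commit" "$file" "${l#+}" ;;
    esac
  done
}

# Prints the de-duplicated evidence list; exit status 1 when any production-candidate remains.
audit() {
  findings=$( { scan_tracked; scan_history; } | sort -u )
  [ -n "$findings" ] && printf '%s\n' "$findings"
  ! printf '%s\n' "$findings" | grep -q '^production-candidate'
}
```

Run `audit` from the repository root; the history pass shells out to grep per added line, so it is slow on very large histories.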

Section: 01. Git Repo Setup & Security (Infrastructure & Setup)