API keys, passwords, and tokens have a habit of ending up committed in plain sight — buried in config files, test fixtures, or old migration scripts. Ask Claude to hunt them down before they reach your remote.
```bash
git diff HEAD~50..HEAD | claude -p "Review this diff for any hardcoded
secrets, API keys, passwords, tokens, or credentials. List each
occurrence with the file and line number."
```
For a full historical scan, you can pipe a broader range of commits or ask Claude to audit specific directories:
```bash
cat src/config/*.php | claude -p "Identify any hardcoded credentials,
connection strings, or secrets in these config files. Flag anything
that should be moved to an environment variable."
```
Claude knows the patterns: `sk-`, `AKIA`, `Bearer `, `password =`, base64-encoded strings in odd places, and framework-specific config keys like Laravel's `DB_PASSWORD` set inline.
It will also suggest the `.env` variable name to use as a replacement and flag if the value appears to already exist in a `.env.example` without a real value.
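A local, deterministic cross-check for the markers listed above, as an added example that is not code from the original post: it parses a unified diff, tracks new-file line numbers from the hunk headers, and reports file, line and pattern label for each added line that matches. The regexes, the `scan_diff` name and the sample diff are assumptions constructed for illustration.

```python
import re
import sys

# Regexes for the markers the post names. The exact shapes are assumptions for
# this example, not vendor-published formats; tune them to your providers.
PATTERNS = {
    "sk- key": re.compile(r"\bsk-[A-Za-z0-9_-]{16,}"),
    "AKIA access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "Bearer token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]{16,}"),
    # key = value / key => value with a literal value; env() lookups are skipped
    "inline password": re.compile(
        r"(?i)\b\w*password\w*['\"]?\s*(?:=>|=|:)\s*(?!env\()['\"]?[^\s'\"]{4,}"),
}
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def scan_diff(diff_text):
    """Return (file, new-file line number, label) for each added line that matches."""
    findings, path, lineno, in_hunk = [], None, 0, False
    for line in diff_text.splitlines():
        hunk = HUNK.match(line)
        if line.startswith("diff --git"):
            in_hunk = False                      # next file's headers follow
        elif hunk:
            lineno, in_hunk = int(hunk.group(1)), True
        elif not in_hunk:
            if line.startswith("+++ "):
                path = line[4:].removeprefix("b/")
        elif line.startswith("+"):
            # Report the label only, so the findings never copy the secret itself.
            findings += [(path, lineno, label)
                         for label, rx in PATTERNS.items() if rx.search(line[1:])]
            lineno += 1
        elif not line.startswith(("-", "\\")):
            lineno += 1                          # context line advances the new file
    return findings

# Constructed sample diff; every value in it is fake.
SAMPLE_DIFF = """\
diff --git a/src/config/database.php b/src/config/database.php
--- a/src/config/database.php
+++ b/src/config/database.php
@@ -10,3 +10,4 @@
     'host' => env('DB_HOST'),
-    'password' => env('DB_PASSWORD', ''),
+    'password' => 'hunter2-constructed',
+    'aws_key' => 'AKIAEXAMPLEEXAMPLE00',
     'port' => 3306,
"""

if __name__ == "__main__":
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_DIFF
    for path, lineno, label in scan_diff(text):
        print(f"{path}:{lineno}: {label}")
```

Run it with `-` as the only argument to scan a diff piped on stdin instead of the built-in sample.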
One pre-push audit can prevent a secret rotation at 2am — pipe your diff to Claude before every deploy.