API keys, passwords, and tokens have a habit of ending up committed in plain sight — buried in config files, test fixtures, or old migration scripts. Ask Claude to hunt them down before they reach your remote.
```bash
git diff HEAD~50..HEAD | claude -p "Review this diff for any hardcoded
secrets, API keys, passwords, tokens, or credentials. List each
occurrence with the file and line number."
```
For a full historical scan, you can pipe a broader range of commits or ask Claude to audit specific directories:
```bash
cat src/config/*.php | claude -p "Identify any hardcoded credentials,
connection strings, or secrets in these config files. Flag anything
that should be moved to an environment variable."
```
Claude knows the patterns: sk-, AKIA, Bearer , password =, base64-encoded strings in odd places, and framework-specific config keys like Laravel's DB_PASSWORD set inline.
It will also suggest the .env variable name to use as a replacement and flag if the value appears to already exist in a .env.example without a real value.
One pre-push audit can prevent a secret rotation at 2am — pipe your diff to Claude before every deploy.
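A cheap local pre-screen to run on the same diff before (or alongside) the Claude pass, as an added example that is not part of the original post and not Claude's own detection logic: it walks a unified diff, tracks new-file line numbers from the @@ headers, and reports added lines that match the patterns listed above (sk-, AKIA, Bearer, password assignments, long base64 blobs). The diff text embedded below is constructed; the key values in it are documentation-style placeholders, not real credentials.

```python
import re

# Patterns from the post, as regexes. This is a heuristic pre-screen only.
PATTERNS = {
    "openai-style key": re.compile(r"\bsk-[A-Za-z0-9]{16,}"),
    "aws access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer token": re.compile(r"Bearer\s+[A-Za-z0-9._-]{16,}"),
    # password => '...', password = "...", DB_PASSWORD=...; skip env('...') reads
    "password assignment": re.compile(
        r"(?i)\b(password|DB_PASSWORD)\b['\"]?\s*(=>|=|:)\s*(?!env\()['\"]?[^'\"\s]{4,}"),
    "long base64 blob": re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/])"),
}

def scan_diff(diff_text):
    """Return (file, new_line_no, kind, snippet) for every added line that matches."""
    findings, current_file, new_line = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):                      # new-file header
            path = raw[4:].strip()
            current_file = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith(("--- ", "diff ", "index ", "\\")):
            continue                                    # headers / "no newline" marker
        m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", raw)
        if m:
            new_line = int(m.group(1))                  # first new-file line of this hunk
            continue
        if raw.startswith("-"):
            continue                                    # removed line: no new-file number
        if raw.startswith("+"):
            line = raw[1:]
            for kind, pat in PATTERNS.items():
                if pat.search(line):
                    findings.append((current_file, new_line, kind, line.strip()))
        new_line += 1                                   # added or context line
    return findings

# Constructed sample diff: a Laravel-style config and a .env.example change.
SAMPLE_DIFF = """diff --git a/src/config/database.php b/src/config/database.php
--- a/src/config/database.php
+++ b/src/config/database.php
@@ -10,4 +10,6 @@
 return [
     'host' => env('DB_HOST'),
-    'password' => env('DB_PASSWORD'),
+    'password' => 'hunter2secret',
+    // TODO remove before release
+    'api_key' => 'sk-EXAMPLEkeyEXAMPLEkeyEXAMPLE1234',
 ];
diff --git a/.env.example b/.env.example
--- a/.env.example
+++ b/.env.example
@@ -1,1 +1,3 @@
 APP_ENV=local
+DB_PASSWORD=
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
"""

if __name__ == "__main__":
    for f, n, kind, snippet in scan_diff(SAMPLE_DIFF):
        print(f"{f}:{n}: {kind}: {snippet}")
```

Note that the empty DB_PASSWORD= placeholder in .env.example is not flagged, which is the distinction the post draws between a real value and an example file. Wire it up with `git diff HEAD~50..HEAD | python scan_diff.py` style input if you want it in a pre-push hook.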