Does repo_scanner send any data to external servers?

No. repo_scanner runs entirely on your machine. It reads your local files, applies pattern matching, and returns results — no data is transmitted anywhere.

What types of secrets does it detect?

It detects AWS access keys and secret keys, OpenAI API keys, GitHub personal access tokens, Stripe keys, Slack tokens, private RSA/EC keys in PEM format, database connection strings with embedded credentials, and 40+ other common credential patterns.

Does it scan inside binary files or node_modules?

No. repo_scanner skips binary files, common build artifact directories (node_modules, .git, __pycache__, dist, build), and very large files to keep scans fast and noise-free.

What's a .gitignore gap and why does it matter?

A .gitignore gap means a sensitive file (like .env or credentials.json) exists in your repository directory but isn't listed in .gitignore. If you run git add ., that file could be committed and pushed accidentally. repo_scanner flags these proactively.

A CRITICAL finding appeared — what should I do?

Rotate the credential immediately — assume it's compromised. Then remove it from your codebase. If the secret was ever committed to git, use git filter-repo or BFG Repo Cleaner to purge it from history, then force-push. Finally, add the file pattern to .gitignore.

docs/tools/repo_scanner

AgenticCode

Secret & Repo Scanner MCP Tool

CLI Tool Name: repo_scanner

Scans a directory for leaked secrets, API tokens, private keys, PII (emails, SSNs), and missing .gitignore entries. Everything stays on your machine — no data is transmitted anywhere.

Parameters

Parameter	Type	Required	Description
directory	string	yes	Absolute or relative path to the directory to scan.

What it detects

AWS credentials

Access keys, secret keys, session tokens.

API tokens

OpenAI, GitHub, Stripe, Slack, and 40+ other services.

Private keys

RSA, EC, and PEM-format private key material.

PII

Email addresses, Social Security Numbers, phone numbers.

Database URLs

Connection strings with embedded credentials.

.gitignore gaps

Files that should be ignored but aren't listed.

Example output

json

{
  "directory": "/path/to/project",
  "findings": [
    {
      "type": "secret",
      "severity": "CRITICAL",
      "file": "config/settings.py",
      "line": 8,
      "match": "AWS_SECRET_KEY = 'AKIA...'",
      "message": "Possible AWS secret key detected"
    },
    {
      "type": "gitignore_gap",
      "severity": "WARNING",
      "file": ".env",
      "message": ".env file is not covered by .gitignore"
    }
  ],
  "summary": {
    "critical": 1,
    "warnings": 1,
    "files_scanned": 47
  }
}

[note]

CRITICAL findings mean a real secret was detected. Rotate the credential immediately, then remove it from your codebase and git history.

Explore other AgenticStore MCP tools

→ Python Code Linter MCP Tool → Dependency Vulnerability Scanner MCP Tool → Web Search & Scraper MCP Tool

← python_lint_checker dependency_audit →

Frequently asked questions