qa-secrets
Secrets scanning + rotation: 5 skills (gitleaks-scanning, kingfisher-scanning, secrets-baseline-manager, secrets-rotation-runner, trufflehog-scanning) and 1 agent (secrets-finding-triager). Covers detection AND rotation workflow (git-history scrub doesn't fix the leak).
Install this plugin
/plugin install qa-secrets@testland-qa
Part of role bundle: qa-role-security
qa-secrets
Secrets scanning + rotation. Three per-tool scanner skills (gitleaks, TruffleHog, Kingfisher - covering the OSS leader, the high-precision validator, and the modern Rust + 950-rule alternative), a baseline-manager skill for the shared allowlist/waiver lifecycle, plus a build-an-X workflow skill for the rotation step that follows detection (because a git-history scrub does NOT fix a leak - the secret IS already exposed and must be rotated).
Covers the universal pre-commit + repo-history hygiene gap.
Components
| Type | Name | Description |
|---|---|---|
| Skill | gitleaks-scanning | Go-based scanner; gitleaks git/dir/stdin (v8.19+); .gitleaks.toml rules + allowlists; pre-commit + GHA + baseline |
| Skill | trufflehog-scanning | Rust-based with live verification via provider API calls; multi-source (git/github/gitlab/filesystem/s3/docker/gcs/postman); --results=verified filter |
| Skill | kingfisher-scanning | MongoDB-built Rust scanner with Intel Hyperscan + 950 rules + live validation + checksum verification + cloud access mapping |
| Skill | secrets-rotation-runner | Build-an-X for rotation workflow after detection: identify provider → two-secret rotation → audit → invalidate → post-mortem → add detection rule |
| Agent | secrets-finding-triager | Adversarial unifier of gitleaks + TruffleHog + Kingfisher JSON; dedupes by (file, line, secret-class); enforces waivers with expires: + approved_by: + reason:; emits BLOCK/PASS verdict |
| Skill | secrets-baseline-manager | Unified secrets baseline/allowlist management across gitleaks, trufflehog, kingfisher (waiver lifecycle). |
Install
/plugin marketplace add testland/qa
/plugin install qa-secrets@testland-qa
Skills
gitleaks-scanning
Configures and runs gitleaks - Go-based secret scanner with `gitleaks git` (scan local git via `git log -p`), `gitleaks dir` (filesystem), `gitleaks stdin` (pipe); 100+ built-in rules + custom rules in `.gitleaks.toml` ([[rules]] with regex / entropy / keywords / tags); allowlist via [[rules.allowlists]] (commits / paths / stopwords); pre-commit hook + GitHub Action integration; baseline file for legacy debt. Use when the team needs OSS secret scanning at commit time + CI gate.
kingfisher-scanning
Configures and runs Kingfisher for secret scanning with access mapping: discovers leaked credentials AND maps them to the IAM identities and cloud resources they expose (S3 buckets, RDS instances, etc.); Intel Hyperscan regex engine makes it the fastest option for large monorepos; 950 built-in rules (largest of the OSS scanners); multi-target (local files / Git history / GitHub / GitLab / AWS S3 / Docker images); live API validation plus offline checksum verification; suppression via `--skip-regex` / `--skip-word` / `--baseline-file` / inline `kingfisher:ignore`. Use when cloud-blast-radius context matters or scan time on a large repo is blocking. Front-loads access-mapping and Hyperscan speed to differentiate from trufflehog-scanning, which also does multi-target scanning and live validation but offers no IAM access mapping.
secrets-baseline-manager
Builds and maintains a unified secrets baseline/allowlist across gitleaks (.gitleaksignore + --baseline-path), TruffleHog (--results=verified filter + trufflehog:ignore), and Kingfisher (--baseline-file + --exclude/--skip-* flags); adopts legacy findings without blocking PRs; enforces a waiver lifecycle (expires + approved_by + reason) stored in .secrets-waivers.yaml; prevents baseline rot via quarterly audit + expiry enforcement. Use when onboarding secrets scanning onto a repo that already has historical findings, or when per-scanner ignore configs have drifted out of sync and need consolidating into one governed allowlist.
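The triage logic that the secrets-finding-triager agent (dedupe by file, line and secret-class; waivers must carry expires + approved_by + reason; BLOCK/PASS verdict) and the secrets-baseline-manager skill (one governed allowlist, expiry enforcement) describe, written out as an added example. This is not the plugin's own code: the normalised `Finding` shape, the waiver dictionaries standing in for `.secrets-waivers.yaml` entries, and the sample findings are all constructed here, and mapping real gitleaks/TruffleHog/Kingfisher JSON onto that shape is assumed to happen in a per-scanner adapter that is not shown.

```python
"""Dedupe multi-scanner secret findings and enforce a governed waiver list.

Added example (not part of the qa-secrets plugin). Findings from several
scanners are normalised, deduplicated by (file, line, secret-class), checked
against waivers that must carry expires + approved_by + reason, and reduced
to a single BLOCK/PASS verdict. Finding shape, waivers and sample data are
constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Iterable

# A waiver is only honoured when every one of these keys is present and non-empty.
REQUIRED_WAIVER_KEYS = ("file", "line", "secret_class", "expires", "approved_by", "reason")


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    secret_class: str  # e.g. "aws-access-key"; the dedupe key ignores which scanner reported it
    scanner: str


def dedupe(findings: Iterable[Finding]) -> dict[tuple[str, int, str], set[str]]:
    """Collapse findings onto (file, line, secret-class); keep the set of scanners that agree."""
    merged: dict[tuple[str, int, str], set[str]] = {}
    for f in findings:
        merged.setdefault((f.file, f.line, f.secret_class), set()).add(f.scanner)
    return merged


def waiver_problem(waiver: dict, today: date) -> str | None:
    """Return why a waiver must be rejected, or None if it may suppress a finding."""
    missing = [k for k in REQUIRED_WAIVER_KEYS if not waiver.get(k)]
    if missing:
        return "missing " + ", ".join(missing)
    try:
        expires = date.fromisoformat(str(waiver["expires"]))
    except ValueError:
        return "expires is not an ISO date"
    if expires < today:
        return f"expired on {expires.isoformat()}"
    return None


def triage(findings: Iterable[Finding], waivers: list[dict], today: date):
    """Return (verdict, blocking_keys, rejected_waivers).

    A finding is suppressed only by a valid, unexpired waiver for the exact
    (file, line, secret_class) key; an expired or incomplete waiver is
    reported and the finding it used to cover blocks again.
    """
    merged = dedupe(findings)
    valid: dict[tuple, dict] = {}
    rejected: list[tuple[tuple, str]] = []
    for w in waivers:
        key = (w.get("file"), w.get("line"), w.get("secret_class"))
        problem = waiver_problem(w, today)
        if problem:
            rejected.append((key, problem))
        else:
            valid[key] = w
    blocking = sorted(k for k in merged if k not in valid)
    verdict = "BLOCK" if blocking else "PASS"
    return verdict, blocking, rejected


# Constructed sample input: three scanners agree on one AWS key, one fixture is
# waived, and one old Slack webhook sits behind a waiver that has lapsed.
FINDINGS = [
    Finding("config/prod.env", 12, "aws-access-key", "gitleaks"),
    Finding("config/prod.env", 12, "aws-access-key", "trufflehog"),
    Finding("config/prod.env", 12, "aws-access-key", "kingfisher"),
    Finding("tests/fixtures/fake_key.txt", 3, "generic-api-key", "gitleaks"),
    Finding("docs/old_notes.md", 40, "slack-webhook", "trufflehog"),
]
WAIVERS = [
    {"file": "tests/fixtures/fake_key.txt", "line": 3, "secret_class": "generic-api-key",
     "expires": "2099-01-01", "approved_by": "appsec-lead",
     "reason": "documented test fixture, not a live credential"},
    {"file": "docs/old_notes.md", "line": 40, "secret_class": "slack-webhook",
     "expires": "2020-01-01", "approved_by": "appsec-lead", "reason": "legacy"},
]
TODAY = date(2025, 6, 1)  # fixed so the example is reproducible

if __name__ == "__main__":
    verdict, blocking, rejected = triage(FINDINGS, WAIVERS, TODAY)
    print(verdict)
    for key in blocking:
        print("  blocking:", key, "seen by", sorted(dedupe(FINDINGS)[key]))
    for key, why in rejected:
        print("  rejected waiver:", key, "->", why)
```

Keying the dedupe on (file, line, secret-class) rather than on the scanner's own rule id is what lets three tools with different rule names count as one finding; keying waivers on the same tuple means a waiver cannot silently widen to cover a different secret that later lands on the same file.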
secrets-rotation-runner
Build-an-X for the secret-rotation workflow after detection - detect via gitleaks/trufflehog/kingfisher → identify provider via verifier → rotate via provider API (AWS IAM / GitHub PAT / Stripe / GCP / Azure / Twilio / Slack / etc.) → invalidate old secret → audit log via observability stack → post-mortem cross-ref. Use when a secret is detected in code (or proactively for periodic rotation) - assume git-history scrub does NOT prevent compromise.
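The rotation order this skill describes (create the replacement while the old secret still works, switch the consumer, verify, then invalidate and remove the old one, logging every step), as an added example rather than the plugin's own code. The provider is a constructed in-memory stand-in with an IAM-like limit of two keys per identity; `FakeProvider`, `Consumer`, `StuckConsumer` and the audit list are all assumptions of this example, and a real runner would call the provider's API (AWS IAM, GitHub, Stripe, etc.) at those points.

```python
"""Two-secret rotation with verify-before-invalidate and an audit trail.

Added example, not code from the qa-secrets plugin. It models the rotation
order the secrets-rotation-runner skill describes and the failure mode a
runner has to handle: if the consumer cannot authenticate with the new
credential, the rotation rolls back and the old credential stays valid,
so the workload never loses access. The provider is a constructed stand-in.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


class RotationError(Exception):
    """Raised when a rotation cannot be completed safely."""


@dataclass
class FakeProvider:
    """Constructed stand-in for a cloud IAM API: at most two keys per identity, each active or disabled."""
    keys: dict[str, dict[str, bool]] = field(default_factory=dict)  # identity -> {key_id: active}

    def create_key(self, identity: str) -> str:
        live = self.keys.setdefault(identity, {})
        if len(live) >= 2:
            raise RotationError("two keys already exist; finish or roll back the previous rotation first")
        key_id = "KEY" + secrets.token_hex(4).upper()
        live[key_id] = True
        return key_id

    def disable_key(self, identity: str, key_id: str) -> None:
        self.keys[identity][key_id] = False

    def delete_key(self, identity: str, key_id: str) -> None:
        del self.keys[identity][key_id]

    def authenticate(self, identity: str, key_id: str) -> bool:
        return self.keys.get(identity, {}).get(key_id, False)


@dataclass
class Consumer:
    """The workload that holds the credential (think: a deployment's environment variable)."""
    identity: str
    key_id: str

    def healthcheck(self, provider: FakeProvider) -> bool:
        return provider.authenticate(self.identity, self.key_id)


class StuckConsumer(Consumer):
    """Constructed failure case: the workload never picks up the new credential."""

    def healthcheck(self, provider: FakeProvider) -> bool:
        return False


def rotate(provider: FakeProvider, consumer: Consumer, audit: list[str]) -> str:
    """Rotate the consumer's credential; returns the new key id or raises after rolling back."""
    identity, old = consumer.identity, consumer.key_id
    new = provider.create_key(identity)  # step 1: two secrets now coexist
    audit.append(f"created {new} for {identity}")
    consumer.key_id = new                # step 2: switch the consumer
    if not consumer.healthcheck(provider):
        consumer.key_id = old            # roll back: the old secret is still active, nothing is broken
        provider.delete_key(identity, new)
        audit.append(f"verification with {new} failed; rolled back to {old} and deleted {new}")
        raise RotationError("consumer could not authenticate with the new key")
    audit.append(f"consumer switched to {new} and verified")
    provider.disable_key(identity, old)  # step 3: the exposed secret is now rejected by the provider
    audit.append(f"disabled {old}")
    provider.delete_key(identity, old)   # step 4: remove it so it cannot be re-enabled by mistake
    audit.append(f"deleted {old}")
    return new


def demo() -> tuple[bool, bool]:
    """Run a successful rotation and a rolled-back one; return (leaked_key_dead, stuck_key_still_valid)."""
    p = FakeProvider()
    leaked = p.create_key("ci-deployer")
    audit: list[str] = []
    rotate(p, Consumer("ci-deployer", leaked), audit)
    leaked_key_dead = not p.authenticate("ci-deployer", leaked)

    p2 = FakeProvider()
    k = p2.create_key("svc")
    try:
        rotate(p2, StuckConsumer("svc", k), audit)
    except RotationError:
        pass
    stuck_key_still_valid = p2.authenticate("svc", k)
    for line in audit:
        print(line)
    return leaked_key_dead, stuck_key_still_valid


if __name__ == "__main__":
    print(demo())
```

The point the audit trail makes visible is the one the skill description insists on: nothing in this sequence touches git history, and the leaked value only stops working at the disable step. Rewriting history can remove the text from the repo, but only the provider can make the credential dead.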
trufflehog-scanning
Configures and runs TruffleHog v3 - secret scanner with **live verification** (validates discovered secrets against provider APIs to confirm actual exposure vs entropy false positive); supports per-source subcommands (`git`, `github`, `gitlab`, `filesystem`, `s3`, `docker`, `gcs`, `postman`); `--results=verified` filter for high-precision output; `--exclude-detectors=TYPE` for noise reduction; exits 183 on findings via `--fail`. Use when the team needs verified secret findings (low false-positive rate) or scans across cloud + repo + container surfaces.