How It Works¶
The Leash Secrets Protocol¶
Every time your AI agent writes, edits, or reviews code, leash-secrets runs a four-step protocol:
graph TD
A[Agent writes code] --> B[1. SCAN<br/>Check every line against<br/>71 regex patterns]
B --> C[2. CLASSIFY<br/>Critical / Warning / Safe]
C --> D{Severity?}
D -->|🔴 Critical| E[3. BLOCK<br/>Stop immediately<br/>Show warning block<br/>Provide specific fix]
D -->|🟡 Warning| F[3. WARN<br/>Flag inline<br/>Ask user to confirm]
D -->|🟢 Safe| G[3. PASS<br/>Continue silently]
E --> H[4. FIX<br/>Replace with env var<br/>Update .env.example<br/>Update .gitignore]
F --> H Step 1: SCAN¶
The agent checks every line of code it writes or touches against 71 specific regex patterns. These patterns match known secret formats:
| Pattern Type | Example |
|---|---|
| AWS Access Key | AKIA followed by 16 alphanumeric characters |
| GitHub PAT | ghp_ followed by 36 alphanumeric characters |
| Stripe Live Key | sk_live_ followed by 24+ alphanumeric characters |
| Private Key | -----BEGIN RSA PRIVATE KEY----- |
| OpenAI Key | sk-proj- followed by 80+ characters |
This is not fuzzy matching. Each pattern targets a specific, documented secret format.
Step 2: CLASSIFY¶
Each match is classified by severity:
| Severity | Criteria | Action |
|---|---|---|
| 🔴 Critical | Matches a known key prefix (sk-, AKIA, ghp_), PEM header, or connection string with non-placeholder password | Block the agent |
| 🟡 Warning | Generic variable name (API_KEY, SECRET) with a long string value | Flag and ask |
| 🟢 Safe | Clearly a placeholder (your-key-here, changeme, sk_test_) | Continue |
Step 3: ACT¶
Critical findings produce a structured warning block:
⛔ LEASH-SECRETS — SECRET DETECTED
━━━━━━━━━━━━━━━━━━━━━━━━━
Type: [what kind of secret]
File: [where it is]
Value: [redacted — first 6 + last 4 chars]
Risk: [what an attacker can do]
━━━━━━━━━━━━━━━━━━━━━━━━━
FIX: [specific remediation]
The agent stops writing and waits for acknowledgment.
Step 4: FIX¶
For every detected secret, leash-secrets provides a language-appropriate fix:
- Replace the hardcoded value with an environment variable
- Add the variable to
.env.examplewith a placeholder - Ensure
.envis in.gitignore - Suggest the appropriate secret manager for the stack
Architecture¶
┌──────────────────────────────────────────────────────┐
│ Your AI Agent │
│ (Cursor, Claude Code, Codex, Copilot, etc.) │
├──────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────┐ ┌──────────────────────┐ │
│ │ leash-secrets skill │──│ Pattern Library │ │
│ │ (markdown) │ │ (71 JSON patterns) │ │
│ └──────────┬──────────┘ └──────────────────────┘ │
│ │ │
│ ┌──────────┴──────────┐ │
│ │ Leash Secrets │ │
│ │ Protocol │ │
│ │ SCAN → CLASSIFY → │ │
│ │ ACT → FIX │ │
│ └─────────────────────┘ │
│ │
├──────────────────────────────────────────────────────┤
│ Pre-commit Hook (backup safety net) │
└──────────────────────────────────────────────────────┘
Leash Secrets is a prompt-based skill. It lives inside your agent's context window as a set of instructions. No external server, no API calls, no binary dependencies. The agent itself is the detection engine — leash-secrets tells it what to look for and how to respond.
Defense in Depth¶
Leash Secrets is designed to work alongside existing security tools:
| Layer | Tool | When It Catches Secrets |
|---|---|---|
| 1. Creation | leash-secrets | While the AI writes code |
| 2. Commit | leash-secrets pre-commit hook | Before git commit completes |
| 3. Push | GitHub Secret Scanning | When pushed to GitHub |
| 4. Audit | truffleHog, gitleaks | Scanning existing repos and history |
Use all layers for maximum protection.