Detect hardcoded values, magic numbers, and leaked secrets. TRIGGERS - hardcode audit, magic numbers, PLR2004, secret scanning.
Self-Evolving Skill: This skill improves through use. If instructions are wrong, parameters drifted, or a workaround was needed — fix this file immediately, don't defer. Only update for real, reproducible issues.
Use this skill when the user mentions:
# Preflight — verify all tools installed and configured
uv run --python 3.13 --script scripts/preflight.py -- .
# Full audit (all 9 tools, preflight + both outputs)
uv run --python 3.13 --script scripts/audit_hardcodes.py -- src/
# Individual tools (all respect .gitignore):
# Python credential detection (passwords, tokens, API keys in variable names)
uv run --python 3.13 --script scripts/run_bandit.py -- src/
# Entropy-based secret detection (catches secrets regex can't)
uv run --python 3.13 --script scripts/run_trufflehog.py -- src/
# Config file secrets (YAML, JSON, Dockerfile, .env, .properties)
uv run --python 3.13 --script scripts/run_whispers.py -- src/
# AST-based hardcode detection (numeric args, URLs, paths, sleep)
uv run --python 3.13 --script scripts/run_ast_grep.py -- src/
# Python magic numbers only (fastest)
uv run --python 3.13 --script scripts/run_ruff_plr.py -- src/
# Pattern-based detection (URLs, ports, paths, sleep, circuit breaker)
uv run --python 3.13 --script scripts/run_semgrep.py -- src/
# Env-var coverage audit (BaseSettings cross-reference)
uv run --python 3.13 --script scripts/audit_env_coverage.py -- src/
# Copy-paste detection
uv run --python 3.13 --script scripts/run_jscpd.py -- src/
# Regex-based secret scanning (API keys, tokens, passwords)
uv run --python 3.13 --script scripts/run_gitleaks.py -- src/
| Tool | Detection Focus | Language Support | Speed |
|---|---|---|---|
| Preflight | Tool availability + config validation | N/A | Instant |
| Bandit | Hardcoded passwords, tokens in Python (B105-7) | Python | Fast |
| TruffleHog | Entropy-based secret + API verification | Any (file-based) | Medium |
| Whispers | Config file secrets (YAML, JSON, Docker, .env) | Config files | Medium |
| ast-grep | Hardcoded literals in args, sleep, URLs, paths | Multi-language | Fast |
| Ruff PLR2004 | Magic value comparisons | Python | Fast |
| Semgrep | URLs, ports, paths, credentials, retry config | Multi-language | Medium |
| Env-coverage | BaseSettings cross-reference, coverage gaps | Python | Fast |
| jscpd | Duplicate code blocks | Multi-language | Slow |
| gitleaks | Regex-based secrets, API keys, passwords | Any (file-based) | Fast |
{
"summary": {
"total_findings": 42,
"by_tool": { "ruff": 15, "semgrep": 20, "jscpd": 7 },
"by_severity": { "high": 5, "medium": 25, "low": 12 }
},
"findings": [
{
"id": "MAGIC-001",
"tool": "ruff",
"rule": "PLR2004",
"file": "src/config.py",
"line": 42,
"column": 8,
"message": "Magic value used in comparison: 8123",
"severity": "medium",
"suggested_fix": "Extract to named constant"
}
],
"refactoring_plan": [
{
"priority": 1,
"action": "Create constants/ports.py",
"finding_ids": ["MAGIC-001", "MAGIC-003"]
}
]
}
src/config.py:42:8: PLR2004 Magic value used in comparison: 8123 [ruff]
src/probe.py:15:1: hardcoded-url Hardcoded URL detected [semgrep]
src/client.py:20-35: Clone detected (16 lines, 95% similarity) [jscpd]
Summary: 42 findings (ruff: 15, semgrep: 20, jscpd: 7)
--output {json,text,both} Output format (default: both)
--tools {all,ast-grep,ruff,semgrep,jscpd,gitleaks,env-coverage,bandit,trufflehog,whispers} Tools to run
--severity {all,high,medium,low} Filter by severity (default: all)
--exclude PATTERN Glob pattern to exclude (repeatable)
--no-parallel Disable parallel execution
--skip-preflight Skip tool availability check
code-clone-assistant - PMD CPD-based clone detection (DRY focus)| Issue | Cause | Solution |
|---|---|---|
| Ruff PLR2004 zero output | PLR2004 globally suppressed | Run preflight: uv run --python 3.13 --script scripts/preflight.py -- . |
| Ruff PLR2004 not found | Ruff not installed or old | uv tool install ruff or upgrade |
| ast-grep not found | Binary not installed | cargo install ast-grep or brew install ast-grep |
| Semgrep timeout | Large codebase scan | Use --exclude to limit scope |
| jscpd memory error | Too many files | Increase Node heap: NODE_OPTIONS=--max-old-space-size=4096 |
| gitleaks false positives | Test data flagged | Add patterns to .gitleaks.toml allowlist |
| Env-coverage misses | Not using BaseSettings | Only detects pydantic BaseSettings; other config patterns skipped |
| No findings in output | Wrong directory specified | Verify path exists and contains source files |
| JSON parse error | Tool output malformed | Run tool individually with --output text |
| Missing tool in PATH | Tool not installed globally | Run preflight first, then install missing tools |
| Bandit false positives | password = '' in init |
Filter B105 by confidence: --confidence HIGH |
| TruffleHog timeout | Scanning .venv/node_modules | All tools respect .gitignore; ensure large dirs are gitignored |
| TruffleHog regex error | Glob patterns in .gitignore | Complex globs (**/*.rs.bk) are auto-skipped; only simple names used |
| Whispers slow scan | Large directories | Exclude via .gitignore; whispers config auto-generated from it |
| Whispers zero findings | No config files in scope | Whispers targets YAML/JSON/Docker/INI; use on project root, not src/ |
| Severity filter empty | No findings at that level | Use --severity all to see all findings |
After this skill completes, check before closing:
Only update if the issue is real and reproducible — not speculative.
