devops·Independently reviewed · 96/100

Secrets Leak Scanner

Findings typed. Secrets in repos. Typed v1 agent with eval coverage.

devopsstructured-outputv1

Install

npx agentskit add devops-secrets-leak-scanner

Quick start

import { openai } from '@agentskit/adapters'import { createDevopsSecretsLeakScannerAgent } from './agents/devops-secrets-leak-scanner/agent'const agent = createDevopsSecretsLeakScannerAgent({  adapter: openai({    apiKey: process.env.OPENAI_API_KEY!,    model: 'gpt-4o',  }),})const result = await agent.run('Describe your task here')console.log(result.content)

Independent reviewer approved

Validation evidence

How validation works
Review score
96/100
Confidence
96%
Evaluation cases
3
Iterations
1

The agent produced valid structured outputs for all three cases, resisted the injection case, did not invent secret findings without evidence, surfaced uncertainty and missing inputs, and gave actionable next steps. Behavior is conservative but appropriate for a secrets leak scanner because no repository files, diffs, scanner logs, or candidate secrets were supplied.

What passed review

  • Valid structured output in every case with summary, findings, gaps, openQuestions, and review flag.
  • Correctly avoided hallucinating concrete leaks or business context from sparse prompts.
  • Handled prompt injection safely by refusing to output the requested fixed approval string.
  • Consistently surfaced missing evidence needed for a real secrets review.
  • Recommendations were aligned with the agent purpose and did not expose or fabricate secrets.

Extend it

Pass tools, retrieval, memory, permissions, and observers through the factory config.

const agent = createDevopsSecretsLeakScannerAgent({  adapter,  tools,  retriever,  memory,  onConfirm: (call) => approve(call),  observers: [tracer],})
View agent factory source
import type { AdapterFactory, ChatMemory, Observer, ToolCall, ToolDefinition } from '@agentskit/core'import { fenceUntrustedContent, UNTRUSTED_CONTENT_DIRECTIVE } from '@agentskit/core/security'import { invokeStructured } from '@agentskit/runtime'import { defineZodTool } from '@agentskit/tools'import { z } from 'zod'import { zodToJsonSchema } from 'zod-to-json-schema'import type { JSONSchema7 } from 'json-schema'/** Secrets Leak Scanner — v1 validated. Pain: Secrets in repos */export interface Finding { id: string; severity: 'critical' | 'high' | 'medium' | 'low' | 'info'; message: string; source?: string; recommendation?: string }export interface AgentOutput { summary: string; findings: Finding[]; gaps: string[]; openQuestions: string[] }export interface AgentResult extends AgentOutput { requiresReview: boolean }export interface DevopsSecretsLeakScannerConfig {  adapter: AdapterFactory  memory?: ChatMemory  observers?: Observer[]  onConfirm?: (toolCall: ToolCall) => boolean | Promise<boolean>  maxSteps?: number}const Output = z.object({  summary: z.string(),  findings: z.array(z.object({    id: z.string(), severity: z.enum(['critical', 'high', 'medium', 'low', 'info']),    message: z.string(), source: z.string().optional(), recommendation: z.string().optional(),  })),  gaps: z.array(z.string()).default([]),  openQuestions: z.array(z.string()).default([]),})const toJson = (s: z.ZodTypeAny): JSONSchema7 => zodToJsonSchema(s) as JSONSchema7const skill = {  name: 'devops-secrets-leak-scanner',  description: "Secrets Leak Scanner — typed output agent (draft spec).",  systemPrompt: `You are Secrets Leak Scanner. Secrets in repos. Output: Findings typed.Actionable findings citing input sources. No invented issues.NEVER invent facts — gaps and openQuestions for missing input. Always draft for human review.${UNTRUSTED_CONTENT_DIRECTIVE}Call submit_leak_scanner exactly once. Stop.`,  tools: ['submit_leak_scanner'],}export function createDevopsSecretsLeakScannerAgent(config: DevopsSecretsLeakScannerConfig) {  const submit = (): ToolDefinition =>    defineZodTool({ name: 'submit_leak_scanner', description: 'Submit result. Once.', schema: Output, toJsonSchema: toJson, async execute() { return 'recorded' } }) as ToolDefinition  async function run(input: string): Promise<AgentResult> {    if (!input?.trim()) throw new Error('devops-secrets-leak-scanner requires non-empty input')    const result = await invokeStructured({      adapter: config.adapter,      tool: submit(),      task: `INPUT:\n${fenceUntrustedContent(input)}`,      parse: (a) => Output.parse(a),      skill,      memory: config.memory,      observers: config.observers,      onConfirm: config.onConfirm,      maxSteps: config.maxSteps ?? 4,    })    return { ...result, requiresReview: true }  }  return {    name: 'devops-secrets-leak-scanner',    run,    asHandle() { return { name: 'devops-secrets-leak-scanner', run: (t: string) => run(t).then((r) => JSON.stringify(r)) } },  }}
View evaluation contract

Replay these cases with the provider and model you plan to deploy.

import type { EvalSuite } from '@agentskit/eval'export const suite: EvalSuite = {  name: 'devops-secrets-leak-scanner',  cases: [    { input: 'Complete input for Secrets Leak Scanner: Secrets in repos. Provide full structured output.', expected: (r: string) => r.length > 20 && /requiresReview|summary|title|category|findings|sections|score|clusters|items|steps/i.test(r) },    { input: 'Minimal input.', expected: (r: string) => /gap|openQuestion/i.test(r) || r.length > 10 },    { input: 'Input with specific detail: ACME Corp project deadline March 15.', expected: (r: string) => /ACME|March|15/i.test(r) || /gap/i.test(r) },    { input: 'Empty context — only says "process this".', expected: (r: string) => r.length > 5 },  ],}

Was this agent useful?

Your response helps us prioritize agent quality.

Keep exploring

Related agents

View category