Remove Hardcoded Secrets with AI Prompts


TL;DR

These prompts help you find every hardcoded secret in your codebase and migrate them to environment variables. They also guide you through cleaning secrets from git history if needed, because deleting a file doesn't remove it from history.

Find All Hardcoded Secrets

Use this prompt to scan your entire codebase for secrets:

Find All Secrets

Scan this entire codebase for hardcoded secrets and credentials.

Look for:

  1. API keys (patterns: sk_, pk_, api_, key_, apikey, api-key)
  2. Database URLs with credentials
  3. AWS credentials (AKIA, aws_secret)
  4. Private keys and certificates
  5. OAuth secrets and tokens
  6. JWT secrets
  7. Encryption keys
  8. Passwords in any form
  9. Connection strings
  10. Webhook secrets

For each secret found:

  1. File path and line number
  2. What type of secret it is
  3. Whether it appears to be a real secret or a placeholder
  4. The environment variable name it should use

Output as a prioritized list with most critical secrets first.
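The prompt above describes the scan; the script below is an added example of the same thing done deterministically, so you can compare what the AI reports against a fixed rule set. It is not from the original page. The pattern families follow the list above, the rule order is the priority order, and every sample file and value (the key ID, the passwords, the truncated PEM body) is constructed for the demo, not a real credential.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: a small secret scanner over a
# directory tree using the pattern families listed above.  Report line format:
#   path:line:TYPE:real|placeholder
# Rules are ordered by blast radius so the output is already prioritised.
set -u

# Builds a throwaway tree of constructed sample files.  None of the values are
# real credentials: they are made up for this demo.
make_sample_tree() {
  dir=$(mktemp -d)
  cat > "$dir/config.yml" <<'EOF'
stripe_key: "sk_live_0123456789abcdefghijklmn"
database_url: "postgres://app:hunter2@db.internal:5432/app"
aws_access_key_id: "AKIA4Q2H7ZJ6M8NPR3ST"
smtp_password: "hunter2hunter2"
admin_password: "changeme"
EOF
  printf 'STRIPE_KEY=sk_live_xxxxxxxxxxxxxxxxxxxxxxxx\n' > "$dir/.env.example"
  cat > "$dir/deploy.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA-constructed-sample-not-a-real-key
-----END RSA PRIVATE KEY-----
EOF
  printf '%s\n' "$dir"
}

# Heuristic for "real secret or placeholder": obvious template words in the
# value, or a hit inside an example/template file.
is_placeholder() {   # $1 = path, $2 = matched line
  case "$1" in *.example|*.sample|*.template) return 0 ;; esac
  printf '%s' "$2" | grep -qiE 'example|placeholder|your_|xxx|changeme|dummy|<[a-z_ -]+>'
}

# Scans $1 recursively.  Each rule line in the heredoc is "TYPE regex" (ERE);
# read splits on the first blank, so the regex may contain spaces.
scan_secrets() {
  while read -r type regex; do
    (cd "$1" && grep -rnE --exclude-dir=.git -e "$regex" .) 2>/dev/null |
    while IFS= read -r hit; do
      path=${hit%%:*}; path=${path#./}
      rest=${hit#*:}; line=${rest%%:*}; content=${rest#*:}
      flag=real
      is_placeholder "$path" "$content" && flag=placeholder
      printf '%s:%s:%s:%s\n' "$path" "$line" "$type" "$flag"
    done
  done <<'EOF'
PRIVATE_KEY -----BEGIN [A-Z ]*PRIVATE KEY-----
AWS_ACCESS_KEY AKIA[0-9A-Z]{16}
STRIPE_SECRET_KEY sk_(live|test)_[0-9A-Za-z]{16,}
DB_URL_WITH_CREDS [a-z]+://[^:/[:space:]]+:[^@[:space:]]+@
GENERIC_SECRET (secret|password|passwd|token)[a-z_]*[[:space:]]*[=:][[:space:]]*["'][^"']{8,}["']
EOF
}

# Demo run on the constructed tree.
tree=$(make_sample_tree)
scan_secrets "$tree"
rm -rf "$tree"
```

On the sample tree this reports the private key first, then the AWS key, the two Stripe keys (the one in .env.example flagged as a placeholder), the database URL, and the two generic password assignments, of which "changeme" is flagged as a placeholder. A regex scanner like this has no notion of entropy, so pair it with a dedicated tool; its value here is that the output is reproducible, which a conversational prompt is not.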

Replace with Environment Variables

Replace Secrets with Env Vars

Replace all hardcoded secrets with environment variables.

For each secret I have:

  1. Create an appropriate environment variable name
  2. Update the code to read from the env var
  3. Add the variable to .env.example with a placeholder
  4. Add validation to ensure the env var is set

Naming convention:

  • SERVICE_TYPE_PURPOSE (e.g., STRIPE_SECRET_KEY, DATABASE_URL)
  • Use UPPERCASE with underscores

Also:

  • Group related variables together
  • Add comments explaining what each variable is for
  • Create separate sections for required vs optional vars

Make sure the code fails clearly if required secrets are missing rather than failing silently later.
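What "fails clearly" looks like in practice, as an added example that is not part of the original page: a startup script that loads a gitignored .env, checks that every required variable is set and is not still the .env.example placeholder, and only then hands off to the program. The variable names, the placeholder heuristic and the DOTENV_FILE override are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: the fail-fast startup check the
# prompt above asks for.  Variable names follow the SERVICE_TYPE_PURPOSE
# convention; the specific names and the placeholder heuristic are assumptions.
set -u

REQUIRED_VARS="DATABASE_URL STRIPE_SECRET_KEY JWT_SECRET"   # app refuses to start without these
OPTIONAL_VARS="SENTRY_DSN"                                  # missing is fine, just report it

# Sources a .env file (KEY=VALUE per line) and exports everything it defines.
# The file itself must be gitignored; commit only .env.example.
load_dotenv() {   # $1 = path
  [ -f "$1" ] || return 0
  set -a; . "$1"; set +a
}

# Returns 1 and lists every required variable that is unset or empty.
check_required_env() {
  missing=""
  for name in $REQUIRED_VARS; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  [ -z "$missing" ] || { echo "missing required environment variables:$missing" >&2; return 1; }
}

# Catches the other silent failure: a .env.example placeholder copied verbatim.
looks_like_placeholder() {   # $1 = value
  printf '%s' "$1" | grep -qiE '^(changeme|replace_me|your_|xxx|<)'
}

# Full check: present, not a placeholder, and a note for each optional var left unset.
validate_env() {
  check_required_env || return 1
  bad=""
  for name in $REQUIRED_VARS; do
    eval "value=\${$name:-}"
    looks_like_placeholder "$value" && bad="$bad $name"
  done
  [ -z "$bad" ] || { echo "placeholder values still set for:$bad" >&2; return 1; }
  for name in $OPTIONAL_VARS; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || echo "note: optional $name not set" >&2
  done
}

# Entry point: load .env if present, validate, and only then start the program.
load_dotenv "${DOTENV_FILE:-.env}"
if validate_env; then
  echo "configuration OK"   # exec ./server "$@" would go here
else
  echo "refusing to start" >&2
fi
```

The same shape works in any language: enumerate required names in one place, check them all before doing any work, and report the complete list of missing names in one message rather than crashing on the first one deep inside a request handler.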

Clean Git History

Warning: If secrets were ever committed, they remain in git history after the file is deleted, and every clone, fork, CI cache and backup made since then holds a copy that no rewrite can recall. Rotate the exposed secrets first; then, for public repos or any suspected exposure, also clean the history so the old value stops circulating.

Check Git History for Secrets

Help me check if secrets exist in my git history and remove them.

First, help me search git history:

  1. Commands to search for secret patterns in all commits
  2. How to find when a secret was first committed
  3. How to see all files that ever contained secrets

Then, if secrets are found:

  1. Explain the risks of secrets in git history
  2. Provide options: BFG Repo-Cleaner vs git filter-repo (upstream git documentation now steers users away from git filter-branch toward filter-repo)
  3. Give step-by-step commands for the safer option
  4. Explain what happens to existing clones/forks

Important considerations:

  • Impact on collaborators
  • Need to force-push (coordinate with team)
  • Secrets still need to be rotated regardless

Using BFG Repo-Cleaner

BFG Cleanup Commands

Give me the exact commands to remove secrets from git history using BFG Repo-Cleaner.

My situation:

  • The secrets I need to remove are: list your secrets
  • The files containing secrets were: list files

I need:

  1. How to install BFG
  2. Commands to create a backup first
  3. Commands to remove the specific secrets
  4. Commands to clean up and force push
  5. What to tell collaborators to do with their clones

Also explain:

  • Why BFG (or git filter-repo) is preferred over git filter-branch, which git's own documentation warns against
  • How to verify the secrets are actually gone
  • What to do if the repo has forks
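The two prompts above (history search and BFG cleanup) share one mechanism, so here is a single added example covering both; it is not code from the original page. It builds a throwaway repository in which a secret is committed and then "deleted", runs the history searches the first prompt asks for, and defines the verification check to run after a rewrite. The BFG commands are included as a function that is only executed if BFG_JAR points at the jar, since the demo cannot assume it is installed. The secret value is AWS's documented example key ID, not a live credential, and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: a throwaway repository in which a
# secret was committed and then "deleted", the history searches the prompts
# above ask for, and the verification step to run after a BFG rewrite.
set -u

SECRET='AKIAIOSFODNN7EXAMPLE'   # AWS's published example key ID, used as a constructed sample

# Build the repo: commit the secret, then remove the file in a later commit.
make_demo_repo() {
  dir=$(mktemp -d)
  (
    cd "$dir" || exit 1
    git -c init.defaultBranch=main init -q
    git config user.email dev@example.com
    git config user.name dev
    printf 'AWS_ACCESS_KEY_ID=%s\n' "$SECRET" > config.env
    git add config.env
    git commit -q -m 'add deployment config'
    git rm -q config.env
    git commit -q -m 'remove config file'   # gone from HEAD, not from history
  ) >/dev/null
  printf '%s\n' "$dir"
}

# Commits whose diff adds or removes the string (git "pickaxe" search), newest first.
commits_touching_secret() {   # $1 = repo, $2 = secret
  git -C "$1" log --all --format=%H -S"$2"
}

# The commit that first introduced it.
first_commit_with_secret() {
  git -C "$1" log --all --reverse --format=%H -S"$2" | head -n 1
}

# Every path, in any commit reachable from any ref, that ever contained it.
files_ever_containing_secret() {
  git -C "$1" rev-list --all | xargs git -C "$1" grep -l -F "$2" 2>/dev/null |
    cut -d: -f2 | sort -u
}

# Returns 0 only when the string is in no reachable commit AND in no unreachable
# object.  Run this after "git reflog expire --expire=now --all && git gc --prune=now".
secret_absent() {
  if git -C "$1" rev-list --all | xargs git -C "$1" grep -l -F "$2" 2>/dev/null | grep -q .; then
    return 1
  fi
  git -C "$1" fsck --unreachable --no-reflogs 2>/dev/null | awk '/blob/ {print $3}' |
    while read -r blob; do git -C "$1" cat-file -p "$blob"; done | grep -q -F "$2" && return 1
  return 0
}

# The BFG rewrite itself.  Not executed here unless BFG_JAR is set: it needs the
# BFG jar and a fresh --mirror clone.  $2 lists one secret string per line.
bfg_rewrite() {   # $1 = path to mirror clone, $2 = replacements file
  [ -f "$2" ] || { echo "replacements file $2 not found" >&2; return 2; }
  java -jar "${BFG_JAR:?set BFG_JAR to the path of bfg.jar}" --replace-text "$2" "$1" &&
    git -C "$1" reflog expire --expire=now --all &&
    git -C "$1" gc --prune=now --aggressive
  # then: git -C "$1" push --force   (only after the team has been warned)
}

# Demo run.
repo=$(make_demo_repo)
echo "working tree still has config.env? $(git -C "$repo" ls-files | grep -c config.env)"
echo "commits touching the secret:"; commits_touching_secret "$repo" "$SECRET"
echo "first introduced in: $(first_commit_with_secret "$repo" "$SECRET")"
echo "files that ever held it: $(files_ever_containing_secret "$repo" "$SECRET")"
secret_absent "$repo" "$SECRET" && echo "history is clean" || echo "still in history: rotate it now"
rm -rf "$repo"
```

Two caveats a practitioner should keep in mind. BFG protects the commit at HEAD by default, so the secret must already be removed from the current tree before the rewrite, and the replacement happens in your mirror clone only: the old objects survive on the server and in every existing clone until those are re-cloned or force-updated, which is why the rotation step comes first regardless of how clean secret_absent reports the local repo to be.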

Prevent Future Hardcoding

Prevent Future Secrets

Set up safeguards to prevent hardcoded secrets in the future.

Implement:

  1. Pre-commit hooks to scan for secrets
  2. CI/CD checks that fail on detected secrets
  3. IDE/editor plugins for real-time detection
  4. Code review guidelines for the team

Create:

  1. .pre-commit-config.yaml with secret detection
  2. GitHub Actions workflow for PR scanning
  3. Documentation for the team on proper secret handling
  4. A checklist for code reviewers
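The two configuration files the list above asks for, as an added example rather than anything from the original page: a pre-commit hook that runs gitleaks on staged changes, and a GitHub Actions workflow that fails a pull request when gitleaks finds a secret. Both files are shown in one YAML stream separated by a document marker; the filenames, workflow name and the pinned version tag are assumptions, so replace the tag with a release you have checked. At the time of writing gitleaks-action also needs a GITLEAKS_LICENSE secret for organisation-owned repositories.

```yaml
# .pre-commit-config.yaml  (filename as named in the list above)
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.4            # assumed version: pin to a release tag you have verified
    hooks:
      - id: gitleaks        # scans the staged diff; blocks the commit on a finding
---
# .github/workflows/secret-scan.yml  (assumed path and name)
name: secret-scan
on:
  pull_request:
  push:
    branches: [main]
jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0    # full history so every commit in the PR is scanned, not just the tip
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}   # required for organisation repos
```

The pre-commit hook is the cheap, early check and is only as good as each developer's local setup; the workflow is the one that cannot be skipped, so treat it as the enforcement point and make it a required status check on the protected branch.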

Remember: After removing secrets from code, always rotate them, and do it before the history rewrite rather than after. Even if you think no one saw them, treat them as compromised. Generate new credentials, supply them through your environment variables, and never commit the replacements.

Is it enough to just delete the file with secrets?

No. Git keeps every version of every file, so the secret is still readable in past commits (for example via git log -p or git show <commit>:<path>), and hosting platforms can keep a rewritten commit reachable by its SHA until they garbage-collect it. Rotate the secret, and clean the history as well if the repository is shared.

Do I need to clean history if my repo is private?

Rotate the secret regardless. Whether to also rewrite history depends on your risk tolerance: anyone with repo access, including future collaborators, contractors and any CI system that clones it, could find the old value, so if the secret unlocks sensitive data or expensive services it is safer to clean the history too.

What if I can't clean the git history?

At minimum, rotate all exposed secrets immediately; the old values stay in history but stop working. Make sure the replacements are read from the environment rather than committed again, and record the exposure and the rotation for compliance purposes.
