Improve secrets credential classification#2759

Closed
clynbmilio wants to merge 1 commit into UnitOneAI:main from clynbmilio:improve/secrets-management-credential-classification
Conversation

@clynbmilio commented Jun 19, 2026


Closes #2760

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: secrets-management
Skill path: skills/devsecops/secrets-management/SKILL.md

What Was Wrong

The skill had two related precision problems:

  1. Missing secret-detection tooling could be reported as a Critical finding even when no secret value was present. That conflicted with the skill's own guidance to exclude architecture/control gaps from numbered secret findings.
  2. The detection guidance covered AWS AKIA access key IDs and classic GitHub PAT prefixes, but missed common modern credential variants such as AWS STS ASIA temporary credentials and GitHub fine-grained PATs.

What This PR Fixes

  • Adds AWS STS ASIA access key ID coverage and aws_session_token guidance.
  • Adds GitHub fine-grained PAT prefix coverage.
  • Adds credential-set validation guidance so reviewers distinguish standalone identifiers from complete credential bundles.
  • Separates actual secret exposure findings from program control gaps in classification and output format.
  • Adds provider references for AWS and GitHub token-family behavior.
  • Adds a 1.0.2 changelog entry for the skill update.
  • Bumps secrets-management from 1.0.1 to 1.0.2.

Evidence

Before: false positive path

name: ci
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test

A repo like this has no observed hardcoded secret, but the prior classification could still turn "no secret detection tooling deployed" into a Critical finding.

After: correctly handled

### Secret Detection Tooling Status
- Missing local scanner config: program control gap

### Secret Exposure Findings
- No finding unless an actual secret value is present

Before: missed credential variant

aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = IQoJb3JpZ2luX2VjEExampleOnlyNotARealToken

After: now covered

(?:AKIA|ASIA)[0-9A-Z]{16}
(?:aws_session_token|AWS_SESSION_TOKEN)\s*[=:]\s*[A-Za-z0-9/+=]{20,}

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
  • Added benign test cases (tests/benign/)
  • Existing tests still pass / not applicable: this repository skill is Markdown-only and this change was validated with git diff --check plus before/after examples in the PR body.

Submission Checklist

  • Skill follows the format specification in CONTRIBUTING.md.
  • Existing framework references remain OWASP Secrets Management and NIST SP 800-57 Part 1 Rev 5.
  • Provider references added from AWS and GitHub primary documentation.
  • Prompt Injection Safety Notice remains included.
  • injection-hardened: true remains set.
  • allowed-tools remains scoped to Read, Grep, and Glob.
  • No new skill index entry required because this improves an existing skill.

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: PayPal; payout email can be provided privately after acceptance.
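The classification the PR body describes (complete AWS credential set vs. standalone access key ID, secret exposure findings kept apart from program control gaps, STS ASIA and fine-grained PAT coverage) can be exercised end to end with a small classifier. The block below is an added example written for this page, not code from the secrets-management skill or the SecuritySkills repository. The AWS key-ID and session-token regexes are the ones quoted in the PR body; the secret-access-key regex, the GitHub PAT regex (classic `ghp_` and fine-grained `github_pat_` prefixes, from GitHub's documented token formats), the severity labels, the `scanner_config_present` flag, and all sample inputs are assumptions made here. The AWS values are the well-known `EXAMPLE` placeholders already shown in the PR body; the GitHub token is constructed.

```python
"""Added example: separate secret exposure findings from program control gaps.

Not the skill's own code. Regexes for the AWS key ID and session token follow
the PR body; the other patterns, severities and inputs are assumptions."""
import re
from dataclasses import dataclass

# From the PR body: long-lived (AKIA) and STS temporary (ASIA) access key IDs.
AWS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Assumed here: a 40-character secret access key assigned to the usual variable.
AWS_SECRET = re.compile(
    r"(?:aws_secret_access_key|AWS_SECRET_ACCESS_KEY)\s*[=:]\s*([A-Za-z0-9/+]{40})")
# From the PR body: session token that accompanies ASIA credentials.
AWS_SESSION = re.compile(
    r"(?:aws_session_token|AWS_SESSION_TOKEN)\s*[=:]\s*([A-Za-z0-9/+=]{20,})")
# Assumed here: GitHub classic (ghp_) and fine-grained (github_pat_) PAT prefixes.
GITHUB_PAT = re.compile(r"\b(ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b")


@dataclass(frozen=True)
class Finding:
    severity: str
    description: str


def classify(text: str, scanner_config_present: bool) -> dict:
    """Return numbered secret findings, identifier-only notes and control gaps.

    A finding is raised only when an actual secret value (secret access key,
    session token or PAT) is present; a bare access key ID is an identifier.
    Missing scanner configuration is reported as a program control gap and
    never as a numbered finding."""
    exposures, identifiers, control_gaps = [], [], []
    key_ids = AWS_KEY_ID.findall(text)
    secrets = AWS_SECRET.findall(text)
    sessions = AWS_SESSION.findall(text)

    for key_id in key_ids:
        temporary = key_id.startswith("ASIA")
        if not secrets:
            identifiers.append(
                f"{key_id}: access key ID only, no secret value present (identifier, not a secret finding)")
        elif temporary and not sessions:
            # A secret value is exposed, but ASIA keys are unusable without the session token.
            exposures.append(Finding(
                "high", f"{key_id}: secret access key present but no aws_session_token; STS credential set incomplete"))
        else:
            kind = "temporary (STS)" if temporary else "long-lived"
            exposures.append(Finding("critical", f"{key_id}: complete {kind} AWS credential set exposed"))

    if secrets and not key_ids:
        exposures.append(Finding("high", "AWS secret access key present without a paired access key ID"))

    for token in GITHUB_PAT.findall(text):
        kind = "fine-grained" if token.startswith("github_pat_") else "classic"
        # The token itself is self-contained, so it is reported without echoing its value.
        exposures.append(Finding("critical", f"GitHub {kind} personal access token exposed (value redacted)"))

    if not scanner_config_present:
        control_gaps.append(
            "no secret-detection scanner configuration found (program control gap, not a numbered finding)")

    return {
        "secret_exposure_findings": exposures,
        "identifier_observations": identifiers,
        "program_control_gaps": control_gaps,
    }


# Constructed sample inputs. AWS values are the EXAMPLE placeholders from the PR body.
CI_WORKFLOW = """name: ci
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test
"""
STS_CREDENTIAL_SET = """aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = IQoJb3JpZ2luX2VjEExampleOnlyNotARealToken
"""
STS_WITHOUT_SESSION = "\n".join(STS_CREDENTIAL_SET.splitlines()[:2]) + "\n"
STANDALONE_KEY_ID = "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
FINE_GRAINED_PAT = "GITHUB_TOKEN=github_pat_" + "A" * 22 + "_EXAMPLEONLY\n"  # constructed, not a real token


if __name__ == "__main__":
    for label, sample, has_scanner in [
        ("ci workflow, no scanner", CI_WORKFLOW, False),
        ("sts credential set", STS_CREDENTIAL_SET, True),
        ("sts without session token", STS_WITHOUT_SESSION, True),
        ("standalone key id", STANDALONE_KEY_ID, True),
        ("fine-grained pat", FINE_GRAINED_PAT, True),
    ]:
        print(label, classify(sample, has_scanner))
```

Running the block prints the three buckets for each sample: the CI workflow yields no secret exposure finding and one program control gap, the full ASIA set yields one Critical finding, the ASIA pair without a session token yields a High finding, the standalone AKIA key ID yields only an identifier observation, and the fine-grained PAT yields a Critical finding.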

@clynbmilio clynbmilio requested a review from kamalsrini as a code owner June 19, 2026 06:51
@github-actions github-actions Bot added the needs-approved-issue PR has no linked maintainer-approved issue label Jun 19, 2026
@github-actions


Thanks for the submission! 🙏 SecuritySkills is now issue-first: contributions need a linked issue that a maintainer has marked approved before a PR is opened.

Please open an issue describing the skill, wait for the approved label, then reopen this PR with Closes #<issue> in the description. The PR template lists everything we'll look for (including an independently runnable reproduction).

@clynbmilio


Opened #2760 per the issue-first policy and updated this PR body with Closes #2760. I will wait for the approved label on the issue before reopening this PR.

Development

Successfully merging this pull request may close these issues.

[IMPROVEMENT] secrets-management: add AWS STS temporary credential-set validation

1 participant