2.6k
GitHub Stars
3
Bundled Files
2 months ago
Catalog Refreshed
3 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill openclaw/skills --skill doro-git-secrets-scanner- _meta.json299 B
- package.json236 B
- SKILL.md4.2 KB
Overview
This skill is a Git security scanner that detects sensitive information in commits and repository history, such as API keys, passwords, tokens, and private keys. It wraps popular tools and patterns (Gitleaks, TruffleHog, git-secrets) and provides practical commands, configs, and remediation steps to find and remove leaked secrets quickly.
How this skill works
The scanner inspects working trees, commit ranges, and full repository history using regex rules, entropy checks, and optional live validation. It can run locally, as pre-commit hooks, or in CI pipelines and produces structured findings with file, line, commit, and fingerprint details. Custom rules and allowlists are supported for tailored scanning.
When to use it
- Before committing code: run staged-file scans to catch secrets pre-commit.
- On pull requests and pushes: integrate into CI to prevent secrets from entering main branches.
- When onboarding a new repo: scan full history to detect legacy leaks.
- During incident response: identify commits and files that contain leaked keys.
- Regular audits: schedule weekly or nightly scans across multiple repositories.
Best practices
- Use Gitleaks for fast, default scanning and add custom rules in .gitleaks.toml.
- Install git-secrets as a pre-commit hook to block common patterns at commit time.
- Keep fetch-depth 0 in CI to allow full-history scans when required.
- Treat findings as potentially valid: revoke exposed keys immediately and rotate credentials.
- Maintain an allowlist for false positives and tune regex/entropy thresholds.
Example use cases
- CI security job: run gitleaks action on pull requests to prevent secrets from merging.
- Pre-commit protection: install git-secrets to scan staged changes locally.
- Repository audit: run gitleaks detect --log-opts='--all' to scan entire history for leaks.
- Bulk scanning: loop through project directories to run automated nightly scans.
- Post-leak cleanup: use BFG to remove sensitive files or replace secrets from history.
FAQ
Start with Gitleaks for broad coverage and speed, add git-secrets for pre-commit blocking, and use TruffleHog when you need validation of suspected secrets.
How do I handle false positives?
Add patterns or paths to the allowlist, tune regex rules and entropy thresholds, and validate each finding before revoking credentials.