git-secrets-scanner_skill

This skill scans git commits for sensitive data leaks and helps you quickly identify and remediate API keys, passwords, and tokens.
  • Python

2.6k

GitHub Stars

3

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill openclaw/skills --skill git-secrets-scanner

  • _meta.json298 B
  • package.json236 B
  • SKILL.md4.2 KB

Overview

This skill is a git secrets scanner that detects sensitive information in commits, history, and staged changes. It focuses on API keys, passwords, tokens, private keys, and common secret patterns. The skill recommends and orchestrates tools like Gitleaks, TruffleHog, and git-secrets for local, pre-commit, and CI scanning.

How this skill works

The scanner inspects repository files, commit history, specific commits, and staged changes using configurable rules and regex patterns. It can run quick scans on the current repo, deep scans across all history, and targeted checks on single commits. Integrations include pre-commit hooks and CI actions to automate detection before merge or deployment.

When to use it

  • Before committing code to detect secrets in staged changes
  • When onboarding a repo to scan full history for prior leaks
  • In CI/CD pipelines to block pull requests containing secrets
  • During audits or routine scheduled scans across many repositories
  • After a suspected compromise to locate leaked keys in history

Best practices

  • Enable pre-commit scanning (git-secrets or gitleaks protect) to catch issues early
  • Run full-history scans after adding the tool to an existing repo to uncover past leaks
  • Automate weekly or nightly scans for large codebases and multi-repo environments
  • Use allowlists and custom rules to reduce false positives and tune entropy thresholds
  • Revoke and rotate any discovered keys immediately and remove them from git history with tools like BFG

Example use cases

  • Block merge when a developer accidentally commits an API key by using a pre-commit gitleaks check
  • Scan all company repositories in a cron job to find leaked secrets introduced months ago
  • Integrate gitleaks action into GitHub Actions to fail PRs that introduce high-risk tokens
  • Use TruffleHog to validate whether discovered secrets are live and need immediate revocation
  • Create a custom gitleaks config to detect proprietary API key formats (example: moltbook_sk_... )

FAQ

Use Gitleaks for fast, general-purpose scanning and CI integration. Use TruffleHog when you need validation of secrets. Use git-secrets to enforce AWS-related rules via pre-commit hooks.

How do I remediate a discovered secret?

Revoke or rotate the exposed credential, remove it from history (BFG or git-filter-repo), force-push the cleaned branch cautiously, and notify affected teammates and systems.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational