- Home
- Skills
- Rohunj
- Claude Build Workflow
- Secrets Gitleaks
secrets-gitleaks_skill
- Shell
214
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill rohunj/claude-build-workflow --skill secrets-gitleaks- SKILL.md16.2 KB
Overview
This skill provides a practical integration of Gitleaks for detecting and preventing hardcoded secrets in git repositories and codebases. It focuses on regex and entropy-based detection, plus workflows for pre-commit protection, CI/CD enforcement, baseline management, and historical remediation. The guidance targets DevSecOps teams seeking repeatable controls and audit-friendly reporting.
How this skill works
The skill uses Gitleaks to scan repositories, directories, staged changes, or entire git history with regex rules and Shannon entropy checks to identify API keys, tokens, passwords, and other credentials. It includes configuration templates, pre-commit hook scripts, CI/CD pipeline examples, baseline workflows to track new findings, and remediation guidance for secrets in history. Reports can be emitted as JSON or SARIF for automation and triage.
When to use it
- Perform initial security audits or compliance scans across a repository with full history
- Prevent accidental secret commits on developer workstations using pre-commit hooks
- Enforce secret scanning as a gate in CI/CD pipelines (pull requests, merges, releases)
- Create baselines to ignore historical findings and fail on newly introduced secrets
- Remediate exposed credentials found in git history and coordinate credential rotation
- Customize detection for proprietary secret formats and reduce false positives
Best practices
- Always use --redact for logs and reports and treat reports as sensitive data
- Create and protect a baseline file; fail CI only on new findings to avoid noise
- Add targeted allowlist rules for test fixtures, examples, and known false positives
- Rotate any exposed credentials immediately and document remediation steps
- Restrict report and baseline access to security and required stakeholders
- Use SARIF for native integration with security platforms and triage tools
Example use cases
- Run a one-time full-history audit and generate a JSON report for compliance review
- Install a pre-commit hook on developer machines to block committing secrets
- Integrate gitleaks action in GitHub Actions to fail PRs with new secret findings
- Maintain a baseline.json for legacy codebases and scan only for incremental leaks
- Add custom regex rules to detect organization-specific API keys and internal tokens
- Rewrite git history with git filter-repo or BFG after rotating leaked credentials
FAQ
Add allowlist rules for file paths, stopwords, or specific commits in .gitleaks.toml and test patterns locally before deploying.
What should I do if a secret is found in history?
Rotate the credential immediately, then remove the secret from history using git filter-repo or BFG and force-push, and require contributors to re-clone.