secret-scan-gitleaks

Run Gitleaks to detect hardcoded secrets in git repositories. Finds API keys, tokens, passwords, and credentials in code and git history.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "secret-scan-gitleaks" with this command: npx skills add vchirrav/product-security-ai-skills/vchirrav-product-security-ai-skills-secret-scan-gitleaks

Secret Scanning with Gitleaks

You are a security engineer running secret detection using Gitleaks to find hardcoded secrets, API keys, tokens, and credentials in code.

When to use

Use this skill when asked to scan for secrets, credentials, or API keys in a codebase or git history.

Prerequisites

  • Gitleaks installed (brew install gitleaks or download from GitHub releases)
  • Verify: gitleaks version

Instructions

  1. Identify the target — Determine the repository or directory to scan.

  2. Run the scan:

    Scan current state (no git history):

    gitleaks detect --source=<path> --no-git --report-format=json --report-path=gitleaks-results.json

    Scan git history:

    gitleaks detect --source=<path> --report-format=json --report-path=gitleaks-results.json

    • Verbose output: add --verbose
    • Custom config: --config=<path-to-.gitleaks.toml>
    • Scan staged changes only: gitleaks protect --staged --report-format=json
  3. Parse the results — Read JSON output and present findings:

| # | Rule | Secret (redacted) | File:Line | Commit | Author | Date |
|---|------|--------------------|-----------|--------|--------|------|

IMPORTANT: Always redact secret values — show only first 4 and last 2 characters.

  4. Summarize — Provide:
    • Total secrets found by type (API key, password, token, etc.)
    • Which secrets are in current code vs only in git history
    • Remediation: rotate secret, remove from code, add to .env / vault
    • Suggest adding .gitleaks.toml allowlist for false positives
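The parsing, redaction and summary described in steps 3 and 4, worked through in code. This is an added example written for this page, not part of the skill or of Gitleaks itself. It assumes the field names of the Gitleaks v8 JSON report (RuleID, Description, File, StartLine, Secret, Commit, Author, Date) and uses two constructed sample reports with fake secret values: one from a --no-git scan of the working tree and one from a full history scan. Comparing the two is how it decides which secrets are still in current code and which survive only in git history; secrets of six characters or fewer are masked entirely, because the "first 4 and last 2" rule would otherwise print them whole.

```python
"""Parse Gitleaks JSON reports, redact secrets, and summarise findings.

Added example for this page; not the skill's own code and not Gitleaks code.
Field names follow the Gitleaks v8 JSON report. Both sample reports below are
constructed for illustration and contain only fake secret values.
"""
import json
from collections import Counter

# Constructed sample: what `gitleaks detect --no-git` reports for the working tree.
CURRENT_REPORT = json.dumps([
    {"RuleID": "generic-api-key", "Description": "Generic API Key",
     "File": "config/settings.py", "StartLine": 12,
     "Secret": "AKIAEXAMPLE0000000001", "Commit": "", "Author": "", "Date": ""},
])

# Constructed sample: what `gitleaks detect` reports across git history.
HISTORY_REPORT = json.dumps([
    {"RuleID": "generic-api-key", "Description": "Generic API Key",
     "File": "config/settings.py", "StartLine": 12,
     "Secret": "AKIAEXAMPLE0000000001",
     "Commit": "0123456789abcdef0123456789abcdef01234567",
     "Author": "Example Dev", "Date": "2024-01-02T03:04:05Z"},
    {"RuleID": "slack-webhook-url", "Description": "Slack Webhook",
     "File": "scripts/notify.sh", "StartLine": 3,
     "Secret": "https://hooks.slack.com/services/T000/B000/XXXXXXXXXXXX",
     "Commit": "89abcdef0123456789abcdef0123456789abcdef",
     "Author": "Example Dev", "Date": "2023-11-20T10:00:00Z"},
    {"RuleID": "generic-api-key", "Description": "Generic API Key",
     "File": "old.env", "StartLine": 1, "Secret": "abc12",
     "Commit": "fedcba9876543210fedcba9876543210fedcba98",
     "Author": "Example Dev", "Date": "2023-05-01T08:00:00Z"},
])


def redact(secret: str) -> str:
    """Show only the first 4 and last 2 characters, masking the middle.
    Anything six characters or shorter is masked entirely: 4 + 2 visible
    characters would reveal such a secret in full."""
    if len(secret) <= 6:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 6) + secret[-2:]


def load_findings(report_json: str) -> list:
    """A Gitleaks report is a JSON array; treat an empty or 'null' report as no findings."""
    return json.loads(report_json) or []


def finding_key(f: dict) -> tuple:
    """Identity of a secret independent of the commit it was observed in."""
    return (f["File"], f["RuleID"], f["Secret"])


def status_of(f: dict, current: list) -> str:
    """'current' if the secret is still in the working tree, else 'history-only'."""
    present = {finding_key(c) for c in current}
    return "current" if finding_key(f) in present else "history-only"


def summarize(current: list, history: list) -> dict:
    """Counts per rule plus the current-vs-history-only split (step 4)."""
    statuses = [status_of(f, current) for f in history]
    return {
        "by_rule": dict(Counter(f["RuleID"] for f in history)),
        "current": statuses.count("current"),
        "history_only": statuses.count("history-only"),
    }


def render_table(current: list, history: list) -> str:
    """Markdown table in the layout from step 3, with secrets redacted."""
    rows = [
        "| # | Rule | Secret (redacted) | File:Line | Commit | Author | Date | Status |",
        "|---|------|-------------------|-----------|--------|--------|------|--------|",
    ]
    for i, f in enumerate(history, 1):
        rows.append(
            f"| {i} | {f['RuleID']} | {redact(f['Secret'])} | "
            f"{f['File']}:{f['StartLine']} | {f['Commit'][:8]} | "
            f"{f['Author']} | {f['Date']} | {status_of(f, current)} |"
        )
    return "\n".join(rows)


if __name__ == "__main__":
    cur, hist = load_findings(CURRENT_REPORT), load_findings(HISTORY_REPORT)
    print(render_table(cur, hist))
    print(summarize(cur, hist))
```

In practice, read the two report files written by --report-path instead of the embedded samples. Gitleaks also accepts a --redact flag that masks secrets in the report itself; running with it means the raw secret never lands in a results file in the first place, and this script then only needs to do the current-vs-history comparison.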

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
