スキル secrets-gitleaks 監査履歴
📦

監査履歴

secrets-gitleaks - 6 監査

監査バージョン 6

最新 中リスク

Jun 28, 2026, 06:25 AM

Static analysis reported many high-risk patterns, but review found they are mostly defensive Gitleaks rules, CI templates, and remediation examples rather than malicious code. No prompt injection or data exfiltration intent was found. Publication is acceptable with a warning because the CI examples execute external commands, read scan reports, upload artifacts, and include some fail-open examples.

12
スキャンされたファイル
3,311
解析された行数
9
検出結果
codex
監査者
中リスクの問題 (2)
assets/github-action.yml:55-61assets/github-action.yml:97-100assets/gitlab-ci.yml:153-179assets/gitlab-ci.yml:187-189
Executable CI Templates Process Repository Contents
Verdict: TRUE_POSITIVE for external command and filesystem access, but legitimate for a Gitleaks skill. The GitHub and GitLab templates run Gitleaks in CI, read generated reports, and upload artifacts. This can expose sensitive findings if artifact access is too broad. Confidence: 0.82. Confidence reasoning: the commands and file reads are explicit, but their purpose is defensive scanning rather than covert exfiltration.
assets/github-action.yml:55-61assets/github-action.yml:75-81assets/github-action.yml:167-173assets/gitlab-ci.yml:38-42assets/gitlab-ci.yml:46-50assets/gitlab-ci.yml:130-134
Fail-Open Secret Scanning Examples
Verdict: TRUE_POSITIVE as a workflow risk. Several examples suppress scanner exit codes with exit-code zero or shell true. Some sections add later checks, but users who copy only the command may create secret gates that pass after findings. Confidence: 0.76. Confidence reasoning: the fail-open commands are visible, while final impact depends on how users copy and deploy the templates.
低リスクの問題 (3)
SKILL.md:156-160assets/config-custom.toml:57-65references/detection_rules.md:198-236
Credential Pattern Findings Are Documentation Examples
Verdict: FALSE_POSITIVE for embedded secret theft. The API key, private key, token, and password strings are detection rules or placeholder patterns. They describe what Gitleaks should find and do not contain real credentials. Confidence: 0.91. Confidence reasoning: the surrounding headings and fields identify these as rule definitions and examples, not operational secrets.
SKILL.md:19-21assets/precommit-config.yaml:6-10assets/github-action.yml:112assets/gitlab-ci.yml:218-222
Hardcoded URL Findings Are Expected References
Verdict: FALSE_POSITIVE for malicious network behavior. The URLs point to official Gitleaks, OWASP, CWE, pre-commit, GitHub, or CI API resources used by documentation and templates. Confidence: 0.88. Confidence reasoning: the URLs are visible references or platform endpoints, with no hidden outbound data channel found.
references/compliance_mapping.md:71-83references/remediation_guide.md:506-526SKILL.md:1-8
Malware Keyword Findings Are Contextual False Positives
Verdict: FALSE_POSITIVE. Static malware and C2 keyword hits appear in compliance and remediation reference material about security controls, not in instructions to deploy malware. No prompt injection language was found. Confidence: 0.84. Confidence reasoning: the reviewed files consistently discuss defensive secret detection and incident response, though broad markdown keyword matches require human context.

リスク要因

🔑 環境変数 (4)
assets/github-action.yml:44-48 assets/github-action.yml:142-144 assets/gitlab-ci.yml:207-222 SKILL.md:109-111
🌐 ネットワークアクセス (4)
SKILL.md:19-21 assets/precommit-config.yaml:6-10 assets/github-action.yml:112 assets/gitlab-ci.yml:218-222
⚙️ 外部コマンド (4)
SKILL.md:35-57 assets/github-action.yml:55-61 assets/github-action.yml:75-81 assets/gitlab-ci.yml:37-56
📁 ファイルシステムへのアクセス (4)
assets/github-action.yml:97-100 assets/github-action.yml:167-173 assets/gitlab-ci.yml:161-179 assets/gitlab-ci.yml:187-189

検出されたパターン

CI Uses External Scanner CommandsCI Reads and Publishes Secret Scan Reports

監査バージョン 5

低リスク

Jan 16, 2026, 04:18 PM

This is a legitimate defensive security tool for detecting hardcoded secrets. All 572 static findings are FALSE POSITIVES triggered by documentation examples, configuration placeholders, and CI/CD templates. No malicious patterns exist. The skill provides guidance for integrating Gitleaks, an established open-source secret scanning tool.

13
スキャンされたファイル
3,610
解析された行数
4
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした

リスク要因

⚙️ 外部コマンド (1)
SKILL.md:36-48
🌐 ネットワークアクセス (1)
assets/github-action.yml:56-61
📁 ファイルシステムへのアクセス (1)
assets/github-action.yml:97-99
🔑 環境変数 (1)
assets/github-action.yml:47-48

監査バージョン 4

低リスク

Jan 16, 2026, 04:18 PM

This is a legitimate defensive security tool for detecting hardcoded secrets. All 572 static findings are FALSE POSITIVES triggered by documentation examples, configuration placeholders, and CI/CD templates. No malicious patterns exist. The skill provides guidance for integrating Gitleaks, an established open-source secret scanning tool.

13
スキャンされたファイル
3,610
解析された行数
4
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした

リスク要因

⚙️ 外部コマンド (1)
SKILL.md:36-48
🌐 ネットワークアクセス (1)
assets/github-action.yml:56-61
📁 ファイルシステムへのアクセス (1)
assets/github-action.yml:97-99
🔑 環境変数 (1)
assets/github-action.yml:47-48

監査バージョン 3

低リスク

Jan 10, 2026, 11:03 AM

This is a defensive security tool that detects hardcoded secrets. Documentation-only skill with configuration templates and CI/CD workflows. No executable scripts included in the bundle. Legitimate security scanning functionality with no malicious patterns.

12
スキャンされたファイル
3,311
解析された行数
4
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした

リスク要因

⚡ スクリプトを含む (1)
SKILL.md:213-219
⚙️ 外部コマンド (1)
SKILL.md:36-48
🌐 ネットワークアクセス (1)
assets/github-action.yml:127-143
📁 ファイルシステムへのアクセス (1)
SKILL.md:58-69

監査バージョン 2

低リスク

Jan 10, 2026, 11:03 AM

This is a defensive security tool that detects hardcoded secrets. Documentation-only skill with configuration templates and CI/CD workflows. No executable scripts included in the bundle. Legitimate security scanning functionality with no malicious patterns.

12
スキャンされたファイル
3,311
解析された行数
4
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした

リスク要因

⚡ スクリプトを含む (1)
SKILL.md:213-219
⚙️ 外部コマンド (1)
SKILL.md:36-48
🌐 ネットワークアクセス (1)
assets/github-action.yml:127-143
📁 ファイルシステムへのアクセス (1)
SKILL.md:58-69

監査バージョン 1

低リスク

Jan 10, 2026, 11:03 AM

This is a defensive security tool that detects hardcoded secrets. Documentation-only skill with configuration templates and CI/CD workflows. No executable scripts included in the bundle. Legitimate security scanning functionality with no malicious patterns.

12
スキャンされたファイル
3,311
解析された行数
4
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした

リスク要因

⚡ スクリプトを含む (1)
SKILL.md:213-219
⚙️ 外部コマンド (1)
SKILL.md:36-48
🌐 ネットワークアクセス (1)
assets/github-action.yml:127-143
📁 ファイルシステムへのアクセス (1)
SKILL.md:58-69
← スキルに戻る