# Scan Repositories for Secrets with Gitleaks

Hardcoded credentials can enter repositories through commits, examples, and configuration files. This skill helps teams add Gitleaks scanning, CI gates, baselines, and remediation workflows.

## Install

```bash
npx skillstore add agentsecops/secrets-gitleaks
```

## Metadata

- Slug: agentsecops-secrets-gitleaks
- Version: 0.1.0
- Author: AgentSecOps
- GitHub username: AgentSecOps
- License: MIT
- Repository: https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/devsecops/secrets-gitleaks
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: medium
- Risk factors: network, filesystem, env_access, external_commands
- Quality score: 50
- Quality tier: warning
- Public page: https://skillstore.pages.dev/skills/agentsecops-secrets-gitleaks
- Manifest: https://skillstore.pages.dev/api/skills/agentsecops-secrets-gitleaks/manifest

## Capabilities

- Explains repository, directory, staged-change, baseline, and SARIF Gitleaks scan workflows.
- Provides GitHub Actions, GitLab CI, and pre-commit configuration templates.
- Includes strict, balanced, and custom Gitleaks TOML configuration examples.
- Maps common secret findings to CWE, OWASP, PCI-DSS, SOC2, and GDPR concerns.
- Guides false positive triage, allowlist design, credential rotation, and git history cleanup.

## Use Cases

- Audit an Existing Repository: Run a full-history Gitleaks scan, review findings, classify false positives, and create a baseline for future checks.
- Block Secrets Before Commit: Install pre-commit scanning so developers catch keys, tokens, and private keys before they reach shared branches.
- Add CI Secret Detection: Adapt GitHub Actions or GitLab CI templates to publish reports and fail builds when new secrets are detected.

## Prompt Templates

### Run My First Secret Scan

```
Help me run a Gitleaks scan on this repository and explain the safest report options for a first audit.
```

### Set Up Pre-Commit Protection

```
Create a pre-commit setup plan for Gitleaks that blocks staged secrets and keeps findings redacted.
```

### Tune False Positives

```
Review these Gitleaks findings and propose allowlist rules that avoid hiding real credentials.
```

### Design a CI Baseline Workflow

```
Design a GitHub Actions or GitLab CI workflow that uses a baseline, fails only on new secrets, and protects reports.
```

## Limitations

- Requires Gitleaks and related CI or pre-commit tools to be installed by the user.
- Does not rotate credentials or validate whether a detected secret is still active.
- Scan reports may contain sensitive findings and need separate access controls.
- The file tree does not include the helper scripts described in SKILL.md.

## Best Practices

- Always use redacted output for logs, pull request comments, and shared reports.
- Rotate exposed credentials before rewriting history or closing the finding.
- Keep allowlists narrow, documented, and reviewed by a security owner.
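The "Audit an Existing Repository" and "Add CI Secret Detection" use cases above, together with the redaction practice in this list, come down to one small piece of logic: compare a fresh scan against a stored baseline, fail only on findings that were not already known, and never let the secret value itself reach a shared artifact. The following Python is an added illustration of that gate, not code from the skill or from Gitleaks. Gitleaks does the baseline comparison natively (`gitleaks detect --baseline-path`), and its own comparison is a field-by-field match whose exact field set depends on the version; keying on the report's `Fingerprint` is this example's simplification, and the two sample reports are constructed.

```python
"""Baseline gate and redaction for Gitleaks JSON reports.

Added example for this page; not code from the skill or from Gitleaks.
The real CLI flow it mirrors (Gitleaks v8 flags):

    gitleaks detect --source . --redact --report-format json \
        --report-path gitleaks-baseline.json          # first full-history audit
    gitleaks detect --source . --redact --report-format json \
        --baseline-path gitleaks-baseline.json --report-path findings.json \
        --exit-code 1                                 # later runs: new findings only

Produce the baseline with the same --redact setting you use on later runs, so
the fields Gitleaks compares line up. Assumption: reports use the Gitleaks v8
JSON layout and every finding carries a "Fingerprint" (commit:file:rule:line
for git scans); this example keys on that field, which is a simplification.
"""
import json

# Constructed sample: the baseline written by an earlier full-history scan.
BASELINE_JSON = """[
  {"RuleID": "aws-access-token", "File": "config/old.env", "StartLine": 3,
   "Commit": "a1b2c3d", "Secret": "AKIAIOSFODNN7EXAMPLE",
   "Match": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
   "Fingerprint": "a1b2c3d:config/old.env:aws-access-token:3"}
]"""

# Constructed sample: a later scan. The old finding is still in history, the
# same key was re-added in a new commit, and a new token has appeared.
CURRENT_JSON = """[
  {"RuleID": "aws-access-token", "File": "config/old.env", "StartLine": 3,
   "Commit": "a1b2c3d", "Secret": "AKIAIOSFODNN7EXAMPLE",
   "Match": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
   "Fingerprint": "a1b2c3d:config/old.env:aws-access-token:3"},
  {"RuleID": "aws-access-token", "File": "deploy/prod.env", "StartLine": 1,
   "Commit": "e4f5a6b", "Secret": "AKIAIOSFODNN7EXAMPLE",
   "Match": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
   "Fingerprint": "e4f5a6b:deploy/prod.env:aws-access-token:1"},
  {"RuleID": "github-pat", "File": "scripts/release.sh", "StartLine": 12,
   "Commit": "e4f5a6b", "Secret": "ghp_EXAMPLE000000000000000000000000000000",
   "Match": "GITHUB_TOKEN=ghp_EXAMPLE000000000000000000000000000000",
   "Fingerprint": "e4f5a6b:scripts/release.sh:github-pat:12"}
]"""


def load_report(text):
    """Parse a Gitleaks JSON report; a clean scan may leave the file empty."""
    text = text.strip()
    return json.loads(text) if text else []


def new_findings(baseline, current):
    """Return findings in `current` whose fingerprint is absent from `baseline`.

    A re-introduced secret lands on a new commit/file/line and so gets a new
    fingerprint: it is reported as new instead of being silently accepted.
    """
    known = {f["Fingerprint"] for f in baseline}
    return [f for f in current if f["Fingerprint"] not in known]


def redact(findings):
    """Scrub the secret value from every string field of each finding.

    Mirrors what --redact does at scan time; applying it again here guards
    against a report produced without that flag reaching logs or PR comments.
    """
    out = []
    for f in findings:
        secret = f.get("Secret", "")
        g = dict(f)
        for key, value in g.items():
            if isinstance(value, str) and secret and secret in value:
                g[key] = value.replace(secret, "REDACTED")
        g["Secret"] = "REDACTED"
        out.append(g)
    return out


def summarize(findings):
    """Count findings per rule: the shape that is safe to post in a PR comment."""
    counts = {}
    for f in findings:
        counts[f["RuleID"]] = counts.get(f["RuleID"], 0) + 1
    return counts


def gate(baseline_text, current_text):
    """CI gate: exit status 1 when new secrets appear, plus the redacted new findings."""
    fresh = new_findings(load_report(baseline_text), load_report(current_text))
    return (1 if fresh else 0), redact(fresh)


if __name__ == "__main__":
    code, report = gate(BASELINE_JSON, CURRENT_JSON)
    print("exit code:", code, "new findings by rule:", summarize(report))
    print(json.dumps(report, indent=2))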

## Anti Patterns

- Do not upload unredacted Gitleaks reports to broadly visible artifacts.
- Do not use broad allowlists that exclude all documentation, tests, or configuration files without review.
- Do not rely on secret removal alone when a credential may already be compromised.

## Security Audit

- - Safe to publish: true
- - Audited at: 2026-06-28T06:25:19.608\+00:00
- - Summary: Static analysis reported many high-risk patterns, but review found they are mostly defensive Gitleaks rules, CI templates, and remediation examples rather than malicious code. No prompt injection or data exfiltration intent was found. Publication is acceptable with a warning because the CI examples execute external commands, read scan reports, upload artifacts, and include some fail-open examples.

## Stats

- - Views: 225
- - Downloads: 4
- - Favorites: 0
- - Popularity score: 0
