Skill

SecretScan

Commit-time secret scanning with gitleaks — prevent credentials from entering git history. USE WHEN scanning for leaked secrets, setting up pre-commit hooks, or auditing repositories for credentials.

npx claudepluginhub n4m3z/forge-core

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Prevent secrets from entering git history using [gitleaks][GITLEAKS].

Supporting Assets

SKILL.yaml

SKILL.md

Similar Skills

cache-components

139.4k

Guides Next.js Cache Components and Partial Prerendering (PPR): 'use cache' directives, cacheLife(), cacheTag(), revalidateTag() for caching, invalidation, static/dynamic optimization. Auto-activates on cacheComponents: true.

cache-components

pdf

131.6k

Processes PDFs: extracts text/tables/images, merges/splits/rotates pages, adds watermarks, creates/fills forms, encrypts/decrypts, OCRs scans. Activates on PDF mentions or output requests.

11 files

document-skills

Stats

Stars4

Forks2

Last CommitMay 9, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

SecretScan

Prevent secrets from entering git history using gitleaks.

Setup

Install

brew install gitleaks

Scan the working tree

gitleaks detect --source . --no-git

Scan git history

gitleaks detect --source .

Scan staged files only

For pre-commit checks where only staged content matters:

gitleaks protect --source . --staged --no-banner

gitleaks protect (vs detect) operates on the working-tree diff and is faster than a full scan when integrated into a pre-commit flow.

Baseline known findings

If the repo has historical secrets that have been rotated, create a baseline so future scans only flag new leaks:

gitleaks detect --source . --report-path .gitleaks-baseline.json
gitleaks detect --source . --baseline-path .gitleaks-baseline.json

Pre-commit hook

Add to .pre-commit-config.yaml:

- id: gitleaks
  name: gitleaks
  entry: gitleaks detect --no-banner --no-git -s .
  language: system
  pass_filenames: false

.gitleaks.toml

Config file at the project root for allowlists. Use path exclusions, not fingerprints — fingerprints break when line numbers shift:

[allowlist]
paths = [
    "evals/baselines/.*",
    "tests/fixtures/.*",
]

Output format

Present findings grouped by severity, never echoing the secret value:

## Secret Scan: <repo>

**Mode**: working tree | staged | history
**Findings**: <count>

### Critical (must fix before merge)
- <file>:<line> <rule-id> — short description

### Allowlisted (known safe)
- <file>:<line> <rule-id> — reason

### Recommendation
<fix | baseline | allowlist guidance>

Constraints

Never display the actual secret value in scan output — show only rule ID, file, and line
Never commit .env, credentials, or API keys — even to private repos
If gitleaks is not installed, print the install command (brew install gitleaks) and stop — do not partially scan
If gitleaks blocks a commit, fix the leak; do not bypass with --no-verify
Recommend baselining over --no-verify for historical secrets that have already been rotated
Flag any .env file that is not in .gitignore as a configuration issue
Different gitleaks versions detect different patterns; if local passes but CI fails, check version mismatch