Secret detection and credential scanning using gitleaks. Use when scanning repositories for leaked secrets, API keys, passwords, tokens, or implementing pre-commit security checks.
Scans repositories for leaked secrets and blocks commits containing sensitive data.
Install:

```shell
npx claudepluginhub vinnie357/claude-skills
```

This skill inherits all available tools. When active, it can use any tool Claude has access to.

Files:

- hooks/check-secrets-before-commit.sh
- scripts/gitleaks.nu
- scripts/gitleaks.sh
- templates/mise.toml

This skill activates when performing secret detection, credential scanning, or implementing security checks for leaked sensitive data in code repositories.
Activate when:
When this skill is loaded, a pre-commit hook automatically scans staged files for secrets before every git commit command. This provides defense in depth by catching secrets before they enter git history.

```text
git commit -m "message"
        ↓
PreToolUse hook fires
        ↓
Extract staged files
        ↓
Run gitleaks --no-git
        ↓
   ┌─ Clean ─┴─ Secrets ─┐
   ↓                     ↓
Allow commit       Block commit
                   (exit code 2)
```
The hook also uses:

- `.gitleaks-baseline.json` if present, to ignore known false positives
- `.gitleaks.toml` if present, for custom detection rules

If the hook detects secrets, the commit is blocked with guidance:

```text
[gitleaks] SECRETS DETECTED in staged files!
[gitleaks] Commit blocked. Remove secrets before committing.
[gitleaks]
[gitleaks] Options:
[gitleaks] 1. Remove the secret from the file
[gitleaks] 2. Use environment variables instead
[gitleaks] 3. Add to .gitleaks-baseline.json if false positive
```
The hook requires a container runtime to run gitleaks. It auto-detects:

- Apple Container
- Docker
- Colima
If no runtime is available, the hook logs a warning and allows the commit.
Use the security-review skill for:
| Task | Use security | Use security-review |
|---|---|---|
| Scan for secrets in code | ✓ | |
| Detect leaked API keys | ✓ | |
| Pre-commit secret scanning | ✓ | |
| STRIDE threat modeling | | ✓ |
| Security architecture review | | ✓ |
| Vulnerability assessment | | ✓ |
| Security report documentation | | ✓ |
| Risk prioritization | | ✓ |
Gitleaks is an open-source tool for detecting secrets and sensitive information in git repositories. It scans commit history and file contents for patterns matching known secret formats.
```shell
# Scan current directory
gitleaks detect --source="." -v

# Scan with JSON report
gitleaks detect --source="." -v --report-path=report.json --report-format=json

# Scan only staged changes (pre-commit)
gitleaks protect --staged

# Scan git history
gitleaks detect --source="." --log-opts="--all"
```
Create a .gitleaks.toml file to customize detection:
```toml
[extend]
# Extend default rules
useDefault = true

[[rules]]
id = "custom-api-key"
description = "Custom API Key Pattern"
regex = '''(?i)custom[_-]?api[_-]?key['\"]?\s*[=:]\s*['\"]([a-zA-Z0-9]{32,})'''
keywords = ["custom_api_key", "custom-api-key"]

[allowlist]
# Path patterns are unanchored regexes: '(.*)?test(.*)' also skips paths such as
# "src/latest/", and '\.git' also matches ".github/" and ".gitignore".
paths = [
  '''\.gitleaks\.toml$''',
  '''(.*)?test(.*)''',
  '''\.git'''
]
regexes = [
  '''EXAMPLE_.*''',
  '''REDACTED'''
]
```
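To see what the rule and allowlist above actually catch and skip, here is an added example (not part of the skill) that applies them to constructed sample files in Python, including the path allowlist matching "latest" because it contains "test":

```python
import re
from dataclasses import dataclass

# Rule and allowlist copied from the .gitleaks.toml above; Python's re accepts this syntax.
RULE_ID = "custom-api-key"
RULE_RE = re.compile(r"""(?i)custom[_-]?api[_-]?key['\"]?\s*[=:]\s*['\"]([a-zA-Z0-9]{32,})""")
KEYWORDS = ("custom_api_key", "custom-api-key")
ALLOW_PATHS = [re.compile(p) for p in (r"\.gitleaks\.toml$", r"(.*)?test(.*)", r"\.git")]
ALLOW_REGEXES = [re.compile(p) for p in (r"EXAMPLE_.*", r"REDACTED")]


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    rule_id: str
    secret: str


def scan_file(path: str, text: str) -> list[Finding]:
    """Apply the custom rule to one file the way gitleaks evaluates it."""
    # paths allowlist: an unanchored regex match skips the whole file
    if any(p.search(path) for p in ALLOW_PATHS):
        return []
    # keywords are a cheap pre-filter; the regex only runs if one occurs (case-insensitive)
    if not any(k in text.lower() for k in KEYWORDS):
        return []
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = RULE_RE.search(line)
        # allowlist regexes are checked against the captured secret (gitleaks' default target)
        if m and not any(a.search(m.group(1)) for a in ALLOW_REGEXES):
            findings.append(Finding(path, lineno, RULE_ID, m.group(1)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_file(path, text)]


# Constructed sample files; the key values are made up for this example.
SAMPLE_FILES = {
    "src/config.py": 'CUSTOM_API_KEY = "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6"\n',
    "docs/example.md": "custom-api-key: 'REDACTEDREDACTEDREDACTEDREDACTED'\n",
    # "latest" contains "test", so the (.*)?test(.*) path allowlist silently skips this file
    "src/latest/settings.py": 'CUSTOM_API_KEY = "Z9y8X7w6V5u4T3s2R1q0P9o8N7m6L5k4"\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.file}:{f.line} {f.rule_id} secret={f.secret[:4]}...")
```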
gitleaks exit codes:

- `0`: No leaks found
- `1`: Leaks detected

This skill includes scripts for running gitleaks with automatic container runtime detection.
Cross-platform Nushell script with automatic runtime detection:
```shell
# Run with auto-detected runtime
nu scripts/gitleaks.nu

# Specify runtime
nu scripts/gitleaks.nu --runtime docker
nu scripts/gitleaks.nu --runtime container # Apple Container (macOS 26+)
nu scripts/gitleaks.nu --runtime colima

# Generate report
nu scripts/gitleaks.nu --report ./report.json

# Use custom config
nu scripts/gitleaks.nu --config ./.gitleaks.toml

# Scan specific path
nu scripts/gitleaks.nu --path ./src
```
Bash script with the same capabilities:
```shell
# Run with auto-detected runtime
./scripts/gitleaks.sh

# Specify runtime
./scripts/gitleaks.sh --runtime docker
./scripts/gitleaks.sh -R container

# Generate report
./scripts/gitleaks.sh --report ./report.json

# Use custom config
./scripts/gitleaks.sh --config ./.gitleaks.toml
```
The scripts support three container runtimes with automatic detection:
Apple Container, the native container support in macOS 26 and later:

```shell
# Check status
container system status

# Start runtime
container system start

# Run gitleaks
container run -v $(pwd):/code zricethezav/gitleaks detect --source="/code" -v
```
Docker Desktop or Docker Engine:

```shell
# Check status
docker info >/dev/null 2>&1

# Start (macOS)
open -a Docker

# Run gitleaks
docker run -v $(pwd):/code zricethezav/gitleaks detect --source="/code" -v
```
Colima, a lightweight runtime managed through mise:

```shell
# Check status
mise exec colima@latest -- colima status

# Start runtime
mise exec colima@latest -- colima start

# Run gitleaks
mise exec colima@latest -- docker run -v $(pwd):/code zricethezav/gitleaks detect --source="/code" -v
```
Using mise exec provides automatic installation and version management without requiring global installation.
Add gitleaks to pre-commit hooks:

```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks
```

Install and run:

```shell
pre-commit install
pre-commit run gitleaks --all-files
```
GitHub Actions workflow:

```yaml
name: Gitleaks
on: [push, pull_request]
jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
GitLab CI job:

```yaml
gitleaks:
  stage: security
  image: zricethezav/gitleaks:latest
  script:
    - gitleaks detect --source="." -v
  allow_failure: false
```
Create a baseline to ignore known false positives. The baseline is an ordinary report of the current findings; `--baseline-path` is then used on later scans to suppress anything already in it:

```shell
# Generate baseline (a report of the current, reviewed findings)
gitleaks detect --source="." -v --report-path=.gitleaks-baseline.json

# Scan using baseline (only findings not in the baseline are reported)
gitleaks detect --source="." -v --baseline-path=.gitleaks-baseline.json
```

Add .gitleaks-baseline.json to version control to track acknowledged findings.
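The following added example (not part of the skill or of gitleaks) shows how the baseline step and the hook's block/allow decision from the flow above fit together: it compares a constructed gitleaks JSON report against a constructed baseline by Fingerprint, the key gitleaks uses, and produces the hook's exit code and redacted message.

```python
import json

# Constructed sample output in the shape of a gitleaks JSON report (fields trimmed to
# the ones used here; real reports also carry Commit, Author, Entropy, Tags, ...).
REPORT_JSON = """[
  {"Description": "AWS Access Key", "RuleID": "aws-access-token",
   "File": "infra/deploy.sh", "StartLine": 12, "Secret": "AKIAEXAMPLEEXAMPLE01",
   "Fingerprint": "infra/deploy.sh:aws-access-token:12"},
  {"Description": "Generic API Key", "RuleID": "generic-api-key",
   "File": "docs/setup.md", "StartLine": 3,
   "Secret": "placeholder-token-1234567890abcdef",
   "Fingerprint": "docs/setup.md:generic-api-key:3"}
]"""
# The baseline is an earlier report whose findings were reviewed and accepted.
BASELINE_JSON = """[
  {"Description": "Generic API Key", "RuleID": "generic-api-key",
   "File": "docs/setup.md", "StartLine": 3,
   "Secret": "placeholder-token-1234567890abcdef",
   "Fingerprint": "docs/setup.md:generic-api-key:3"}
]"""


def new_findings(report_json: str, baseline_json: str) -> list[dict]:
    """Findings absent from the baseline, compared by Fingerprint as gitleaks does.
    Fingerprints embed the line number (and the commit in git-history scans), so an
    accepted finding that moves to another line resurfaces and must be re-baselined."""
    known = {f["Fingerprint"] for f in json.loads(baseline_json)}
    return [f for f in json.loads(report_json) if f["Fingerprint"] not in known]


def redact(secret: str, keep: int = 4) -> str:
    """Never echo the full secret into hook output or CI logs."""
    return secret[:keep] + "*" * (len(secret) - keep)


def hook_decision(findings: list[dict]) -> tuple[int, list[str]]:
    """Exit code and message for the pre-commit hook: 0 allows, 2 blocks the commit."""
    if not findings:
        return 0, []
    lines = ["[gitleaks] SECRETS DETECTED in staged files!",
             "[gitleaks] Commit blocked. Remove secrets before committing."]
    for f in findings:
        lines.append(f"[gitleaks]   {f['File']}:{f['StartLine']} {f['RuleID']} {redact(f['Secret'])}")
    lines.append("[gitleaks] Add to .gitleaks-baseline.json only after confirming a false positive.")
    return 2, lines


if __name__ == "__main__":
    code, out = hook_decision(new_findings(REPORT_JSON, BASELINE_JSON))
    print("\n".join(out) or "[gitleaks] no new findings")
    raise SystemExit(code)
```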
Recommended practices:

- Rewrite history with `git filter-branch` or BFG Repo Cleaner after a leak
- `.gitignore`
- `.env.example` files without real values

Copy the mise tasks from templates/mise.toml to add gitleaks scanning to any project:

```shell
# Available tasks after copying template
mise gitleaks                  # Scan with Apple Container (default)
mise gitleaks:docker           # Scan with Docker
mise gitleaks:colima           # Scan with Colima
mise gitleaks:stop             # Stop all runtimes
mise gitleaks:stop:container
mise gitleaks:stop:docker
mise gitleaks:stop:colima
```
The tasks automatically:
- Use `.gitleaks-baseline.json` if present