| name | secret-detection |
| type | skill |
| description | Detect secrets in code, git history, and running containers — pre-commit hooks, CI scanning, and incident response for exposed credentials. |
| related-rules | ["shift-left-policy.md","secret-hygiene.md (infrastructure)"] |
| allowed-tools | Read, Write, Edit, Bash |
Skill: Secret Detection
Expertise: trufflehog, gitleaks, git-secrets, pre-commit hooks, CI scanning, secret rotation playbook.
When to load
When setting up secret scanning pre-commit or in CI, investigating a potential credential leak, or remediating secrets found in git history.
Pre-Commit Hook Setup
pip install pre-commit
repos:
- repo: https://github.com/trufflesecurity/trufflehog
rev: v3.88.0
hooks:
- id: trufflehog
name: TruffleHog — secret scan
entry: trufflehog git file://. --since-commit HEAD --only-verified --fail
language: system
pass_filenames: false
- repo: https://github.com/gitleaks/gitleaks
rev: v8.21.0
hooks:
- id: gitleaks
name: Gitleaks — detect hardcoded secrets
pre-commit install
pre-commit install --hook-type commit-msg
pre-commit run trufflehog --all-files
pre-commit run gitleaks --all-files
CI: trufflehog (GitHub Actions)
- name: Scan for secrets (trufflehog)
uses: trufflesecurity/trufflehog@main
with:
path: ./
base: ${{ github.event.repository.default_branch }}
head: HEAD
extra_args: >
--only-verified
--fail
--format json
--json-output trufflehog-results.json
continue-on-error: false
- name: Upload results
if: failure()
uses: actions/upload-artifact@v4
with:
name: secret-scan-results
path: trufflehog-results.json
CI: gitleaks (GitLab CI)
secret-scan:
stage: validate
image: zricethezav/gitleaks:latest
script:
- gitleaks detect
--source .
--config .gitleaks.toml
--redact
--exit-code 1
--report-format json
--report-path gitleaks-report.json
artifacts:
when: on_failure
paths: [gitleaks-report.json]
gitleaks Configuration (.gitleaks.toml)
title = "MyProject Gitleaks Config"
[extend]
useDefault = true
[[rules]]
id = "internal-api-key"
description = "Internal API Key"
regex = '''MYCOMPANY_API_KEY_[A-Za-z0-9]{32}'''
tags = ["key", "internal"]
[allowlist]
description = "Global allowlist"
regexes = [
'''EXAMPLE_.*''',
'''test_.*_key''',
]
paths = [
'''.gitleaks.toml''',
'''tests/fixtures/''',
]
commits = [
"abc123def456"
]
Full Repo Audit (historical scan)
trufflehog git file://. \
--only-verified \
--format json | tee trufflehog-full-audit.json
gitleaks detect \
--source . \
--log-opts "--all" \
--report-format json \
--report-path gitleaks-full-audit.json
cat trufflehog-full-audit.json | jq 'group_by(.DetectorName) | map({type: .[0].DetectorName, count: length})'
Incident Response: Secret Exposed in Git
pip install git-filter-repo
git filter-repo \
--replace-text <(echo 'EXPOSED_SECRET==>REMOVED') \
--force
git push --force --all
git push --force --tags
False Positive Management
SOME_VAR="obviously-not-a-secret"
SOME_VAR="test-value"
git log --oneline | grep "Add example config"
echo "abc123def456:path/to/file.yaml" >> .gitleaksignore