一键导入
secret-detection
Detect secrets in code, git history, and running containers — pre-commit hooks, CI scanning, and incident response for exposed credentials.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Detect secrets in code, git history, and running containers — pre-commit hooks, CI scanning, and incident response for exposed credentials.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Production-grade GitHub Actions workflows — reusable workflows, OIDC cloud auth, caching, matrix builds, and environment protection rules. Use when the user creates, reviews, or debugs CI/CD pipelines in .github/workflows, or asks about GitHub Actions deployment, OIDC authentication, or workflow optimization.
Systematic diagnosis of Kubernetes pod failures — CrashLoopBackOff, OOMKilled, Pending, ImagePullBackOff, and service connectivity issues. Use when the user encounters pods not starting, container restart loops, scheduling failures, or service unreachability in a K8s cluster.
Implement distributed tracing with OpenTelemetry, Tempo/Jaeger — instrumentation, sampling, and trace-to-log correlation. Use when the user asks about distributed tracing, OpenTelemetry setup, span instrumentation, trace propagation, or connecting traces to logs and metrics.
Design reusable React components with compound patterns, controlled/uncontrolled hybrids, typed prop APIs, async state handling, and ARIA accessibility. Use when the user creates, refactors, or reviews React components, or mentions props, hooks, .tsx files, component APIs, or accessible UI patterns.
Apply STRIDE threat modeling to system designs, identify IDOR and authorization vulnerabilities, and build threat matrices for security reviews. Use when the user designs a new system, reviews an architecture, prepares for a security audit, or asks about common API vulnerabilities like IDOR or broken access control.
Secure CI/CD pipelines with keyless signing, OIDC federation, provenance attestations, policy enforcement, and hardened runners.
| name | secret-detection |
| type | skill |
| description | Detect secrets in code, git history, and running containers — pre-commit hooks, CI scanning, and incident response for exposed credentials. |
| related-rules | ["shift-left-policy.md","secret-hygiene.md (infrastructure)"] |
| allowed-tools | Read, Write, Edit, Bash |
Expertise: trufflehog, gitleaks, git-secrets, pre-commit hooks, CI scanning, secret rotation playbook.
When setting up secret scanning pre-commit or in CI, investigating a potential credential leak, or remediating secrets found in git history.
# Install pre-commit
pip install pre-commit
# .pre-commit-config.yaml
repos:
- repo: https://github.com/trufflesecurity/trufflehog
rev: v3.88.0
hooks:
- id: trufflehog
name: TruffleHog — secret scan
entry: trufflehog git file://. --since-commit HEAD --only-verified --fail
language: system
pass_filenames: false
- repo: https://github.com/gitleaks/gitleaks
rev: v8.21.0
hooks:
- id: gitleaks
name: Gitleaks — detect hardcoded secrets
# Install hooks for all team members (add to onboarding docs)
pre-commit install
pre-commit install --hook-type commit-msg
# Run against all files (one-time audit)
pre-commit run trufflehog --all-files
pre-commit run gitleaks --all-files
- name: Scan for secrets (trufflehog)
uses: trufflesecurity/trufflehog@main
with:
path: ./
base: ${{ github.event.repository.default_branch }}
head: HEAD
extra_args: >
--only-verified
--fail
--format json
--json-output trufflehog-results.json
continue-on-error: false # hard fail
- name: Upload results
if: failure()
uses: actions/upload-artifact@v4
with:
name: secret-scan-results
path: trufflehog-results.json
secret-scan:
stage: validate
image: zricethezav/gitleaks:latest
script:
- gitleaks detect
--source .
--config .gitleaks.toml
--redact
--exit-code 1
--report-format json
--report-path gitleaks-report.json
artifacts:
when: on_failure
paths: [gitleaks-report.json]
# .gitleaks.toml
title = "MyProject Gitleaks Config"
[extend]
useDefault = true # use built-in rules + extend
# Custom rule: internal API keys
[[rules]]
id = "internal-api-key"
description = "Internal API Key"
regex = '''MYCOMPANY_API_KEY_[A-Za-z0-9]{32}'''
tags = ["key", "internal"]
# Allowlist: suppress known false positives
[allowlist]
description = "Global allowlist"
regexes = [
'''EXAMPLE_.*''', # example values in docs
'''test_.*_key''', # test fixtures
]
paths = [
'''.gitleaks.toml''', # this file itself
'''tests/fixtures/''', # test data
]
commits = [
"abc123def456" # specific commit with known false positive
]
# Scan all branches and full history
trufflehog git file://. \
--only-verified \
--format json | tee trufflehog-full-audit.json
# Gitleaks: scan full history
gitleaks detect \
--source . \
--log-opts "--all" \
--report-format json \
--report-path gitleaks-full-audit.json
# Summary: count findings by type
cat trufflehog-full-audit.json | jq 'group_by(.DetectorName) | map({type: .[0].DetectorName, count: length})'
# STOP: rotate the secret FIRST, before anything else
# Only after rotation (new secret is active and old one invalid):
# 1. Remove from git history using git-filter-repo (safer than filter-branch)
pip install git-filter-repo
git filter-repo \
--replace-text <(echo 'EXPOSED_SECRET==>REMOVED') \
--force
# 2. Force push (coordinate with team — everyone must re-clone)
git push --force --all
git push --force --tags
# 3. Notify all contributors to re-clone (old clones have the secret in history)
# 4. Check if GitHub/GitLab cached the secret (check forks, PRs, CI logs)
# GitHub: check cached pipelines in CI for the old secret
# GitLab: check CI job logs, pipeline artifacts
# 5. Audit: who may have cloned or cached the repo during exposure window
# Check VCS audit logs for clone events
# 6. File security incident report
# Inline suppression (trufflehog)
SOME_VAR="obviously-not-a-secret" # trufflehog:ignore
# Inline suppression (gitleaks)
SOME_VAR="test-value" # gitleaks:allow
# .gitleaksignore file (commit-hash based)
# Get commit hash of false positive commit:
git log --oneline | grep "Add example config"
# Add to .gitleaksignore:
echo "abc123def456:path/to/file.yaml" >> .gitleaksignore