offensive-tools/cloud/gitleaks/SKILL.md
Detect hardcoded secrets (API keys, tokens, credentials) in git repos and files. Use when auditing source code, CI pipelines, or commit history for leaked secrets in red-team or pre-engagement recon.
Detect hardcoded secrets in git repos, files, and CI pipelines.
```bash
# Scan current git repo
gitleaks detect --source . -v

# Scan a remote repo (clone it, then scan the local copy)
git clone https://github.com/org/repo repo
gitleaks detect --source repo

# Scan specific path (non-git)
gitleaks detect --source /path/to/dir --no-git

# Generate report
gitleaks detect --source . -r report.json -f json
```
| Command / Flag | Purpose |
|------|---------|
| detect | Scan for secrets |
| protect | Pre-commit hook mode |
| --source PATH | Target path or URL |
| --no-git | Scan filesystem (not git history) |
| -r FILE | Report output file |
| -f FORMAT | Output format (json/csv/sarif) |
| -v | Verbose |
| --config FILE | Custom rules config |
| --branch NAME | Scan specific branch |
| --log-opts | Git log options (e.g. --all) |
Full history scan:

```bash
gitleaks detect --source . --log-opts="--all" -r leaks.json -f json
```

CI pipeline integration (fail on leak):

```bash
gitleaks detect --source . --exit-code 1
```

Custom rule for internal tokens:

```toml
# .gitleaks.toml
[[rules]]
id = "internal-api-key"
regex = '''MYAPP_[A-Z0-9]{32}'''
```
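A full history scan reports the same secret once per commit that touched it, so the JSON report is easier to act on when collapsed to one entry per unique secret. The following is an added example, not part of the original skill or the gitleaks project: it groups findings by rule and by a SHA-256 prefix of the secret, so the summary never contains the secret itself. The sample report is constructed with fake values; the field names (`RuleID`, `Secret`, `File`, `StartLine`, `Commit`, `Date`) are those of the gitleaks JSON report.

```python
import hashlib
import json
from collections import defaultdict

# Constructed sample in the shape of a gitleaks JSON report (-f json); all values are fake.
SAMPLE_REPORT = json.dumps([
    {"RuleID": "internal-api-key", "Secret": "MYAPP_" + "A1B2C3D4" * 4,
     "File": "config/prod.env", "StartLine": 3, "Commit": "1111111", "Date": "2024-01-05T10:00:00Z"},
    {"RuleID": "internal-api-key", "Secret": "MYAPP_" + "A1B2C3D4" * 4,
     "File": "config/prod.env", "StartLine": 3, "Commit": "2222222", "Date": "2024-02-01T09:30:00Z"},
    {"RuleID": "generic-api-key", "Secret": "constructed-example-value",
     "File": "scripts/deploy.sh", "StartLine": 12, "Commit": "3333333", "Date": "2024-03-10T14:00:00Z"},
])


def triage(report_text):
    """Collapse per-commit findings into one entry per unique secret."""
    groups = defaultdict(lambda: {"commits": [], "files": set()})
    for finding in json.loads(report_text):
        # Key on a digest so the secret itself never reaches the summary.
        digest = hashlib.sha256(finding["Secret"].encode()).hexdigest()[:12]
        entry = groups[(finding["RuleID"], digest)]
        # Commit and Date are empty strings for --no-git scans.
        entry["commits"].append((finding.get("Date", ""), finding.get("Commit", "")))
        entry["files"].add(f'{finding["File"]}:{finding.get("StartLine", "?")}')
    summary = []
    for (rule_id, digest), entry in groups.items():
        commits = sorted(entry["commits"])  # ISO 8601 dates sort chronologically
        summary.append({
            "rule": rule_id,
            "secret_sha256_prefix": digest,
            "occurrences": len(commits),
            "first_seen": commits[0],
            "last_seen": commits[-1],
            "files": sorted(entry["files"]),
        })
    # Most widespread secrets first: they need rotation and history review soonest.
    return sorted(summary, key=lambda s: (-s["occurrences"], s["rule"]))


if __name__ == "__main__":
    # Replace SAMPLE_REPORT with open("leaks.json").read() to triage a real report.
    for item in triage(SAMPLE_REPORT):
        print(json.dumps(item))
```
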
| File | When to load |
|------|--------------|
| references/ | Custom rule examples and CI config |