skills/SecretScan/SKILL.md
Commit-time secret scanning with gitleaks — prevent credentials from entering git history. USE WHEN scanning for leaked secrets, setting up pre-commit hooks, or auditing repositories for credentials.
Install this skill globally with one command (works with Claude Code, Cursor, and Windsurf):

```
npx skillsauth add n4m3z/forge-core SecretScan
```
Prevent secrets from entering git history using gitleaks.
```sh
brew install gitleaks                  # install
gitleaks detect --source . --no-git    # scan the working tree only, no git history
gitleaks detect --source .             # scan the full git history
```
For pre-commit checks where only staged content matters:
```sh
gitleaks protect --source . --staged --no-banner
```
`gitleaks protect` (unlike `detect`) operates on the working-tree diff and is faster than a full scan when integrated into a pre-commit flow.
If the repo has historical secrets that have been rotated, create a baseline so future scans only flag new leaks:
```sh
gitleaks detect --source . --report-path .gitleaks-baseline.json     # record current findings once
gitleaks detect --source . --baseline-path .gitleaks-baseline.json   # later scans ignore those fingerprints
```
Add to `.pre-commit-config.yaml` (as a hook entry):

```yaml
      - id: gitleaks
        name: gitleaks
        entry: gitleaks detect --no-banner --no-git -s .
        language: system
        pass_filenames: false
```
Config file at the project root for allowlists. Use path exclusions, not fingerprints; fingerprints break when line numbers shift:

```toml
[allowlist]
paths = [
  "evals/baselines/.*",
  "tests/fixtures/.*",
]
```
Present findings grouped by severity, never echoing the secret value:

```markdown
## Secret Scan: <repo>
**Mode**: working tree | staged | history
**Findings**: <count>

### Critical (must fix before merge)
- <file>:<line> <rule-id> — short description

### Allowlisted (known safe)
- <file>:<line> <rule-id> — reason

### Recommendation
<fix | baseline | allowlist guidance>
```
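As an added example (not part of this skill and not gitleaks' own code), a Python triage script that reads a gitleaks JSON report, drops findings whose fingerprint is in the baseline, routes allowlisted paths to the "known safe" section, and renders the report format above without ever reading the secret value. The report fields and fingerprint strings follow the shape of gitleaks v8's `--report-path` JSON; the sample report and baseline are constructed, and the path allowlist is applied as an unanchored regex search, which is assumed to mirror gitleaks' own path matching.

```python
import json
import re

# Constructed sample in the shape of a gitleaks v8 JSON report; Secret values are fake placeholders.
SAMPLE_REPORT = json.dumps([
    {"RuleID": "generic-api-key", "Description": "Generic API Key", "File": "src/config.py",
     "StartLine": 12, "Secret": "FAKE-SECRET-1", "Fingerprint": "src/config.py:generic-api-key:12"},
    {"RuleID": "aws-access-token", "Description": "AWS Access Key", "File": "tests/fixtures/creds.json",
     "StartLine": 3, "Secret": "FAKE-SECRET-2", "Fingerprint": "tests/fixtures/creds.json:aws-access-token:3"},
    {"RuleID": "private-key", "Description": "Private Key", "File": "old/key.pem",
     "StartLine": 1, "Secret": "FAKE-SECRET-3", "Fingerprint": "old/key.pem:private-key:1"},
])
# Constructed .gitleaks-baseline.json: findings already reviewed and rotated.
BASELINE = json.dumps([{"Fingerprint": "old/key.pem:private-key:1"}])
ALLOWLIST_PATHS = [r"evals/baselines/.*", r"tests/fixtures/.*"]  # same patterns as the [allowlist] above

def triage(report_json, baseline_json, allow_paths):
    """Split findings into critical and allowlisted; baseline fingerprints are dropped as not new."""
    baseline = {b["Fingerprint"] for b in json.loads(baseline_json)}
    critical, allowlisted = [], []
    for f in json.loads(report_json):
        if f["Fingerprint"] in baseline:
            continue  # same effect as gitleaks --baseline-path
        entry = {"file": f["File"], "line": f["StartLine"], "rule": f["RuleID"], "desc": f["Description"]}
        # Unanchored regex search on the path, mirroring gitleaks' path allowlist (assumption).
        hit = next((p for p in allow_paths if re.search(p, f["File"])), None)
        if hit:
            entry["desc"] = f"path matches allowlist pattern {hit}"
            allowlisted.append(entry)
        else:
            critical.append(entry)
    return critical, allowlisted

def render(repo, mode, critical, allowlisted):
    """Render the skill's report format; the Secret field is never read, so it cannot leak here."""
    out = [f"## Secret Scan: {repo}", f"**Mode**: {mode}",
           f"**Findings**: {len(critical) + len(allowlisted)}", "### Critical (must fix before merge)"]
    out += [f"- {e['file']}:{e['line']} {e['rule']} - {e['desc']}" for e in critical] or ["- none"]
    out.append("### Allowlisted (known safe)")
    out += [f"- {e['file']}:{e['line']} {e['rule']} - {e['desc']}" for e in allowlisted] or ["- none"]
    out.append("### Recommendation")
    out.append("fix: rotate and remove every critical finding before merge" if critical
               else "clean: no new leaks; keep the baseline and allowlist as they are")
    return "\n".join(out)

if __name__ == "__main__":
    crit, allowed = triage(SAMPLE_REPORT, BASELINE, ALLOWLIST_PATHS)
    print(render("forge-core", "working tree", crit, allowed))
```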
- … `.env`, credentials, or API keys — even to private repos
- … (`brew install gitleaks`) and stop — do not partially scan
- … `--no-verify`
- … `--no-verify` for historical secrets that have already been rotated
- … `.env` file that is not in `.gitignore` as a configuration issue