regenrek/secleak-check
skills/secleak-check/SKILL.md
Run or install repo security leak checks with BetterLeaks and Trivy. Use when asked to scan for leaked secrets, vulnerable dependencies, misconfigurations, add secret-leak guardrails, add BetterLeaks, add forbidden-path hooks, or run secleak-check before release.
$ install --global
skillsauthnpx skillsauth add regenrek/agent-skills secleak-checkInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 17, 2026, 5:22 AM117.5s5 files scanned
SKILL.md
- name:
- secleak-check
- description:
- Run or install repo security leak checks with BetterLeaks and Trivy. Use when asked to scan for leaked secrets, vulnerable dependencies, misconfigurations, add secret-leak guardrails, add BetterLeaks, add forbidden-path hooks, or run secleak-check before release.
Secleak Check
Workflow
- Confirm cwd and repo root.
- For a scan request, run the bundled script from this skill, not a target-repo script.
- For a setup request, add repo-local guardrails from
references/guardrails.md. - Quote exact failing tool output, but never print raw secret values.
- If the bundled script is unavailable, use the manual fallback commands below.
Bundled command
Resolve scripts/secleak-check.sh relative to this SKILL.md.
Common installed path:
/Users/kregenrek/.agents/skills/secleak-check/scripts/secleak-check.sh
Manual fallback
betterleaks git --no-banner --redact=100 .
trivy fs --scanners vuln,secret,misconfig --exit-code 1 .
Prefer .betterleaks.toml when present. If only .gitleaks.toml exists, pass --config .gitleaks.toml; BetterLeaks supports it for compatibility.
Reporting
betterleaksfindings are blockers until verified false-positive or remediated.- For historical leaks, report file, line, commit, rule, and fingerprint only.
trivydependency vulnerabilities should be summarized by severity and top fixed versions.- Misconfig findings inside
node_modulesare dependency artifact noise unless that file is built or shipped by the repo.
Guardrail setup
When asked to harden a repo against secret leaks:
- Inventory existing
.betterleaks.toml,.gitleaks.toml, secret-scan workflows, Dependabot, and hook tooling. - Add
.forbidden-paths.regexand a staged-file hook. - Add
.betterleaks.tomlwith path-based filters only for fixtures. - Add repo-local
scripts/secleak-check.shonly when the repo wants a first-class local script. - Add CI secret scanning and Dependabot when GitHub Actions are in scope.
- Update
.gitignorefor runtime dirs, env files, credentials, keys, and infra state.
Templates live in references/guardrails.md; small examples live in references/examples.md.
Related Skills
regenrek/electron-live-test
tools
VerifiedTrustedCommunity
Live-test any Electron desktop app with native-devtools-mcp, Chrome DevTools Protocol, screenshots, OCR, and accessibility tools. Use when the user asks for Electron UI verification, MCP-driven app control, renderer CDP interaction, native desktop automation, screenshots, or OCR-driven checks.
124SKILL.mdUpdated May 28, 2026
regenrek/search-context
testing
VerifiedTrustedCommunity
Find, clone, inspect, and summarize high-quality GitHub reference repositories for coding agents. Use when a user asks for GitHub reference projects, examples, prior art, inspiration, implementation patterns, or includes "$search-context" in a coding prompt.
124SKILL.mdUpdated May 17, 2026
regenrek/package-security-check
development
VerifiedTrustedCommunity
Run a reusable JavaScript supply-chain security baseline with pnpm-first hardening, release-age gating, lifecycle-script controls, exotic dependency checks, CI install checks, and optional incident IOC profiles.
114SKILL.mdUpdated May 13, 2026
regenrek/stage-review
development
VerifiedTrustedCommunity
Stage a finished local feature, run local verification, create a Conventional Commit, then send it through the no-mistakes gated review/fix loop before real upstream push/PR. Use when the user says a feature is done, asks for a professional stage-review flow, wants Codex to git add and commit safely, or wants no-mistakes review/verify/fix before pushing to origin.
114SKILL.mdUpdated May 12, 2026