regenrek/security-leak-guardrails
skills/security-leak-guardrails/SKILL.md
Sets up secret-leak prevention guardrails with forbidden path checks, gitleaks config, CI secret scanning, and dependency updates. Use when hardening repos against credential leaks or when adding gitleaks, trufflehog, git hooks, or security checks.
$ install --global
skillsauthnpx skillsauth add regenrek/agent-skills security-leak-guardrailsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 13, 2026, 5:48 AM144.4s6 files scanned
SKILL.md
- name:
- security-leak-guardrails
- description:
- Sets up secret-leak prevention guardrails with forbidden path checks, gitleaks config, CI secret scanning, and dependency updates. Use when hardening repos against credential leaks or when adding gitleaks, trufflehog, git hooks, or security checks.
Security Leak Guardrails
Reusable workflow for preventing secrets from entering git and for continuously scanning a repo for leaks.
Quick start
- Inventory existing security tooling (gitleaks/trufflehog, hooks, workflows, dependabot).
- Add forbidden-path checks and the hook script.
- Add gitleaks config and a local security check script.
- Add CI secret scanning and Dependabot.
- Update .gitignore and document the policy.
Workflow
Step 1: Inventory
- Check for existing .gitleaks.toml, .github/workflows/secret, dependabot.yml, and hook tooling.
- If the repo already uses hooks (husky/lefthook/pre-commit), integrate instead of replacing.
Step 2: Forbidden paths + hook
- Add .forbidden-paths.regex and keep it strict (no secrets in allowlists).
- Add scripts/hooks/block-forbidden-staged-files.mjs.
- If the repo is Node-based, add lefthook.yml and a prepare script to install hooks.
Step 3: Gitleaks
- Add .gitleaks.toml with path-based allowlists only for test fixtures.
Step 4: Local security check
- Add scripts/secleak-check.sh.
- If Node-based, add scripts in package.json: security:check and security:hooks.
Step 5: CI secret scanning
- Add a workflow that runs TruffleHog (diff and full history) and Gitleaks.
- Pin actions by SHA and use --only-verified for TruffleHog.
Step 6: Dependabot
- Add dependabot.yml for npm and GitHub Actions.
Step 7: .gitignore
- Add runtime dirs and credential patterns to avoid accidental commits.
Validation
- Run: node scripts/hooks/block-forbidden-staged-files.mjs
- Run: gitleaks git --no-banner --redact=100 --config .gitleaks.toml .
- Run: trivy fs --scanners secret,misconfig --exit-code 1 .
References
- Templates: reference.md
- Examples: examples.md
Related Skills
regenrek/electron-live-test
tools
VerifiedTrustedCommunity
Live-test any Electron desktop app with native-devtools-mcp, Chrome DevTools Protocol, screenshots, OCR, and accessibility tools. Use when the user asks for Electron UI verification, MCP-driven app control, renderer CDP interaction, native desktop automation, screenshots, or OCR-driven checks.
124SKILL.mdUpdated May 28, 2026
regenrek/search-context
testing
VerifiedTrustedCommunity
Find, clone, inspect, and summarize high-quality GitHub reference repositories for coding agents. Use when a user asks for GitHub reference projects, examples, prior art, inspiration, implementation patterns, or includes "$search-context" in a coding prompt.
124SKILL.mdUpdated May 17, 2026
regenrek/secleak-check
testing
VerifiedTrustedCommunity
Run or install repo security leak checks with BetterLeaks and Trivy. Use when asked to scan for leaked secrets, vulnerable dependencies, misconfigurations, add secret-leak guardrails, add BetterLeaks, add forbidden-path hooks, or run secleak-check before release.
114SKILL.mdUpdated May 17, 2026
regenrek/package-security-check
development
VerifiedTrustedCommunity
Run a reusable JavaScript supply-chain security baseline with pnpm-first hardening, release-age gating, lifecycle-script controls, exotic dependency checks, CI install checks, and optional incident IOC profiles.
114SKILL.mdUpdated May 13, 2026