Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

sawrus/secret-detection

Name: secret-detection
Author: sawrus

areas/devops/devsecops/skills/secret-detection/SKILL.md

npx skillsauth add sawrus/agent-guides secret-detection

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Skill: Secret Detection

Expertise: trufflehog, gitleaks, git-secrets, pre-commit hooks, CI scanning, secret rotation playbook.

When to load

When setting up secret scanning pre-commit or in CI, investigating a potential credential leak, or remediating secrets found in git history.

Pre-Commit Hook Setup

# Install pre-commit
pip install pre-commit

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/trufflesecurity/trufflehog
    rev: v3.88.0
    hooks:
      - id: trufflehog
        name: TruffleHog — secret scan
        entry: trufflehog git file://. --since-commit HEAD --only-verified --fail
        language: system
        pass_filenames: false

  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.21.0
    hooks:
      - id: gitleaks
        name: Gitleaks — detect hardcoded secrets

# Install hooks for all team members (add to onboarding docs)
pre-commit install
pre-commit install --hook-type commit-msg

# Run against all files (one-time audit)
pre-commit run trufflehog --all-files
pre-commit run gitleaks --all-files

CI: trufflehog (GitHub Actions)

- name: Scan for secrets (trufflehog)
  uses: trufflesecurity/trufflehog@main
  with:
    path: ./
    base: ${{ github.event.repository.default_branch }}
    head: HEAD
    extra_args: >
      --only-verified
      --fail
      --format json
      --json-output trufflehog-results.json
  continue-on-error: false    # hard fail

- name: Upload results
  if: failure()
  uses: actions/upload-artifact@v4
  with:
    name: secret-scan-results
    path: trufflehog-results.json

CI: gitleaks (GitLab CI)

secret-scan:
  stage: validate
  image: zricethezav/gitleaks:latest
  script:
    - gitleaks detect
        --source .
        --config .gitleaks.toml
        --redact
        --exit-code 1
        --report-format json
        --report-path gitleaks-report.json
  artifacts:
    when: on_failure
    paths: [gitleaks-report.json]

gitleaks Configuration (.gitleaks.toml)

# .gitleaks.toml
title = "MyProject Gitleaks Config"

[extend]
useDefault = true   # use built-in rules + extend

# Custom rule: internal API keys
[[rules]]
id = "internal-api-key"
description = "Internal API Key"
regex = '''MYCOMPANY_API_KEY_[A-Za-z0-9]{32}'''
tags = ["key", "internal"]

# Allowlist: suppress known false positives
[allowlist]
description = "Global allowlist"
regexes = [
  '''EXAMPLE_.*''',       # example values in docs
  '''test_.*_key''',      # test fixtures
]
paths = [
  '''.gitleaks.toml''',   # this file itself
  '''tests/fixtures/''',  # test data
]
commits = [
  "abc123def456"          # specific commit with known false positive
]

Full Repo Audit (historical scan)

# Scan all branches and full history
trufflehog git file://. \
  --only-verified \
  --format json | tee trufflehog-full-audit.json

# Gitleaks: scan full history
gitleaks detect \
  --source . \
  --log-opts "--all" \
  --report-format json \
  --report-path gitleaks-full-audit.json

# Summary: count findings by type
cat trufflehog-full-audit.json | jq 'group_by(.DetectorName) | map({type: .[0].DetectorName, count: length})'

Incident Response: Secret Exposed in Git

# STOP: rotate the secret FIRST, before anything else
# Only after rotation (new secret is active and old one invalid):

# 1. Remove from git history using git-filter-repo (safer than filter-branch)
pip install git-filter-repo

git filter-repo \
  --replace-text <(echo 'EXPOSED_SECRET==>REMOVED') \
  --force

# 2. Force push (coordinate with team — everyone must re-clone)
git push --force --all
git push --force --tags

# 3. Notify all contributors to re-clone (old clones have the secret in history)

# 4. Check if GitHub/GitLab cached the secret (check forks, PRs, CI logs)
# GitHub: check cached pipelines in CI for the old secret
# GitLab: check CI job logs, pipeline artifacts

# 5. Audit: who may have cloned or cached the repo during exposure window
# Check VCS audit logs for clone events

# 6. File security incident report

False Positive Management

# Inline suppression (trufflehog)
SOME_VAR="obviously-not-a-secret"  # trufflehog:ignore

# Inline suppression (gitleaks)
SOME_VAR="test-value"  # gitleaks:allow

# .gitleaksignore file (commit-hash based)
# Get commit hash of false positive commit:
git log --oneline | grep "Add example config"
# Add to .gitleaksignore:
echo "abc123def456:path/to/file.yaml" >> .gitleaksignore

sawrus/secret-detection

areas/devops/devsecops/skills/secret-detection/SKILL.md

Detect secrets in code, git history, and running containers — pre-commit hooks, CI scanning, and incident response for exposed credentials.

12 stars

development

Updated Apr 18, 2026

$ install --global

skillsauth

npx skillsauth add sawrus/agent-guides secret-detection

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 24, 2026, 9:04 PM1.8s1 file scanned

SKILL.md

name:: secret-detection
type:: skill
description:: Detect secrets in code, git history, and running containers — pre-commit hooks, CI scanning, and incident response for exposed credentials.
allowed-tools:: Read, Write, Edit, Bash

Skill: Secret Detection

Expertise: trufflehog, gitleaks, git-secrets, pre-commit hooks, CI scanning, secret rotation playbook.

When to load

When setting up secret scanning pre-commit or in CI, investigating a potential credential leak, or remediating secrets found in git history.

Pre-Commit Hook Setup

# Install pre-commit
pip install pre-commit

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/trufflesecurity/trufflehog
    rev: v3.88.0
    hooks:
      - id: trufflehog
        name: TruffleHog — secret scan
        entry: trufflehog git file://. --since-commit HEAD --only-verified --fail
        language: system
        pass_filenames: false

  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.21.0
    hooks:
      - id: gitleaks
        name: Gitleaks — detect hardcoded secrets

# Install hooks for all team members (add to onboarding docs)
pre-commit install
pre-commit install --hook-type commit-msg

# Run against all files (one-time audit)
pre-commit run trufflehog --all-files
pre-commit run gitleaks --all-files

CI: trufflehog (GitHub Actions)

- name: Scan for secrets (trufflehog)
  uses: trufflesecurity/trufflehog@main
  with:
    path: ./
    base: ${{ github.event.repository.default_branch }}
    head: HEAD
    extra_args: >
      --only-verified
      --fail
      --format json
      --json-output trufflehog-results.json
  continue-on-error: false    # hard fail

- name: Upload results
  if: failure()
  uses: actions/upload-artifact@v4
  with:
    name: secret-scan-results
    path: trufflehog-results.json

CI: gitleaks (GitLab CI)

secret-scan:
  stage: validate
  image: zricethezav/gitleaks:latest
  script:
    - gitleaks detect
        --source .
        --config .gitleaks.toml
        --redact
        --exit-code 1
        --report-format json
        --report-path gitleaks-report.json
  artifacts:
    when: on_failure
    paths: [gitleaks-report.json]

gitleaks Configuration (.gitleaks.toml)

# .gitleaks.toml
title = "MyProject Gitleaks Config"

[extend]
useDefault = true   # use built-in rules + extend

# Custom rule: internal API keys
[[rules]]
id = "internal-api-key"
description = "Internal API Key"
regex = '''MYCOMPANY_API_KEY_[A-Za-z0-9]{32}'''
tags = ["key", "internal"]

# Allowlist: suppress known false positives
[allowlist]
description = "Global allowlist"
regexes = [
  '''EXAMPLE_.*''',       # example values in docs
  '''test_.*_key''',      # test fixtures
]
paths = [
  '''.gitleaks.toml''',   # this file itself
  '''tests/fixtures/''',  # test data
]
commits = [
  "abc123def456"          # specific commit with known false positive
]

Full Repo Audit (historical scan)

# Scan all branches and full history
trufflehog git file://. \
  --only-verified \
  --format json | tee trufflehog-full-audit.json

# Gitleaks: scan full history
gitleaks detect \
  --source . \
  --log-opts "--all" \
  --report-format json \
  --report-path gitleaks-full-audit.json

# Summary: count findings by type
cat trufflehog-full-audit.json | jq 'group_by(.DetectorName) | map({type: .[0].DetectorName, count: length})'

Incident Response: Secret Exposed in Git

# STOP: rotate the secret FIRST, before anything else
# Only after rotation (new secret is active and old one invalid):

# 1. Remove from git history using git-filter-repo (safer than filter-branch)
pip install git-filter-repo

git filter-repo \
  --replace-text <(echo 'EXPOSED_SECRET==>REMOVED') \
  --force

# 2. Force push (coordinate with team — everyone must re-clone)
git push --force --all
git push --force --tags

# 3. Notify all contributors to re-clone (old clones have the secret in history)

# 4. Check if GitHub/GitLab cached the secret (check forks, PRs, CI logs)
# GitHub: check cached pipelines in CI for the old secret
# GitLab: check CI job logs, pipeline artifacts

# 5. Audit: who may have cloned or cached the repo during exposure window
# Check VCS audit logs for clone events

# 6. File security incident report

False Positive Management

# Inline suppression (trufflehog)
SOME_VAR="obviously-not-a-secret"  # trufflehog:ignore

# Inline suppression (gitleaks)
SOME_VAR="test-value"  # gitleaks:allow

# .gitleaksignore file (commit-hash based)
# Get commit hash of false positive commit:
git log --oneline | grep "Add example config"
# Add to .gitleaksignore:
echo "abc123def456:path/to/file.yaml" >> .gitleaksignore

Related Skills

sawrus/qa_expert

testing

VerifiedTrustedCommunity

QA Expert for writing E2E tests, test scenarios, test plans, and ensuring test coverage quality.

12SKILL.mdUpdated Apr 18, 2026

sawrus/design_expert

development

VerifiedTrustedCommunity

Expert UI/UX design intelligence for creating distinctive, high-craft, and mobile-first interfaces. Focuses on premium aesthetics, touch-first ergonomics, and Flutter performance.

12SKILL.mdUpdated Apr 18, 2026

sawrus/code_review_expert

development

VerifiedTrustedCommunity

Code Review Expert for static analysis, security auditing, architecture review, and ensuring code quality standards.

12SKILL.mdUpdated Apr 18, 2026

sawrus/code_review_expert

sawrus/babysit-pr

development

VerifiedTrustedCommunity

Babysit a GitHub pull request after creation by continuously polling review comments, CI checks/workflow runs, and mergeability state until the PR is merged/closed or user help is required. Diagnose failures, retry likely flaky failures up to 3 times, auto-fix/push branch-related issues when appropriate, and keep watching open PRs so fresh review feedback is surfaced promptly. Use when the user asks Codex to monitor a PR, watch CI, handle review comments, or keep an eye on failures and feedback on an open PR.

12SKILL.mdUpdated Apr 18, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/sawrus/agent-guides.git

# Copy into Claude Code skills folder (global)
cp -r agent-guides/areas/devops/devsecops/skills/secret-detection ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

sawrus/agent-guides

12 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT