shipshitdev/git-safety
bundles/github/skills/git-safety/SKILL.md
Git history secret scan.
$ install --global
skillsauthnpx skillsauth add shipshitdev/library git-safetyInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 4, 2026, 6:41 AM360.9s3 files scanned
SKILL.md
- name:
- git-safety
- description:
- Git history secret scan.
- version:
- 1.0.0
- tags:
- git, security, secrets
Git Safety Skill
Comprehensive security scanning, cleaning, and prevention for git repositories.
Contract
Inputs:
- Repository root
- Mode: scan, prevent, clean, or full
- Optional leaked path, secret pattern, or affected ref range
Outputs:
- Sensitive file/history findings
- Rotation and remediation checklist
- Commands required for prevention or history cleanup
Creates/Modifies:
- Scan mode: no file changes
- Prevent mode:
.gitignoreand optional hook updates - Clean mode: rewritten git history only after explicit confirmation
External Side Effects:
- May force-push rewritten history in clean mode
- May require credential rotation outside the repository
Confirmation Required:
- Before history rewriting
- Before force-pushing
- Before changing hooks or ignore rules in shared repos
Delegates To:
security-auditfor broader application-security reviewopen-source-checkerbefore publishing a private repo
CRITICAL WARNING
Removing secrets from git history does NOT make them safe!
Even after cleaning git history:
- GitHub is scraped by bots within seconds of a push
- Archive services may have captured snapshots
- Forks retain the original history
- CI/CD logs may contain the values
ALWAYS rotate leaked credentials immediately. Cleaning history is NOT enough.
Modes of Operation
1. /git-safety scan - Detect Sensitive Files
Scan repository for sensitive files in current state and git history.
2. /git-safety clean - Remove from History
Remove sensitive files using git-filter-repo or BFG.
3. /git-safety prevent - Set Up Prevention
Configure .gitignore and pre-commit hooks.
4. /git-safety full - Complete Audit
Run all three operations in sequence.
Sensitive File Patterns
.env, .env.*, credentials.json, service-account*.json
*.pem, *.key, id_rsa*, secrets.*, .npmrc, *.secret
Quick Commands
Scan for sensitive files in history:
git log --all --pretty=format: --name-only --diff-filter=A | sort -u | grep -iE 'env|secret|credential|key'
Remove .env from all history:
git filter-repo --path .env --invert-paths --force
git push origin --force --all
Add to .gitignore:
echo -e "\n.env\n.env.*\n*.pem\n*.key\ncredentials.json" >> .gitignore
Emergency Response
If you've leaked credentials:
- IMMEDIATELY rotate the credential
- Check access logs
- Run
/git-safety clean - Force push cleaned history
- Notify team to re-clone
- Update .gitignore
- Set up pre-commit hooks
For complete scan commands, cleaning process with git-filter-repo/BFG, pre-commit hook setup, .gitignore templates, platform-specific guidance, and detailed emergency checklist, see: references/full-guide.md
Related Skills
shipshitdev/execution-validator
testing
VerifiedTrustedCommunity
Use this skill when users need to validate a launch plan, assess MVP scope, or determine if they're ready to execute. Activates for "validate my plan," "am I ready to launch," "is my scope too big," or when assessing action readiness.
24SKILL.mdUpdated Jun 4, 2026
shipshitdev/execution-accelerator
testing
VerifiedTrustedCommunity
Use this skill when users are stuck on a decision, overthinking, experiencing analysis paralysis, or need to ship faster. Activates for "should I wait," "I can't decide," "I'm overthinking," or when speed is critical and perfectionism is the enemy.
24SKILL.mdUpdated Jun 4, 2026
shipshitdev/early-hiring-advisor
development
VerifiedTrustedCommunity
Use this skill when users need to make early hires, build their founding team, determine compensation/equity, decide who to hire first, or scale from founders to first employees. Activates for "who should I hire first," "early hiring," "equity for employees," or team building questions.
24SKILL.mdUpdated Jun 4, 2026
shipshitdev/constraint-eliminator
data-ai
VerifiedTrustedCommunity
Use this skill when users need to remove customer friction, improve customer success, handle objections, design guarantees, or eliminate obstacles between customers and results. Activates for customer success issues, objection handling, or "customers can't get results" problems.
24SKILL.mdUpdated Jun 4, 2026