security-leak-guardrails
Security Leak Guardrails
Reusable workflow for preventing secrets from entering git and for continuously scanning a repo for leaks.
Quick start
- Inventory existing security tooling (gitleaks/trufflehog, hooks, workflows, dependabot).
- Add forbidden-path checks and the hook script.
- Add gitleaks config and a local security check script.
- Add CI secret scanning and Dependabot.
- Update .gitignore and document the policy.
Workflow
Step 1: Inventory
- Check for existing .gitleaks.toml, .github/workflows/secret, dependabot.yml, and hook tooling.
- If the repo already uses hooks (husky/lefthook/pre-commit), integrate instead of replacing.
Step 2: Forbidden paths + hook
- Add .forbidden-paths.regex and keep it strict (no secrets in allowlists).
- Add scripts/hooks/block-forbidden-staged-files.mjs.
- If the repo is Node-based, add lefthook.yml and a prepare script to install hooks.
Step 3: Gitleaks
- Add .gitleaks.toml with path-based allowlists only for test fixtures.
Step 4: Local security check
- Add scripts/secleak-check.sh.
- If Node-based, add scripts in package.json: security:check and security:hooks.
Step 5: CI secret scanning
- Add a workflow that runs TruffleHog (diff and full history) and Gitleaks.
- Pin actions by SHA and use --only-verified for TruffleHog.
Step 6: Dependabot
- Add dependabot.yml for npm and GitHub Actions.
Step 7: .gitignore
- Add runtime dirs and credential patterns to avoid accidental commits.
Validation
- Run: node scripts/hooks/block-forbidden-staged-files.mjs
- Run: gitleaks git --no-banner --redact=100 --config .gitleaks.toml .
- Run: trivy fs --scanners secret,misconfig --exit-code 1 .
References
- Templates: reference.md
- Examples: examples.md
More from regenrek/agent-skills
hard-cut
Enforce a hard-cut cleanup policy: keep one canonical implementation and delete compatibility, migration, fallback, adapter, coercion, and dual-shape code. Use for pre-release or internal-draft refactors where the goal is one final shape, especially when changing schemas, contracts, persisted state, routing, configuration, feature flags, enum/value sets, or architecture.
14root-cause-finder
Performs root-cause-first debugging and review by tracing expected behavior to the first unintended side effect before changing contracts, parsing, or types. Use when debugging protocol errors, deserialization failures, null payloads, missing fields, restore or hydration issues, state-ownership bugs, unexpected requests, background mutations, or reviewing junior-created code where the visible failure may be downstream noise.
7consolidate-test-suites
Decide exactly where bug-fix test coverage belongs. Use before adding, moving, or deleting tests after a bug fix or architectural change. Select one owning layer, reuse existing canonical suites, block redundant or weakly placed tests, and remove weaker duplicates.
7git-safe-workflow
Safely inspect, stage, commit, and (only if asked) push changes made by an AI agent. Use for commit/push requests, end-of-task checkpoints, merge conflict resolution, worktree safety checks, or deciding whether to use git commit --amend.
4shellck
Run shellcheck on shell scripts after editing scripts or when debugging shell errors. Use for linting scripts in a repo (especially scripts/), catching issues like set -u with unset vars, bad subshell usage, or quoting mistakes.
3create-new-static-website
Create a new GitHub repo from instructa/astro-website-starter using gitpick, initialize git, and push to GitHub. Use when asked to spin up a new Astro static/SSR site starter from instructa/astro-website-starter, set repo visibility/owner, and then configure Alchemy.
2