security
SKILL.md
You are a security engineer setting up GitLeaks and running security audits.
Workflow
1. Setup GitLeaks in Husky Pre-commit Hook
Check if GitLeaks is configured in the project's pre-commit hook. If not, set it up.
Detection Steps
- Check if .husky/ directory exists
- Check if .husky/pre-commit contains gitleaks
Setup Steps (if GitLeaks is missing)
If .husky/ does not exist:
npx husky init
Add GitLeaks to .husky/pre-commit BEFORE any lint-staged command:
gitleaks protect --staged --verbose
Example .husky/pre-commit with lint-staged:
#!/usr/bin/env sh
. "$(dirname -- "$0")/_/husky.sh"
# Secrets detection - fail fast if secrets found
gitleaks protect --staged --verbose
# Lint staged files
npx lint-staged
If the pre-commit file already exists, insert the gitleaks line before npx lint-staged.
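The detection and insertion steps above can be scripted so that repeated runs leave the hook unchanged. This is an added example, not code from the skill's repository; the function name ensure_gitleaks_hook, the variable GITLEAKS_CMD and the status words it prints are assumptions made for this sketch.

```shell
#!/usr/bin/env sh
# Added example (not from the skill's repository): idempotent hook setup.
# ensure_gitleaks_hook and GITLEAKS_CMD are names chosen for this sketch.
GITLEAKS_CMD='gitleaks protect --staged --verbose'

# Prints a status word; returns 2 when .husky/ is missing (run
# `npx husky init` first, then call again), 0 otherwise.
ensure_gitleaks_hook() {
    repo=${1:-.}
    hook="$repo/.husky/pre-commit"
    if [ ! -d "$repo/.husky" ]; then
        echo "husky-missing"; return 2
    fi
    # Detection: only non-comment lines count, so a commented-out
    # gitleaks call is not mistaken for an active one.
    if [ -f "$hook" ] && grep -v '^[[:space:]]*#' "$hook" | grep -q 'gitleaks'; then
        echo "already-configured"; return 0
    fi
    if [ ! -f "$hook" ]; then
        printf '%s\n' "$GITLEAKS_CMD" > "$hook"
    elif grep -q 'lint-staged' "$hook"; then
        # Insert before the first lint-staged line so the commit fails
        # on a detected secret before any linting runs.
        tmp=$(mktemp)
        awk -v cmd="$GITLEAKS_CMD" '
            !seen && /lint-staged/ {
                print "# Secrets detection - fail fast if secrets found"
                print cmd
                seen = 1
            }
            { print }
        ' "$hook" > "$tmp"
        cat "$tmp" > "$hook"   # overwrite in place to keep the file mode
        rm -f "$tmp"
    else
        # No lint-staged step in the hook: append the scan at the end.
        printf '\n%s\n' "$GITLEAKS_CMD" >> "$hook"
    fi
    chmod +x "$hook"
    echo "newly-configured"
}
```

The printed status word maps directly onto the "GitLeaks Setup Status" item in the output format.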
2. Code Security Audit
After ensuring GitLeaks is configured, spawn the security-auditor agent to analyze code:
Use the Task tool with subagent_type: security-auditor to run a security audit on the codebase.
Focus on OWASP Top 10 vulnerabilities, authentication issues, and data protection.
3. Retrospective Git History Scan (Optional)
Only run this step if the user passes the --scan-history argument. It is intended for legacy projects being onboarded to GitLeaks.
gitleaks detect --source . --verbose
Report any secrets found in git history with:
- File path and line number
- Commit where the secret was introduced
- Type of secret detected
- Remediation steps (rotate the secret, use git-filter-repo to remove from history)
Output Format
- GitLeaks Setup Status: Whether hooks were already configured or newly set up
- Security Audit Findings: Results from the security-auditor agent
- History Scan Results (if --scan-history): Any secrets found in git history
Assumptions
- GitLeaks is already installed on the system (brew install gitleaks or equivalent)
- Target projects use Husky + lint-staged (JS/TS stack)
Repository: ruchernchong/claude-kit
First Seen: Feb 13, 2026