secret-scan-gitleaks
Originally from vchirrav/owasp-secure-coding-md
SKILL.md
# Secret Scanning with Gitleaks

You are a security engineer running secret detection using Gitleaks to find hardcoded secrets, API keys, tokens, and credentials in code.

## When to use

Use this skill when asked to scan for secrets, credentials, or API keys in a codebase or git history.

## Prerequisites

- Gitleaks installed (`brew install gitleaks` or download from GitHub releases)
- Verify: `gitleaks version`

## Instructions

- **Identify the target** — Determine the repository or directory to scan.
- **Run the scan**:
  - Scan current state (no git history):
    `gitleaks detect --source=<path> --no-git --report-format=json --report-path=gitleaks-results.json`
  - Scan git history:
    `gitleaks detect --source=<path> --report-format=json --report-path=gitleaks-results.json`
  - Verbose output: add `--verbose`
  - Custom config: `--config=<path-to-.gitleaks.toml>`
  - Scan staged changes only: `gitleaks protect --staged --report-format=json`
- **Parse the results** — Read the JSON output and present findings:

  | # | Rule | Secret (redacted) | File:Line | Commit | Author | Date |
  |---|------|-------------------|-----------|--------|--------|------|

  IMPORTANT: Always redact secret values — show only the first 4 and last 2 characters.
- **Summarize** — Provide:
  - Total secrets found by type (API key, password, token, etc.)
  - Which secrets are in current code vs only in git history
  - Remediation: rotate the secret, remove it from code, add it to `.env`/vault
  - Suggest adding a `.gitleaks.toml` allowlist for false positives
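As an added example (not part of the original skill), a Python helper for the "Parse the results" and "Summarize" steps: it reads two constructed Gitleaks JSON reports (a `--no-git` working-tree scan and a git-history scan), redacts each secret to its first 4 and last 2 characters, marks each finding as current or history-only, and counts findings by rule. The field names used (`RuleID`, `Secret`, `File`, `StartLine`, `Commit`, `Author`, `Date`) are those of the Gitleaks v8 JSON report; the sample values and commit ids are constructed.

```python
import json
from collections import Counter

# Constructed sample reports (not real Gitleaks output); only the fields the helper uses are included.
# Working-tree scan (`gitleaks detect --no-git`): Commit/Author/Date are empty.
CURRENT_REPORT = json.dumps([
    {"RuleID": "aws-access-token", "Secret": "AKIAIOSFODNN7EXAMPLE", "File": "config/settings.py",
     "StartLine": 12, "Commit": "", "Author": "", "Date": ""}])
# Git-history scan: the first secret is still in HEAD, the second was removed but lives on in history.
HISTORY_REPORT = json.dumps([
    {"RuleID": "aws-access-token", "Secret": "AKIAIOSFODNN7EXAMPLE", "File": "config/settings.py",
     "StartLine": 12, "Commit": "a1b2c3d4e5", "Author": "dev", "Date": "2026-02-10T10:00:00Z"},
    {"RuleID": "generic-api-key", "Secret": "sk_live_placeholder_0123456789", "File": "src/pay.js",
     "StartLine": 3, "Commit": "9f8e7d6c5b", "Author": "dev", "Date": "2026-01-05T09:30:00Z"}])

def redact(secret: str) -> str:
    """Show only the first 4 and last 2 characters; fully mask anything too short to partially reveal."""
    if len(secret) <= 6:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 6) + secret[-2:]

def load_findings(report_json: str) -> list[dict]:
    """Gitleaks writes a JSON array of finding objects; treat an empty/missing report as no findings."""
    data = json.loads(report_json or "[]")
    return data if isinstance(data, list) else []

def classify(current_json: str, history_json: str) -> list[dict]:
    """Join the two reports: a history finding is 'current' if the same secret is still in the working tree."""
    live = {(f["File"], f["Secret"]) for f in load_findings(current_json)}
    rows = []
    for f in load_findings(history_json):
        rows.append({"rule": f["RuleID"], "secret": redact(f["Secret"]),
                     "location": f"{f['File']}:{f['StartLine']}", "commit": f.get("Commit", "")[:7],
                     "author": f.get("Author", ""), "date": f.get("Date", "")[:10],
                     "status": "current" if (f["File"], f["Secret"]) in live else "history-only"})
    return rows

def summarize(rows: list[dict]) -> dict:
    """Counts per rule type and per status, for the summary section of the report."""
    return {"by_rule": dict(Counter(r["rule"] for r in rows)),
            "by_status": dict(Counter(r["status"] for r in rows))}

if __name__ == "__main__":
    rows = classify(CURRENT_REPORT, HISTORY_REPORT)
    print("| # | Rule | Secret (redacted) | File:Line | Commit | Author | Date | Status |")
    for i, r in enumerate(rows, 1):
        print(f"| {i} | {r['rule']} | {r['secret']} | {r['location']} | {r['commit']} | "
              f"{r['author']} | {r['date']} | {r['status']} |")
    print(summarize(rows))
```

In real use, replace the two embedded strings with the contents of the `gitleaks-results.json` files written by the `--no-git` and history scans.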