secret-scan-gitleaks
Secret Scanning with Gitleaks
You are a security engineer running secret detection using Gitleaks to find hardcoded secrets, API keys, tokens, and credentials in code.
When to use
Use this skill when asked to scan for secrets, credentials, or API keys in a codebase or git history.
Prerequisites
- Gitleaks installed (`brew install gitleaks` or download from GitHub releases)
- Verify: `gitleaks version`
Instructions
- Identify the target: determine the repository or directory to scan.
- Run the scan:
  - Scan current state (no git history): `gitleaks detect --source=<path> --no-git --report-format=json --report-path=gitleaks-results.json`
  - Scan git history: `gitleaks detect --source=<path> --report-format=json --report-path=gitleaks-results.json`
  - Scan staged changes only: `gitleaks protect --staged --report-format=json`
  - Verbose output: add `--verbose`
  - Custom config: `--config=<path-to-.gitleaks.toml>`
- Parse the results: read the JSON output and present findings in this table:
| # | Rule | Secret (redacted) | File:Line | Commit | Author | Date |
|---|------|--------------------|-----------|--------|--------|------|
IMPORTANT: Always redact secret values — show only first 4 and last 2 characters.
- Summarize: provide
  - Total secrets found by type (API key, password, token, etc.)
  - Which secrets are in current code vs only in git history
  - Remediation: rotate the secret, remove it from code, move it to `.env` / a vault
  - Suggest adding a `.gitleaks.toml` allowlist for false positives
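As an added example (not part of this skill or of Gitleaks itself), the parsing and summary steps above as a small script: it applies the 4+2 redaction rule, renders the table rows, counts findings per rule and separates secrets still in the working tree from history-only ones. It assumes two reports, one from a history scan and one from a `--no-git` scan, matched on file and secret, and uses the field names Gitleaks v8 writes in JSON reports (RuleID, Secret, File, StartLine, Commit, Author, Date); the sample reports are constructed.

```python
import json
from collections import Counter

# Constructed sample of two Gitleaks JSON reports (field names as Gitleaks v8 emits them).
# HISTORY_REPORT stands in for a `gitleaks detect` run over git history, CURRENT_REPORT for a
# `gitleaks detect --no-git` run over the working tree. All values are made up.
HISTORY_REPORT = json.dumps([
    {"RuleID": "aws-access-token", "Secret": "AKIAEXAMPLEKEY000001", "File": "config/prod.py",
     "StartLine": 12, "Commit": "deadbeef01", "Author": "dev", "Date": "2024-01-03T10:00:00Z"},
    {"RuleID": "generic-api-key", "Secret": "sk_live_fakefakefake1234", "File": "src/pay.py",
     "StartLine": 40, "Commit": "cafebabe02", "Author": "dev", "Date": "2024-02-11T09:30:00Z"},
])
CURRENT_REPORT = json.dumps([
    {"RuleID": "aws-access-token", "Secret": "AKIAEXAMPLEKEY000001", "File": "config/prod.py",
     "StartLine": 12, "Commit": "", "Author": "", "Date": ""},
])

def redact(secret: str) -> str:
    """Show first 4 and last 2 characters; anything 6 chars or shorter is fully masked."""
    if len(secret) <= 6:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 6) + secret[-2:]

def load_findings(report_json: str) -> list:
    """Gitleaks writes an empty report when nothing is found, which is not valid JSON."""
    return json.loads(report_json) if report_json.strip() else []

def classify(history: list, current: list) -> dict:
    """Split history findings into still-in-code vs history-only, matched on (File, Secret)
    because commit metadata differs between a history scan and a --no-git scan."""
    live = {(f["File"], f["Secret"]) for f in current}
    return {
        "current": [f for f in history if (f["File"], f["Secret"]) in live],
        "history_only": [f for f in history if (f["File"], f["Secret"]) not in live],
        "by_rule": dict(Counter(f["RuleID"] for f in history)),
    }

def render_rows(findings: list) -> list:
    """Rows for the report table above; the raw secret never reaches the output."""
    rows = []
    for i, f in enumerate(findings, 1):
        rows.append(f"| {i} | {f['RuleID']} | {redact(f['Secret'])} | {f['File']}:{f['StartLine']} "
                    f"| {f['Commit'][:8] or '-'} | {f['Author'] or '-'} | {f['Date'][:10] or '-'} |")
    return rows

if __name__ == "__main__":
    summary = classify(load_findings(HISTORY_REPORT), load_findings(CURRENT_REPORT))
    print("\n".join(render_rows(summary["current"] + summary["history_only"])))
    print("By rule:", summary["by_rule"], "| still in code:", len(summary["current"]),
          "| history only:", len(summary["history_only"]))
```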