← Back to Skills Marketplace
Git Secrets Scanner
by
Guohongbin
· GitHub ↗
· v1.0.0
1477
Downloads
0
Stars
11
Active Installs
1
Versions
Install in OpenClaw
/install git-secrets-scanner
Description
Git 安全扫描器 - 检查提交中的敏感信息泄露(API keys、密码、token)
README (SKILL.md)
Git 安全扫描器
检查提交中的敏感信息泄露。
工具对比
| 工具 | Stars | 特点 |
|---|---|---|
| Gitleaks | 24,958 | 最流行,Go 编写,快速 |
| TruffleHog | 24,612 | 验证 secrets,支持多种格式 |
| git-secrets | 13,173 | AWS 官方,pre-commit hook |
安装
Gitleaks(推荐)
# macOS
brew install gitleaks
# Linux
# 从 https://github.com/gitleaks/gitleaks/releases 下载
# 或使用 Go
go install github.com/gitleaks/gitleaks/v8@latest
TruffleHog
# macOS
brew install trufflehog
# Linux
# 从 https://github.com/trufflesecurity/trufflehog/releases 下载
# 或使用 Docker
docker pull trufflesecurity/trufflehog:latest
git-secrets
# macOS
brew install git-secrets
# Linux
git clone https://github.com/awslabs/git-secrets.git
cd git-secrets
sudo make install
使用方法
1. 扫描当前仓库
# Gitleaks
gitleaks detect --source . -v
# TruffleHog
trufflehog git file://. --only-verified
# git-secrets(需要先设置 hook)
git secrets --scan-history
2. 扫描特定提交
# Gitleaks
gitleaks detect --source . --log-opts="HEAD~1..HEAD"
# TruffleHog
trufflehog git file://. --commit=HEAD
3. 扫描所有历史
# Gitleaks
gitleaks detect --source . --log-opts="--all"
# TruffleHog
trufflehog git file://. --no-deletion
4. 设置 pre-commit hook
# git-secrets
cd your-repo
git secrets --install
git secrets --register-aws
5. CI/CD 集成
# .github/workflows/security.yml
name: Security Scan
on: [push, pull_request]
jobs:
gitleaks:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
检测的内容
API Keys
- AWS Access Keys
- GitHub Tokens
- Slack Tokens
- Stripe Keys
- Moltbook API Keys ✨
密码
- 数据库密码
- SMTP 密码
- SSH 密钥
Token
- OAuth Tokens
- JWT Tokens
- Bearer Tokens
其他
- 私钥
- 证书
- .env 文件
输出示例
Finding: moltbook_sk_jX64MWE_yirqMSihBqb2B7slL64EygBt
Secret: moltbook_sk_jX64MWE_yirqMSihBqb2B7slL64EygBt
RuleID: generic-api-key
Entropy: 4.562345
File: memory/moltbook-art-of-focus-post.md
Line: 45
Commit: abc1234
Author: [email protected]
Date: 2026-02-19T03:11:00Z
Fingerprint: abc123...
最佳实践
1. 提交前扫描
# 添加到 .git/hooks/pre-commit
#!/bin/bash
gitleaks protect --staged
2. 定期扫描
# 每周扫描
crontab -e
0 0 * * 0 cd /path/to/repo && gitleaks detect --source .
3. 扫描多个仓库
#!/bin/bash
for repo in ~/projects/*; do
echo "Scanning $repo..."
gitleaks detect --source "$repo" -v
done
修复泄露的 Secret
如果发现泄露:
- 立即撤销 - 重新生成 API key
- 删除历史 - 从 git 历史中删除敏感信息
- 强制推送 -
git push --force(谨慎使用) - 通知团队 - 告知其他开发者
使用 BFG 清理历史
# 安装 BFG
brew install bfg
# 清理敏感文件
bfg --delete-files .env
# 清理敏感字符串
bfg --replace-text passwords.txt
# 强制推送
git push --force
配置文件
.gitleaks.toml
title = "Custom Gitleaks Config"
[extend]
useDefault = true
[[rules]]
id = "moltbook-api-key"
description = "Moltbook API Key"
regex = '''moltbook_sk_[a-zA-Z0-9]{32}'''
tags = ["api-key", "moltbook"]
[allowlist]
paths = [
'''example\.txt''',
'''test/.*'''
]
注意事项
- False Positives - 扫描器可能误报
- 熵值 - 高熵值可能是敏感信息
- 上下文 - 检查是否真的敏感
- 验证 - TruffleHog 可以验证 secret 是否有效
版本: 1.0.0 工具: Gitleaks, TruffleHog, git-secrets
Usage Guidance
This guide appears coherent and uses well-known tools, but be cautious before following destructive steps: back up repositories before rewriting history or running BFG and be careful with `git push --force`. When enabling pre-commit hooks review the hook scripts first. If you enable CI scans, give tokens (e.g., GITHUB_TOKEN) least privilege. Note that TruffleHog's validation may contact external services — if that is a concern, disable validation or run scans offline. Finally, install the recommended tools from their official project pages (not from random mirrors) and avoid running unknown install scripts as root.
Capability Analysis
Type: OpenClaw Skill
Name: git-secrets-scanner
Version: 1.0.0
The skill bundle is designed for a legitimate security purpose: scanning Git repositories for leaked secrets. However, the `SKILL.md` file includes instructions for powerful and potentially destructive commands like `bfg` and `git push --force` to remediate secret leaks. While these commands are legitimate tools for their stated purpose, their inclusion represents a significant risk if an AI agent were to execute them without explicit user confirmation and robust safeguards, potentially leading to irreversible data loss or repository corruption. This constitutes a risky capability without clear malicious intent, classifying it as suspicious rather than malicious.
Capability Assessment
Purpose & Capability
Name/description, required binaries (git), and the instructions all center on scanning git repositories for secrets using gitleaks/trufflehog/git-secrets. There are no unrelated required env vars, binaries, or config paths.
Instruction Scope
SKILL.md stays on-topic (how to install and run scanners, pre-commit hooks, CI integration, history cleanup). It also includes potentially destructive but relevant guidance (BFG, git history rewriting, and `git push --force`) and a sample script for scanning multiple repos or scheduling scans which could access many repositories — these are within scope but carry operational risk. The doc mentions TruffleHog 'validation' (which can contact external services to verify secrets); users should be aware validation may send candidates to remote endpoints.
Install Mechanism
This is instruction-only (no install spec). The doc recommends installing tools via official channels (Homebrew, GitHub releases, Go install, Docker, or building from the tools' repos). No opaque download URLs or archive extraction from unknown hosts are suggested by the skill itself.
Credentials
The skill declares no required environment variables or credentials. The CI example uses GITHUB_TOKEN (normal for GitHub Actions) and git-secrets--register-aws is suggested (which configures rules rather than requiring AWS credentials). Overall requested access is proportional to scanning tasks.
Persistence & Privilege
always:false and user-invocable:true (no forced persistent presence). There is no attempt to modify other skills or system-wide agent settings in the instructions.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install git-secrets-scanner - After installation, invoke the skill by name or use
/git-secrets-scanner - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release - Detect API keys and secrets in git commits
Metadata
Frequently Asked Questions
What is Git Secrets Scanner?
Git 安全扫描器 - 检查提交中的敏感信息泄露(API keys、密码、token). It is an AI Agent Skill for Claude Code / OpenClaw, with 1477 downloads so far.
How do I install Git Secrets Scanner?
Run "/install git-secrets-scanner" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Git Secrets Scanner free?
Yes, Git Secrets Scanner is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Git Secrets Scanner support?
Git Secrets Scanner is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Git Secrets Scanner?
It is built and maintained by Guohongbin (@guohongbin-git); the current version is v1.0.0.
More Skills