← 返回 Skills 市场
gitleaks (
shipguard (
Pre-commit config (
Git Security Scanner
作者
Maxime Roy (new.blacc)
· GitHub ↗
· v1.0.1
· MIT-0
256
总下载
1
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install git-security-scanner
功能描述
Unified security scanner that catches leaked secrets, credentials, and code vulnerabilities before they reach your remote. Wraps gitleaks (400+ secret patter...
使用说明 (SKILL.md)
Git Security Scanner
Scan your git repositories for leaked secrets, credentials, and security vulnerabilities in one command. Combines gitleaks (pattern-based secret detection) and shipguard (48+ SAST rules across 7 security layers) into a unified scanner with merged reporting.
What You Get
Two Scanning Engines
| Engine | What it does | Rules |
|---|---|---|
| gitleaks | Pattern-based secret detection across files and git history | 400+ built-in rules, custom .gitleaks.toml support |
| shipguard | Static analysis for secrets, shell injection, code injection, supply chain, config issues | 48+ rules: SEC-001–015, SHELL-001–009, PY-001–012, JS-001–008, GHA-001–005, CFG-001–003, SC-001–006 |
Scanning Modes
| Mode | Command | What it checks |
|---|---|---|
| Quick scan | git-security-scan |
Current working tree |
| Staged only | git-security-scan --staged-only |
Only staged files — for pre-commit hooks |
| Full history | git-security-scan --full-history |
Entire git history — finds secrets in old commits |
| Custom severity | git-security-scan --severity critical |
Filter by minimum severity level |
What It Catches
Secrets (gitleaks + shipguard SEC rules):
- API keys (AWS, GCP, Azure, OpenAI, Anthropic, Stripe, GitHub, Slack, etc.)
- Database connection strings with embedded passwords
- SSH private keys and PEM files
- JWT tokens and session secrets
- Hardcoded passwords in config files
.envfiles accidentally staged- Credentials in comments or docstrings
Code vulnerabilities (shipguard SAST rules):
- Shell command injection (
SHELL-001–009) - Python code injection:
eval(),exec(), unsafe pickle, SQL injection (PY-001–012) - JavaScript injection:
innerHTML,eval(), prototype pollution (JS-001–008) - GitHub Actions injection: script injection, unpinned actions (
GHA-001–005) - Config issues: debug mode in production, permissive CORS, exposed admin routes (
CFG-001–003) - Supply chain: unpinned dependencies, missing lockfiles, unsigned artifacts (
SC-001–006)
Output Formats
| Format | Flag | Use case |
|---|---|---|
| Terminal (default) | --format terminal |
Color-coded findings with severity icons |
| Markdown | --format markdown |
PR comments, documentation, reports |
| JSON | --format json |
CI/CD integration, programmatic analysis |
| SARIF | --format sarif |
GitHub Security tab integration |
Installation
Prerequisites
# macOS
brew install gitleaks
pipx install shipguard # or: pip install shipguard
# Linux
# gitleaks: download from https://github.com/gitleaks/gitleaks/releases
# shipguard:
pipx install shipguard
Install the Skill
clawhub install git-security-scanner
This adds the git-security-scan wrapper script and the skill definition.
Set Up Pre-Commit Hook
git-security-scan --install-hooks
This installs a pre-commit hook in the current repo that runs git-security-scan --staged-only --severity high on every commit. Commits with critical or high severity findings are blocked.
Usage
CLI
# Scan current directory
git-security-scan
# Scan a specific project
git-security-scan /path/to/project
# Pre-commit mode (staged files only, block on high+)
git-security-scan --staged-only --severity high
# Full git history audit
git-security-scan --full-history
# Generate a markdown report
git-security-scan --format markdown --output report.md
# JSON for CI pipelines
git-security-scan --format json --output .security-reports/scan.json
# Skip one engine
git-security-scan --skip-gitleaks # shipguard only
git-security-scan --skip-shipguard # gitleaks only
AI Assistant Prompts
Quick scan:
"Scan this repo for leaked secrets and security vulnerabilities"
Pre-commit setup:
"Set up pre-commit hooks to block secrets before they're committed"
Full history audit:
"Audit the entire git history for any credentials that were ever committed"
Custom rules:
"Add a gitleaks rule to catch hardcoded Proxmox API tokens"
Targeted scan:
"Run shipguard on just the Python files with severity high or above"
Configuration
gitleaks (.gitleaks.toml)
Create in your repo root to add custom secret patterns:
[extend]
useDefault = true
[[rules]]
id = "proxmox-api-token"
description = "Proxmox API Token"
regex = '''PVEAPIToken=[A-Za-z0-9@!]+:[A-Za-z0-9-]+'''
shipguard (.shipguard.yml)
Create in your repo root to configure SAST rules:
severity_threshold: medium
exclude_paths:
- tests/fixtures/
- node_modules/
- "*.min.js"
disable_rules:
- JS-008 # skip specific rule
Pre-commit config (.shipguard-precommit.yml)
Stricter settings for the pre-commit hook:
severity_threshold: high
exclude_paths:
- tests/
- docs/
Report Example
Terminal output:
============================================================
Git Security Scan Report
============================================================
Directory: /home/user/my-project
Timestamp: 2026-03-19T10:30:00Z
Tools: gitleaks (2 findings)
shipguard (3 findings)
Findings: 5 critical: 1 high: 1 medium: 3
🔴 [CRITICAL] aws-access-key-id (gitleaks)
config/settings.py:42
AWS access key ID detected
> AKIAIOSFODNN7EXAMPLE
Fix: Rotate this credential immediately. Remove from git history.
🟠 [HIGH] SEC-003 (shipguard)
src/api.py:18
Hardcoded database password in connection string
> db_url = "postgres://admin:p4ssw0rd@localhost/app"
Fix: Use environment variables instead of hardcoded credentials.
🟡 [MEDIUM] PY-003 (shipguard)
src/utils.py:55
Use of eval() with user-controlled input
> result = eval(user_expression)
Fix: Use ast.literal_eval() or a safe expression parser.
Remediation Workflow
When critical/high findings are detected:
- Rotate the credential — Assume it's compromised if it was ever in git history
- Remove from history —
git filter-repo --invert-paths --path \x3Cfile>or BFG Repo Cleaner - Add to
.gitignore— Prevent re-staging of secret files - Use environment variables — Move secrets to
.env(excluded from git) or a secret manager - Re-scan — Run
git-security-scan --full-historyto confirm the fix
Troubleshooting
| Problem | Fix |
|---|---|
| VirusTotal "suspicious" warning on install | This is a false positive — the skill describes secret patterns and vulnerability types, which triggers pattern detection. Use clawhub install git-security-scanner --force to proceed. Review the SKILL.md yourself to confirm. |
gitleaks not found |
brew install gitleaks (macOS) or download from gitleaks releases |
shipguard not found |
pipx install shipguard or pip install shipguard |
| No findings but secrets exist | Check if .gitleaks.toml or .shipguard.yml is excluding the path. Try --severity low to see all findings. |
| Scan is slow | --full-history scans every commit. Use default mode (working tree only) for quick checks. |
Links
- gitleaks: https://github.com/gitleaks/gitleaks
- shipguard: https://github.com/celstnblacc (part of ai_spec_sec)
- License: MIT-0 (this skill) / Apache 2.0 (source tools)
Built by celstnblacc — gitleaks 8.30.0 + shipguard 0.3.2 (48+ SAST rules, 4 output formats).
安全使用建议
This skill appears to do what it claims, but check a few things before installing: 1) verify how the 'git-security-scan' wrapper is provided — the package contains no install spec or script, so confirm 'clawhub install' actually supplies it or be prepared to run the tools directly; 2) install gitleaks and shipguard from their official sources (GitHub releases / pipx) and verify signatures if available; 3) test the scanner in a disposable repo first because pre-commit hooks will be installed and can block commits; 4) remember scan outputs can include sensitive strings (detected secrets) — treat reports and generated files as sensitive. If any of these points are unclear, request the wrapper code or a full install spec from the skill author before use.
功能分析
Type: OpenClaw Skill
Name: git-security-scanner
Version: 1.0.1
The skill documentation (SKILL.md) contains a troubleshooting section that explicitly instructs users to ignore security warnings (e.g., VirusTotal) and use a '--force' flag for installation, which is a common social engineering tactic to bypass security controls. While the tool's stated purpose is security scanning, the actual implementation code for the 'git-security-scan' wrapper is missing from the bundle, and the primary dependency 'shipguard' is linked to the author's personal repository (celstnblacc), making the instruction to bypass security checks highly concerning.
能力评估
Purpose & Capability
The name/description match the declared dependencies: gitleaks for secret patterns and shipguard (Python) for SAST. Requiring gitleaks and python3 (for shipguard) is expected for this functionality. No unrelated credentials or system-level access are requested.
Instruction Scope
SKILL.md only instructs scanning git working trees/history, installing pre-commit hooks, and creating repo-level config files (.gitleaks.toml, .shipguard.yml). It does not ask the agent to read unrelated system files or environment variables, nor to transmit data to unexpected external endpoints.
Install Mechanism
This is an instruction-only skill with no install spec or code files. SKILL.md suggests running 'clawhub install' which 'adds the git-security-scan wrapper script', but no wrapper or installer is present in the package. The recommended installs for gitleaks (brew/GitHub releases) and shipguard (pipx/pip) are reasonable and from typical sources, but you should verify who provides the wrapper script or whether you must create it yourself.
Credentials
The skill declares no required environment variables or credentials, which is appropriate. It does write repo-local artifacts (pre-commit hook and config files) which are proportional to its stated behavior.
Persistence & Privilege
always:false and user-invocable:false mean it won't be force-enabled. The one persistence-related action is installing a repo pre-commit hook that can block commits on high/critical findings — this is expected behavior but you should be aware it modifies .git/hooks and can affect commit workflows.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install git-security-scanner - 安装完成后,直接呼叫该 Skill 的名称或使用
/git-security-scanner触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
Add troubleshooting section with VirusTotal false positive note
v1.0.0
- Initial release of Git Security Scanner.
- Unified wrapper for gitleaks (400+ secret patterns) and shipguard (48+ SAST rules) for comprehensive security scanning on git repositories.
- Supports quick scans, staged-only scans (for pre-commit), full git history audits, and custom severity filtering.
- Outputs findings in terminal, Markdown, JSON, or SARIF formats for flexible reporting.
- Enables easy installation, pre-commit hook setup, and custom rule configuration.
- Helps detect leaked secrets, credentials, code injection vulnerabilities, and configuration/security issues before pushing code.
元数据
常见问题
Git Security Scanner 是什么?
Unified security scanner that catches leaked secrets, credentials, and code vulnerabilities before they reach your remote. Wraps gitleaks (400+ secret patter... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 256 次。
如何安装 Git Security Scanner?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install git-security-scanner」即可一键安装,无需额外配置。
Git Security Scanner 是免费的吗?
是的,Git Security Scanner 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Git Security Scanner 支持哪些平台?
Git Security Scanner 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Git Security Scanner?
由 Maxime Roy (new.blacc)(@celstnblacc)开发并维护,当前版本 v1.0.1。
推荐 Skills