AgentSkillsCN

security-scanning

Security scanning using gitleaks, PII detection, and secret scanning. Use this skill when the user writes scripts that handle sensitive data, commits code, or sets up security automation. Covers gitleaks configuration, custom PII rules, and pre-commit hooks.

SKILL.md
---
name: security-scanning
description: Security scanning patterns using gitleaks, PII detection, and secret scanning. Use when writing scripts that handle sensitive data, committing code, or setting up security automation. Includes gitleaks configuration, custom PII rules, and pre-commit hooks.
---

Security Scanning

Core Principles

  1. Defense in depth - Multiple checkpoints (pre-commit, pre-push, CI/CD)
  2. Never commit secrets - Use 1Password references or environment variables
  3. Scan before commit - Catch issues early
  4. Custom rules for domain-specific PII - Serial numbers, device IDs, etc.

Tools

gitleaks

  • Scans git history for secrets
  • Configurable rules
  • Pre-commit and pre-push hooks

Custom PII Detection

  • Serial numbers
  • Device identifiers
  • System-specific sensitive data

gitleaks Configuration

Basic Usage

```bash
# Scan current directory
gitleaks detect --source . --config .gitleaks.toml -v

# Scan before commit
gitleaks protect --staged --config .gitleaks.toml -v
```

Configuration File

Location: .gitleaks.toml

```toml
[extend]
# Use default rules
useDefault = true

[allowlist]
# Allowlist specific files/patterns
paths = [
    '''upstream/.*''',  # Upstream repos may contain test secrets
]
```

Custom PII Rules

Serial Number Detection

Add to .gitleaks.toml:

```toml
[[rules]]
id = "macos-serial-number"
description = "macOS Serial Number"
regex = '''\b[A-Z0-9]{12}\b'''
```

Device Identifier Detection

```toml
[[rules]]
id = "device-identifier"
description = "Device Identifier"
regex = '''\b[A-Z0-9]{8}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{12}\b'''
```

Pre-commit Hooks

Setup

```bash
# Install pre-commit
brew install pre-commit

# Install hooks
pre-commit install
```

Configuration

Location: .pre-commit-config.yaml

```yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks
```

Secret Management

1Password Integration

Use 1Password references in config files:

```json
{
  "GITHUB_TOKEN": "op://Development/GitHub/token"
}
```

Then use op run to inject secrets at runtime:

```bash
op run --env-file=.env -- script.sh
```

Environment Variables

Use .envrc with direnv:

```bash
# .envrc
export GITHUB_TOKEN=$(op read "op://Development/GitHub/token")
```

Scanning Workflow

Before Committing

```bash
# Run security scan
task security:scan

# Or directly
gitleaks protect --staged --config .gitleaks.toml -v
```

Before Pushing

Pre-push hook automatically runs gitleaks.

In CI/CD

GitHub Actions workflow runs gitleaks on every push/PR.

Screenshot Handling

OCR and Redaction

```bash
# Analyze screenshots for PII
./scripts/analyze-screenshots.sh

# Redact sensitive information
./scripts/redact-screenshots.sh
```

Best Practices

  1. Move screenshots to data-private-2026/screenshots/
  2. Run OCR analysis before committing
  3. Redact sensitive data (serial numbers, paths, etc.)
  4. Review manually for context-specific sensitive info

Anti-Patterns

❌ Don't Do This

```bash
# Hardcoding secrets
export API_KEY="sk-1234567890abcdef"  # ❌ Never!

# Committing .env files
git add .env  # ❌ Contains secrets

# Ignoring security scans
git commit --no-verify  # ❌ Bypasses hooks
```

✅ Do This Instead

```bash
# Use 1Password references
export API_KEY="op://Development/API/key"  # ✅

# Use .env.example for templates
git add .env.example  # ✅ Safe template

# Always run security scans
task security:scan  # ✅ Before committing
```
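The 1Password section above says config values should be `op://` references resolved at runtime, and the anti-pattern block shows the hardcoded form to avoid. The following added example (my own code, not part of this skill and not the 1Password CLI) is a small check that reads an `.env`-style file and classifies each value as a reference, a shell expansion, a plain setting, or a literal secret, using the same idea gitleaks' `entropy` rule setting relies on: a long, random-looking value is treated as a credential. The sample file, the key and password values, and the entropy threshold of 3.5 bits per character are all constructed assumptions.

```python
"""Flag literal credentials in .env-style files where an op:// reference or a
variable expansion was expected. Added example, not part of this skill or of
the 1Password CLI; the entropy threshold is an assumption."""
import math
import re

# Constructed sample; the API key and password are made-up values, not real credentials.
SAMPLE_ENV = """\
# constructed .env sample
GITHUB_TOKEN=op://Development/GitHub/token
export API_KEY="sk-1234567890abcdef"
LOG_LEVEL=debug
HOME_DIR=${HOME}/work
DB_PASSWORD=hunter2
"""

# op://<vault>/<item>/<field> or op://<vault>/<item>/<section>/<field>
OP_REFERENCE = re.compile(r"^op://[^/\s]+/[^/\s]+/\S+$")
# Variable names that usually hold credentials
SECRET_NAME = re.compile(r"(TOKEN|SECRET|KEY|PASSWORD|PASSWD|CREDENTIAL)", re.IGNORECASE)
ENTROPY_THRESHOLD = 3.5  # assumption, in the range commonly used for gitleaks rules
MIN_SECRET_LEN = 16


def shannon_entropy(s):
    """Bits per character; random-looking strings score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_value(value):
    """Classify one value: reference, expansion, literal-secret, or plain."""
    v = value.strip()
    if len(v) >= 2 and v[0] == v[-1] and v[0] in "\"'":
        v = v[1:-1]  # drop surrounding quotes
    if OP_REFERENCE.match(v):
        return "reference"       # resolved at runtime by `op run` / `op read`
    if v.startswith("${") or v.startswith("$("):
        return "expansion"       # value comes from the environment, not the file
    if len(v) >= MIN_SECRET_LEN and shannon_entropy(v) >= ENTROPY_THRESHOLD:
        return "literal-secret"  # long and random-looking: a hardcoded credential
    return "plain"


def check_env(text):
    """Map each variable name in an .env-style text to a verdict."""
    verdicts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        name, sep, value = line.partition("=")
        if not sep:
            continue
        name = name.strip()
        verdict = classify_value(value)
        # A short literal in a credential-named variable is still a hardcoded secret
        if verdict == "plain" and SECRET_NAME.search(name):
            verdict = "literal-secret"
        verdicts[name] = verdict
    return verdicts


def violations(text):
    """Names that should be op:// references but carry a literal value."""
    return sorted(name for name, v in check_env(text).items() if v == "literal-secret")


if __name__ == "__main__":
    for name, verdict in check_env(SAMPLE_ENV).items():
        print(f"{name:14} {verdict}")
    print("violations:", violations(SAMPLE_ENV))
```

The check deliberately accepts both `op://` references and `$(op read ...)` expansions, so the `.envrc` pattern from the Environment Variables section passes while the hardcoded `API_KEY` from the anti-pattern block is flagged; a low-entropy password in a credential-named variable is flagged by name, since entropy alone misses short passwords.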

Integration with Other Skills

  • bash-scripting: Security scanning scripts
  • systematic-debugging: Troubleshooting scan failures

References

  • .gitleaks.toml - gitleaks configuration
  • .pre-commit-config.yaml - Pre-commit hooks
  • scripts/security-scan.sh - Security scanning script
  • learning/LEARNING_LOG.md#LL-013 - PII detection patterns