Security Scanning
Core Principles
- Defense in depth - multiple checkpoints (pre-commit, pre-push, CI/CD)
- Never commit secrets - use 1Password references or environment variables
- Scan before commit - catch issues early, before they enter history
- Custom rules for domain-specific PII - serial numbers, device IDs, etc.
Tools
gitleaks
- Scans git history and staged changes for secrets
- Configurable rules
- Pre-commit and pre-push hooks
Custom PII Detection
- Serial numbers
- Device identifiers
- System-specific sensitive data
gitleaks Configuration
Basic Usage
```bash
# Scan the repository, including its git history
gitleaks detect --source . --config .gitleaks.toml -v

# Scan only the staged changes before committing
gitleaks protect --staged --config .gitleaks.toml -v
```
Configuration File
Location: .gitleaks.toml
```toml
[extend]
# Use default rules
useDefault = true

[allowlist]
# Allowlist specific files/patterns
paths = [
  '''upstream/.*''', # Upstream repos may contain test secrets
]
```
Custom PII Rules
Serial Number Detection
Add to .gitleaks.toml:

```toml
[[rules]]
id = "macos-serial-number"
description = "macOS Serial Number"
regex = '''\b[A-Z0-9]{12}\b'''
```

This pattern matches any word-bounded run of 12 uppercase letters or digits, so it will also fire on build IDs, uppercase hex constants and the last group of an uppercase UUID. Expect false positives: narrow it with a `path`, an allowlist, or by anchoring the regex to a label such as `serial` and capturing the value with `secretGroup`.
Device Identifier Detection
```toml
[[rules]]
id = "device-identifier"
description = "Device Identifier"
regex = '''\b[A-Z0-9]{8}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{12}\b'''
```
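The two custom rules above, emulated with `grep -E` over constructed sample text, as an added example that is not part of the project's own tooling. It shows how noisy the unscoped 12-character serial pattern is compared with a variant anchored to a "serial" label, and prints the gitleaks (RE2) form of that scoped regex in a comment. The sample lines, serial and UUID values are made up; `grep -E` has no `\b`, so `-w` supplies the word boundaries.

```shell
#!/bin/sh
# Added example (not the project's own scanner): emulates the two custom
# gitleaks rules with grep -E over constructed sample text, to show how noisy
# the unscoped 12-character serial pattern is and how anchoring it to a label
# fixes that. grep -E has no \b, so -w is used for word boundaries.
set -eu

# Same 12-character pattern as the macos-serial-number rule.
SERIAL_BROAD='[A-Z0-9]{12}'
# Scoped variant: only flag a 12-character token that follows a "serial" label.
# In .gitleaks.toml the equivalent (RE2 syntax) is:
#   regex = '''(?i:serial([\s_-]*number)?)[^A-Za-z0-9]{0,20}([A-Z0-9]{12})'''
#   secretGroup = 1
SERIAL_SCOPED='[Ss]erial([[:space:]_-]*[Nn]umber)?[^A-Za-z0-9]{0,20}[A-Z0-9]{12}'
# Same pattern as the device-identifier rule.
DEVICE_UUID='[A-Z0-9]{8}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{12}'

# count_matches PATTERN FILE -> number of lines containing a word-bounded match
count_matches() {
    grep -Ewc "$1" "$2" || true
}

# write_sample FILE -> constructed content: one labelled serial, one hardware
# UUID, and tokens that merely look like a serial (all values are made up).
write_sample() {
    cat > "$1" <<'EOF'
Serial Number: C02XK1ABJG5H
Hardware UUID: 12345678-ABCD-EF01-2345-6789ABCDEF01
BUILD_ID=6B2F9C1D0E4A
LOG_LEVEL=DEBUG
token: ABCDEFGHIJKL
EOF
}

# report FILE -> one line per rule with its hit count
report() {
    printf 'unscoped serial rule: %s line(s)\n' "$(count_matches "$SERIAL_BROAD" "$1")"
    printf 'scoped serial rule:   %s line(s)\n' "$(count_matches "$SERIAL_SCOPED" "$1")"
    printf 'device identifier:    %s line(s)\n' "$(count_matches "$DEVICE_UUID" "$1")"
}

sample=$(mktemp)
write_sample "$sample"
report "$sample"
rm -f "$sample"
```

On the sample the unscoped rule hits four of five lines (the labelled serial, the build ID, the random token, and the UUID's final group), while the scoped rule hits only the labelled serial and the device-identifier rule only the UUID. The scoped regex still needs an allowlist for upstream fixtures, but it removes most of the noise before anyone has to triage it.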
Pre-commit Hooks
Setup
```bash
# Install pre-commit
brew install pre-commit

# Install the hooks defined in .pre-commit-config.yaml
pre-commit install
```
Configuration
Location: .pre-commit-config.yaml
```yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks
```
Secret Management
1Password Integration
Use 1Password references in config files:
```json
{
  "GITHUB_TOKEN": "op://Development/GitHub/token"
}
```
Then use op run to inject secrets at runtime:
```bash
op run --env-file=.env -- script.sh
```
Environment Variables
Use .envrc with direnv:
```bash
# .envrc
export GITHUB_TOKEN=$(op read "op://Development/GitHub/token")
```
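A guard that a `.env` file handed to `op run --env-file` holds only `op://` references and never a literal secret, as an added example (not the project's own script). Both sample files are constructed; the check accepts empty values and an optional `export ` prefix, and rejects anything else.

```shell
#!/bin/sh
# Added example (not the project's own script): a guard that a .env file only
# holds op:// references, never literal secret values, so it is safe to commit
# as a template and to hand to `op run --env-file`. Sample files are constructed.
set -eu

# check_env_refs FILE -> exit 0 if every KEY=VALUE has an empty value or an
# op:// reference; prints each offending key and exits 1 otherwise.
# Blank lines, comments and lines without "=" are ignored.
check_env_refs() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
            *=*) ;;
            *) continue ;;
        esac
        key=${line%%=*}
        key=${key#"export "}
        value=${line#*=}
        # strip one layer of surrounding quotes
        value=${value#\"}; value=${value%\"}
        value=${value#\'}; value=${value%\'}
        case $value in
            ''|op://*) ;;
            *) echo "$1: literal value for $key (use an op:// reference)" >&2; bad=1 ;;
        esac
    done < "$1"
    return "$bad"
}

# Constructed samples: a reference-only template and a file with a hardcoded token.
good_file=$(mktemp); bad_file=$(mktemp)
cat > "$good_file" <<'EOF'
# template: every value is a 1Password reference
GITHUB_TOKEN="op://Development/GitHub/token"
export API_KEY=op://Development/API/key
OPTIONAL_FLAG=
EOF
cat > "$bad_file" <<'EOF'
GITHUB_TOKEN=op://Development/GitHub/token
API_KEY="sk-1234567890abcdef"
EOF

if check_env_refs "$good_file"; then echo "$good_file: ok"; fi
if ! check_env_refs "$bad_file"; then echo "$bad_file: refuse to commit"; fi
rm -f "$good_file" "$bad_file"
```

Run it as a local pre-commit hook over `.env.example` (and over `.env` if the template is kept there); it complements gitleaks, which only knows the secret formats in its rules, with a structural rule that no value in these files may be anything but a reference.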
Scanning Workflow
Before Committing
```bash
# Run security scan
task security:scan

# Or directly
gitleaks protect --staged --config .gitleaks.toml -v
```
Before Pushing
Pre-push hook automatically runs gitleaks.
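A pre-push hook that scans only the commits about to leave the machine, as an added example rather than the project's own hook. Git feeds the hook one `<local ref> <local sha> <remote ref> <remote sha>` line per ref on stdin and passes the remote name and URL as arguments; the hook turns each line into a `git log` range and runs `gitleaks detect --log-opts` over it. It assumes `gitleaks` is on PATH and `.gitleaks.toml` is in the repository root; the handling of brand-new branches (`--not --remotes`) is a design choice here, not something the page prescribes.

```shell
#!/bin/sh
# Added example of a .git/hooks/pre-push hook (not the project's own hook).
# git feeds it one "<local ref> <local sha> <remote ref> <remote sha>" line per
# ref being pushed on stdin, and passes the remote name and URL as $1 and $2.
# Only the commits that are actually leaving the machine are scanned.
set -eu

ZERO=0000000000000000000000000000000000000000

# push_range LOCAL_SHA REMOTE_SHA -> git log revision range to scan, or nothing
# when the ref is being deleted.
push_range() {
    if [ "$1" = "$ZERO" ]; then
        return 0                              # deletion: nothing new reaches the remote
    elif [ "$2" = "$ZERO" ]; then
        printf '%s --not --remotes\n' "$1"    # new branch: commits on no remote-tracking ref
    else
        printf '%s..%s\n' "$2" "$1"           # update: only the commits being added
    fi
}

# scan_push reads the ref lines from stdin and runs gitleaks once per range.
# Assumes gitleaks and .gitleaks.toml are present; --redact keeps the secret
# itself out of the terminal and CI logs.
scan_push() {
    status=0
    while read -r local_ref local_sha remote_ref remote_sha; do
        range=$(push_range "$local_sha" "$remote_sha")
        [ -n "$range" ] || continue
        echo "gitleaks: scanning $range for $remote_ref" >&2
        gitleaks detect --source . --config .gitleaks.toml \
            --log-opts="$range" --redact || status=1
    done
    return "$status"
}

# git always passes two arguments; when invoked without them (for example when
# sourced to test push_range) the hook does nothing.
if [ "$#" -ge 2 ]; then
    scan_push
fi
```

Install it as `.git/hooks/pre-push` with execute permission, or let the pre-commit framework manage it with `pre-commit install --hook-type pre-push`. Scanning the range rather than the whole history keeps the hook fast on large repositories, and a non-zero exit aborts the push until the offending commit is rewritten.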
In CI/CD
GitHub Actions workflow runs gitleaks on every push/PR.
Screenshot Handling
OCR and Redaction
```bash
# Analyze screenshots for PII
./scripts/analyze-screenshots.sh

# Redact sensitive information
./scripts/redact-screenshots.sh
```
Best Practices
- Move screenshots to data-private-2026/screenshots/
- Run OCR analysis before committing
- Redact sensitive data (serial numbers, paths, etc.)
- Review manually for context-specific sensitive info
Anti-Patterns
❌ Don't Do This
```bash
# Hardcoding secrets
export API_KEY="sk-1234567890abcdef"  # ❌ Never!

# Committing .env files
git add .env                          # ❌ Contains secrets

# Ignoring security scans
git commit --no-verify                # ❌ Bypasses hooks
```
✅ Do This Instead

```bash
# Use 1Password references
export API_KEY="op://Development/API/key"  # ✅

# Use .env.example for templates
git add .env.example                       # ✅ Safe template

# Always run security scans
task security:scan                         # ✅ Before committing
```

An `op://` reference is only a pointer: it resolves to the secret when the process runs under `op run`, or when read with `op read`. On its own the variable holds the literal reference string, which is exactly why it is safe to commit.
Integration with Other Skills
- bash-scripting: security scanning scripts
- systematic-debugging: troubleshooting scan failures
References
- .gitleaks.toml - gitleaks configuration
- .pre-commit-config.yaml - pre-commit hooks
- scripts/security-scan.sh - security scanning script
- learning/LEARNING_LOG.md#LL-013 - PII detection patterns