# Security Scrubbing Skill

This skill provides a standardized workflow for identifying and removing sensitive information (passwords, tokens, keys) from Git history using git filter-repo and gitleaks.

## Guidelines

- Identification: Always run `gitleaks detect -v` first to identify the scope of exposed secrets.
- Replacement Plan: Create a mapping file (e.g., `expressions.txt`) using the format `old_value==>new_value`.
- Execution: Use `git filter-repo --replace-text expressions.txt --force` to rewrite history.
- Verification: Re-run `gitleaks` to ensure zero leaks remain.
- Synchronization: Force-push to all remotes (`git push origin <branch> --force`). Update all collaborators.
- Archiving: Log the operation in the project's Runbook directory with a timestamped record.
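The Replacement Plan and Verification steps above, as an added helper that is not part of this skill's own files: it turns a gitleaks JSON report (assumed to be produced with `gitleaks detect --report-format json --report-path report.json`) into `expressions.txt` lines with descriptive placeholders, refuses secrets that git filter-repo would misparse, and checks rewritten history text for any secret that survived. The report contents below are constructed sample data.

```python
import json
import re

# Constructed sample of a gitleaks JSON report; only the fields read here are included.
SAMPLE_REPORT = json.dumps([
    {"RuleID": "aws-access-token", "Secret": "AKIAIOSFODNN7EXAMPLE", "File": "config.py", "Commit": "a1b2c3"},
    {"RuleID": "aws-access-token", "Secret": "AKIAIOSFODNN7EXAMPLE", "File": "old/config.py", "Commit": "d4e5f6"},
    {"RuleID": "generic-api-key", "Secret": "hunter2-prod-password", "File": ".env", "Commit": "a1b2c3"},
    {"RuleID": "generic-api-key", "Secret": "hunter2-staging-password", "File": ".env", "Commit": "a1b2c3"},
])


def placeholder_for(rule_id: str, index: int, total: int) -> str:
    """Descriptive placeholder derived from the gitleaks rule, e.g. AWS_ACCESS_TOKEN_PLACEHOLDER;
    numbered (_1, _2, ...) only when several distinct secrets matched the same rule."""
    base = re.sub(r"[^A-Z0-9]+", "_", rule_id.upper()).strip("_") + "_PLACEHOLDER"
    return base if total == 1 else f"{base}_{index}"


def build_expressions(report_json: str) -> dict:
    """Map each distinct leaked secret to its placeholder, deduplicating repeated findings
    of the same value across files and commits (first-seen order is preserved)."""
    by_rule = {}
    for finding in json.loads(report_json):
        secrets = by_rule.setdefault(finding["RuleID"], [])
        if finding["Secret"] not in secrets:
            secrets.append(finding["Secret"])
    mapping = {}
    for rule_id, secrets in by_rule.items():
        for i, secret in enumerate(secrets, start=1):
            mapping[secret] = placeholder_for(rule_id, i, len(secrets))
    return mapping


def render_expressions(mapping: dict) -> str:
    """Serialize as git filter-repo --replace-text lines: old_value==>new_value.
    filter-repo splits each line on the first '==>' and treats lines starting with
    'regex:' or 'glob:' as patterns, so such secrets would be misread; refuse rather than
    silently produce a file that scrubs only part of the value."""
    lines = []
    for secret, placeholder in mapping.items():
        if "==>" in secret or "\n" in secret or secret.startswith(("regex:", "glob:")):
            raise ValueError(f"secret needs manual handling in expressions.txt: {secret!r}")
        lines.append(f"{secret}==>{placeholder}")
    return "\n".join(lines) + "\n"


def still_present(history_text: str, mapping: dict) -> list:
    """Verification: secrets that still occur in rewritten history text (e.g. `git log -p --all`)."""
    return [secret for secret in mapping if secret in history_text]


if __name__ == "__main__":
    print(render_expressions(build_expressions(SAMPLE_REPORT)), end="")
```

An empty list from `still_present` complements the gitleaks re-scan; it does not replace it, since gitleaks also catches values the report never listed.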
## Best Practices

- Always use descriptive placeholders like `YOUR_PASSWORD` or `MFA_SECRET_PLACEHOLDER`.
- Scan all branches, not just the active one, if secrets were historically committed elsewhere.
- Notify the team immediately after a force-push, as it breaks local clones.