AgentSkillsCN

secrets-audit

Scan the repository with gitleaks to catch, and guard against, accidentally committed sensitive information and credentials.

SKILL.md
---
name: secrets-audit
description: "Scan repository for accidentally committed secrets and credentials using gitleaks."
last_updated: 2026-01-10
tools_required: [Bash]
agent_type: main_agent
---

Secrets Audit

Scan for accidentally committed secrets and credentials.

[GOAL]

Find and remediate any exposed secrets in the repository.

[CONTEXT]

Uses gitleaks (1000+ built-in patterns + entropy analysis) to detect:

  • API keys (OpenAI, Google, AWS, etc.)
  • Auth tokens and bearer tokens
  • Passwords and credentials
  • High-entropy strings

Excludes: Journal/, .obsidian/, node_modules/

[PROCESS]

1. Run audit

```bash
gitleaks detect --source . --verbose
```

2. Review findings

If secrets found:

```
SECRETS DETECTED

Finding:     openai-key
Secret:      sk-proj-***REDACTED***
File:        path/to/file.md:215
```

If clean:

```
NO SECRETS DETECTED
Repository is clean!
```

3. Remediate (if needed)

For each secret found:

   1. Remove from file:

      ```
      sk-proj-ACTUAL_KEY → sk-proj-YOUR_KEY_HERE
      ```

   2. Move to ~/.secrets/:

      ```bash
      echo "OPENAI_API_KEY=sk-proj-ACTUAL_KEY" >> ~/.secrets/openai
      ```

   3. Update documentation:

      ```markdown
      # Before
      API Key: `sk-proj-ACTUAL_KEY`

      # After
      API Key: `source ~/.secrets/openai && echo $OPENAI_API_KEY`
      ```

   4. Rotate the secret: generate a new key from the provider

   5. (Optional) Clean git history:

      ```bash
      git-filter-repo --path "file-with-secret.md" --invert-paths
      ```

[WHEN TO USE]

  • Regular audits: Weekly or monthly
  • Before important commits: Double-check sensitive work
  • After adding integrations: Verify no new API keys exposed
  • Security reviews: Part of periodic hygiene

[IMPORTANT]

  • Pre-commit hook automatically blocks commits with secrets
  • Can bypass with --no-verify (not recommended)
  • False positives can be added to .gitleaks.toml allowlist

See Also

  • .gitleaks.toml - Audit configuration