Repository Security Clean
Scans the repository for security issues and automatically remediates them. This is the action-oriented companion to /repo-security-scan.
Invocation
/repo-security-clean "clean up security issues" "fix the security problems" "remove sensitive data from the repo" "sanitise this repository"
Prerequisites
First run /repo-security-scan to generate a report, OR this skill will run a scan first.
Workflow
Step 1: Check for Existing Scan
Look for recent scan report:
ls -t security/*-scan.md 2>/dev/null | head -1
If scan exists from today: Use it
If no recent scan: Run /repo-security-scan first
Step 2: Parse Findings
Read the scan report and extract actionable items (High and Medium priority).
Build a remediation queue:
[H1] Hardcoded API key in config/services.rb:42 [H2] Private key tracked in certs/server.key [M1] SQL injection risk in app/models/user.rb:87 [M2] Debug mode enabled in config/production.yml
Step 3: Confirm Scope
Present findings and ask for confirmation:
Found 4 issues to remediate: High Priority (2): [H1] Hardcoded API key - config/services.rb:42 [H2] Private key tracked - certs/server.key Medium Priority (2): [M1] SQL injection risk - app/models/user.rb:87 [M2] Debug mode enabled - config/production.yml Options: - Fix all (recommended) - Fix High only - Select individually - Cancel
Step 4: Remediate Each Issue
Process each issue based on its type:
Hardcoded Secrets
Detection: API keys, passwords, tokens in code
Remediation:
- •Identify the secret type and variable name
- •Add to
.env.examplewith placeholder:codeAPI_KEY=your_api_key_here
- •Update code to read from environment:
ruby
# Before api_key = "sk-abc123..." # After api_key = ENV.fetch('API_KEY') - •Ensure
.envis in.gitignore - •Warn user: "Secret was exposed in git history. Rotate this credential immediately."
Tracked Sensitive Files
Detection: Private keys, credentials files, .env files in git
Remediation:
- •Add pattern to
.gitignore:code*.pem *.key .env
- •Remove from git tracking (keep file):
bash
git rm --cached <file>
- •Ask user: "Remove from git history entirely? (requires force push)"
- •If yes: Use
git filter-repoor BFG - •If no: Just untrack, warn about history
- •If yes: Use
SQL Injection
Detection: String interpolation in queries
Remediation:
# Before
User.where("name = '#{params[:name]}'")
# After
User.where(name: params[:name])
For complex queries:
# Before
User.where("name LIKE '%#{params[:q]}%'")
# After
User.where("name LIKE ?", "%#{params[:q]}%")
Command Injection
Detection: User input in system/exec calls
Remediation:
# Before
system("convert #{params[:file]} output.png")
# After
system("convert", params[:file], "output.png")
For shell commands, use array form or escape:
# Using Shellwords
require 'shellwords'
system("convert #{Shellwords.escape(params[:file])} output.png")
XSS Vulnerabilities
Detection: raw, html_safe on user input, innerHTML
Remediation:
# Before <%= raw user_input %> # After <%= sanitize user_input %>
// Before element.innerHTML = userInput; // After element.textContent = userInput;
Insecure Configuration
Detection: Debug mode, permissive CORS, missing CSRF
Remediation:
Debug mode:
# Before debug: true # After debug: false # or use environment variable
CORS wildcard:
# Before
config.allowed_origins = '*'
# After
config.allowed_origins = ENV.fetch('ALLOWED_ORIGINS', 'https://myapp.com').split(',')
Weak Cryptography
Detection: MD5, SHA1 for passwords, weak random
Remediation:
# Before Digest::MD5.hexdigest(password) # After BCrypt::Password.create(password)
// Before Math.random().toString(36) // After crypto.randomUUID()
Step 5: Update .gitignore
Consolidate all patterns that should be ignored:
# Check current .gitignore cat .gitignore # Add missing patterns echo " # Security - added by repo-security-clean .env .env.* *.pem *.key *.p12 config/master.key " >> .gitignore
Step 6: Create Commit
Stage all changes and create a security fix commit:
git add -A git commit -m "security: remediate issues from security scan Fixed: - [H1] Moved API key to environment variable - [H2] Removed private key from tracking - [M1] Fixed SQL injection in User model - [M2] Disabled debug mode in production Run 'git log --oneline -1' to see this commit. ⚠️ Action required: - Rotate exposed credentials - Review git history for sensitive data "
Do NOT auto-commit - present the changes and ask:
Ready to commit these security fixes? Changes: M .gitignore M config/services.rb M app/models/user.rb D certs/server.key (untracked, file preserved) Options: - Commit now - Review changes first (git diff) - Cancel
Step 7: Post-Remediation Report
Update the scan report or create a new one:
# Security Clean Report
**Repository:** <repo-name>
**Date:** YYYY-MM-DD
**Action:** Automated remediation
## Actions Taken
### [H1] Hardcoded API Key - FIXED
- **File:** config/services.rb:42
- **Action:** Replaced with `ENV.fetch('API_KEY')`
- **Follow-up required:** Rotate the exposed key
### [H2] Private Key Tracked - FIXED
- **File:** certs/server.key
- **Action:** Added to .gitignore, removed from tracking
- **Follow-up required:** Consider removing from git history
## Manual Actions Required
1. **Rotate credentials:**
- [ ] API key (was exposed in config/services.rb)
- [ ] Any other secrets visible in git history
2. **Clean git history (optional but recommended):**
```bash
# Install BFG Repo-Cleaner
brew install bfg
# Remove sensitive files from history
bfg --delete-files server.key
git reflog expire --expire=now --all
git gc --prune=now --aggressive
git push --force
- •Enable secret scanning:
- •GitHub: Settings → Security → Secret scanning
- •Add pre-commit hooks for local detection
Summary
| Priority | Found | Fixed | Manual |
|---|---|---|---|
| High | 2 | 2 | 0 |
| Medium | 2 | 2 | 0 |
| Low | 5 | 0 | 5 |
### Step 8: Final Summary
✓ Security clean complete
Fixed: 4 issues [H1] Hardcoded API key → environment variable [H2] Private key → untracked [M1] SQL injection → parameterised query [M2] Debug mode → disabled
Commit ready: Run 'git push' when ready
⚠️ Manual actions required: 1. Rotate the exposed API key 2. Consider cleaning git history 3. Review low-priority items in report
Report: security/YYYYMMDD-clean.md
## Safety Guardrails 1. **Always ask before:** - Modifying git history - Deleting files - Making commits 2. **Never automatically:** - Force push - Delete untracked files - Modify files outside the repo 3. **Preserve originals:** - Untrack sensitive files, don't delete them - User may need the actual credentials/keys 4. **Warn about:** - Exposed secrets in git history - Credentials that need rotation - Breaking changes (e.g., code now requires env vars) ## Limitations - Cannot fix all vulnerability types automatically - Some fixes may require manual review (complex SQL, business logic) - Git history cleaning requires manual steps - Does not rotate credentials (user must do this)