Git Security Scanner
by celstnblacc
Unified security scanner that catches leaked secrets, credentials, and code vulnerabilities before they reach your remote. Wraps gitleaks (400+ secret patterns) and shipguard (48+ SAST rules) into a single tool with pre-commit hooks, on-demand scans, and full git history audits.
安装
claude skill add --url github.com/openclaw/skills/tree/main/skills/celstnblacc/git-security-scanner文档
Git Security Scanner
Scan your git repositories for leaked secrets, credentials, and security vulnerabilities in one command. Combines gitleaks (pattern-based secret detection) and shipguard (48+ SAST rules across 7 security layers) into a unified scanner with merged reporting.
What You Get
Two Scanning Engines
| Engine | What it does | Rules |
|---|---|---|
| gitleaks | Pattern-based secret detection across files and git history | 400+ built-in rules, custom .gitleaks.toml support |
| shipguard | Static analysis for secrets, shell injection, code injection, supply chain, config issues | 48+ rules: SEC-001–015, SHELL-001–009, PY-001–012, JS-001–008, GHA-001–005, CFG-001–003, SC-001–006 |
Scanning Modes
| Mode | Command | What it checks |
|---|---|---|
| Quick scan | git-security-scan | Current working tree |
| Staged only | git-security-scan --staged-only | Only staged files — for pre-commit hooks |
| Full history | git-security-scan --full-history | Entire git history — finds secrets in old commits |
| Custom severity | git-security-scan --severity critical | Filter by minimum severity level |
What It Catches
Secrets (gitleaks + shipguard SEC rules):
- API keys (AWS, GCP, Azure, OpenAI, Anthropic, Stripe, GitHub, Slack, etc.)
- Database connection strings with embedded passwords
- SSH private keys and PEM files
- JWT tokens and session secrets
- Hardcoded passwords in config files
.envfiles accidentally staged- Credentials in comments or docstrings
Code vulnerabilities (shipguard SAST rules):
- Shell command injection (
SHELL-001–009) - Python code injection:
eval(),exec(), unsafe pickle, SQL injection (PY-001–012) - JavaScript injection:
innerHTML,eval(), prototype pollution (JS-001–008) - GitHub Actions injection: script injection, unpinned actions (
GHA-001–005) - Config issues: debug mode in production, permissive CORS, exposed admin routes (
CFG-001–003) - Supply chain: unpinned dependencies, missing lockfiles, unsigned artifacts (
SC-001–006)
Output Formats
| Format | Flag | Use case |
|---|---|---|
| Terminal (default) | --format terminal | Color-coded findings with severity icons |
| Markdown | --format markdown | PR comments, documentation, reports |
| JSON | --format json | CI/CD integration, programmatic analysis |
| SARIF | --format sarif | GitHub Security tab integration |
Installation
Prerequisites
# macOS
brew install gitleaks
pipx install shipguard # or: pip install shipguard
# Linux
# gitleaks: download from https://github.com/gitleaks/gitleaks/releases
# shipguard:
pipx install shipguard
Install the Skill
clawhub install git-security-scanner
This adds the git-security-scan wrapper script and the skill definition.
Set Up Pre-Commit Hook
git-security-scan --install-hooks
This installs a pre-commit hook in the current repo that runs git-security-scan --staged-only --severity high on every commit. Commits with critical or high severity findings are blocked.
Usage
CLI
# Scan current directory
git-security-scan
# Scan a specific project
git-security-scan /path/to/project
# Pre-commit mode (staged files only, block on high+)
git-security-scan --staged-only --severity high
# Full git history audit
git-security-scan --full-history
# Generate a markdown report
git-security-scan --format markdown --output report.md
# JSON for CI pipelines
git-security-scan --format json --output .security-reports/scan.json
# Skip one engine
git-security-scan --skip-gitleaks # shipguard only
git-security-scan --skip-shipguard # gitleaks only
AI Assistant Prompts
Quick scan:
"Scan this repo for leaked secrets and security vulnerabilities"
Pre-commit setup:
"Set up pre-commit hooks to block secrets before they're committed"
Full history audit:
"Audit the entire git history for any credentials that were ever committed"
Custom rules:
"Add a gitleaks rule to catch hardcoded Proxmox API tokens"
Targeted scan:
"Run shipguard on just the Python files with severity high or above"
Configuration
gitleaks (.gitleaks.toml)
Create in your repo root to add custom secret patterns:
[extend]
useDefault = true
[[rules]]
id = "proxmox-api-token"
description = "Proxmox API Token"
regex = '''PVEAPIToken=[A-Za-z0-9@!]+:[A-Za-z0-9-]+'''
shipguard (.shipguard.yml)
Create in your repo root to configure SAST rules:
severity_threshold: medium
exclude_paths:
- tests/fixtures/
- node_modules/
- "*.min.js"
disable_rules:
- JS-008 # skip specific rule
Pre-commit config (.shipguard-precommit.yml)
Stricter settings for the pre-commit hook:
severity_threshold: high
exclude_paths:
- tests/
- docs/
Report Example
Terminal output:
============================================================
Git Security Scan Report
============================================================
Directory: /home/user/my-project
Timestamp: 2026-03-19T10:30:00Z
Tools: gitleaks (2 findings)
shipguard (3 findings)
Findings: 5 critical: 1 high: 1 medium: 3
🔴 [CRITICAL] aws-access-key-id (gitleaks)
config/settings.py:42
AWS access key ID detected
> AKIAIOSFODNN7EXAMPLE
Fix: Rotate this credential immediately. Remove from git history.
🟠 [HIGH] SEC-003 (shipguard)
src/api.py:18
Hardcoded database password in connection string
> db_url = "postgres://admin:p4ssw0rd@localhost/app"
Fix: Use environment variables instead of hardcoded credentials.
🟡 [MEDIUM] PY-003 (shipguard)
src/utils.py:55
Use of eval() with user-controlled input
> result = eval(user_expression)
Fix: Use ast.literal_eval() or a safe expression parser.
Remediation Workflow
When critical/high findings are detected:
- Rotate the credential — Assume it's compromised if it was ever in git history
- Remove from history —
git filter-repo --invert-paths --path <file>or BFG Repo Cleaner - Add to
.gitignore— Prevent re-staging of secret files - Use environment variables — Move secrets to
.env(excluded from git) or a secret manager - Re-scan — Run
git-security-scan --full-historyto confirm the fix
Troubleshooting
| Problem | Fix |
|---|---|
| VirusTotal "suspicious" warning on install | This is a false positive — the skill describes secret patterns and vulnerability types, which triggers pattern detection. Use clawhub install git-security-scanner --force to proceed. Review the SKILL.md yourself to confirm. |
gitleaks not found | brew install gitleaks (macOS) or download from gitleaks releases |
shipguard not found | pipx install shipguard or pip install shipguard |
| No findings but secrets exist | Check if .gitleaks.toml or .shipguard.yml is excluding the path. Try --severity low to see all findings. |
| Scan is slow | --full-history scans every commit. Use default mode (working tree only) for quick checks. |
Links
- gitleaks: https://github.com/gitleaks/gitleaks
- shipguard: https://github.com/celstnblacc (part of ai_spec_sec)
- License: MIT-0 (this skill) / Apache 2.0 (source tools)
Built by celstnblacc — gitleaks 8.30.0 + shipguard 0.3.2 (48+ SAST rules, 4 output formats).
相关 Skills
安全专家
by alirezarezvani
覆盖威胁建模、漏洞评估、安全架构设计、代码审计与渗透测试,内置 STRIDE、OWASP、加密模式和安全扫描流程,适合系统设计评审与上线前安全排查。
✎ 安全专家把威胁建模、漏洞分析到渗透测试串成一套流程,内置 STRIDE 与 OWASP 指南,做安全设计和排查更省心。
安全运营
by alirezarezvani
覆盖应用安全、漏洞管理与合规审计,支持代码/依赖扫描、CVE 评估、Secrets 检测和安全自动化,适合做安全基线落地、漏洞响应、审计检查与安全开发治理。
✎ 应用安全、漏洞管理和合规检查一套打通,还能自动化扫描与响应,帮团队更早发现并收敛风险。
安全审计
by alirezarezvani
安装前审计 Claude Code Skill 的代码执行、Prompt 注入和依赖供应链风险,支持本地目录或 Git 仓库扫描,输出 PASS/WARN/FAIL 结论及修复建议
✎ 把代码审查、漏洞扫描和合规检查串成一条线,帮团队更早发现风险,做安全治理更省心。
相关 MCP 服务
by Sentry
搜索和分析 Sentry 错误报告,辅助调试。
✎ 把零散的 Sentry 错误报告变成可检索线索,帮你在海量报错里更快定位线上故障,排障调试明显省时。
by sinewaveai
为 AI agents 提供安全层:拦截 prompt injection、识别伪造 packages,并扫描漏洞风险。
✎ 给 AI Agent 补上关键安全层,能拦截 prompt 注入、识别伪造包并扫描漏洞风险,把防护前置更省心。
by pantheon-security
强化安全性的 NotebookLM MCP,集成 post-quantum encryption,提升数据防护能力。