login
shipshitdev

git-safety

by @shipshitdev in Development
4
0
# Install this skill:
npx skills add shipshitdev/library --skill "git-safety"

Install specific skill from multi-skill repository

# Description

Scan git history for sensitive files, clean leaked credentials, and set up prevention measures. Use when asked to "check for secrets", "scan git history", "remove .env from history", "secure my repo", or "clean sensitive files".

# SKILL.md

name: git-safety
description: Scan git history for sensitive files, clean leaked credentials, and set up prevention measures. Use when asked to "check for secrets", "scan git history", "remove .env from history", "secure my repo", or "clean sensitive files".

Git Safety Skill

Comprehensive security scanning, cleaning, and prevention for git repositories.

CRITICAL WARNING

Removing secrets from git history does NOT make them safe!

Even after cleaning git history:

  • GitHub is scraped by bots within seconds of a push
  • Archive services may have captured snapshots
  • Forks retain the original history
  • CI/CD logs may contain the values

ALWAYS rotate leaked credentials immediately. Cleaning history is NOT enough.

Modes of Operation

1. /git-safety scan - Detect Sensitive Files

Scan repository for sensitive files in current state and git history.

2. /git-safety clean - Remove from History

Remove sensitive files using git-filter-repo or BFG.

3. /git-safety prevent - Set Up Prevention

Configure .gitignore and pre-commit hooks.

4. /git-safety full - Complete Audit

Run all three operations in sequence.

Sensitive File Patterns

.env, .env.*, credentials.json, service-account*.json
*.pem, *.key, id_rsa*, secrets.*, .npmrc, *.secret

Quick Commands

Scan for sensitive files in history:

git log --all --pretty=format: --name-only --diff-filter=A | sort -u | grep -iE 'env|secret|credential|key'

Remove .env from all history:

git filter-repo --path .env --invert-paths --force
git push origin --force --all

Add to .gitignore:

echo -e "\n.env\n.env.*\n*.pem\n*.key\ncredentials.json" >> .gitignore

Emergency Response

If you've leaked credentials:

  1. IMMEDIATELY rotate the credential
  2. Check access logs
  3. Run /git-safety clean
  4. Force push cleaned history
  5. Notify team to re-clone
  6. Update .gitignore
  7. Set up pre-commit hooks

For complete scan commands, cleaning process with git-filter-repo/BFG, pre-commit hook setup, .gitignore templates, platform-specific guidance, and detailed emergency checklist, see: references/full-guide.md

# Related Skills

facebook
feature-flags @facebook

Use when feature flag tests fail, flags need updating, understanding @gate pragmas, debugging...

β˜… 242,571
facebook
fix @facebook

Use when you have lint errors, formatting issues, or before committing code to ensure it passes CI.

β˜… 242,571
facebook
flags @facebook

Use when you need to check feature flag states, compare channels, or debug why a feature behaves...

β˜… 242,571

# Supported AI Coding Agents

This skill is compatible with the SKILL.md standard and works with all major AI coding agents:

⚑ Amp πŸš€ Antigravity πŸ€– Claude Code πŸ¦€ Clawdbot πŸ“ Codex ▢️ Cursor πŸ€– Droid πŸ’Ž Gemini CLI πŸ™ GitHub Copilot πŸͺΏ Goose πŸ“Š Kilo Code πŸ”§ Kiro CLI πŸ’» OpenCode 🦘 Roo Code 🌲 Trae πŸ„ Windsurf

Learn more about the SKILL.md standard and how to use these skills with your preferred AI coding agent.