Use when adding new error messages to React, or seeing "unknown error code" warnings.
safe-commit
0
0
# Install this skill:
npx skills add kotsmiltos/mk-cc-resources --skill "safe-commit"
Install specific skill from multi-skill repository
# Description
Commit safety layer — secret scanning, identity verification, and commit hygiene enforcement. Blocks commits containing secrets, sensitive files, hardcoded paths, or merge conflict markers. Use when making any git commit.
# SKILL.md
name: safe-commit
description: Commit safety layer — secret scanning, identity verification, and commit hygiene enforcement. Blocks commits containing secrets, sensitive files, hardcoded paths, or merge conflict markers. Use when making any git commit.
Enforce commit safety before every git commit. Verify the committer's identity, scan staged changes for secrets and sensitive files, and enforce commit hygiene rules. Block unsafe commits with clear explanations; proceed cleanly when safe.
When triggered (by /safe-commit or any commit workflow):
1. Show the resolved git author (git config user.name + git config user.email)
2. Run scripts/scan-secrets.sh against staged changes
3. If findings exist: BLOCK the commit, show each finding with file, line, redacted match, and fix suggestion
4. If clean: proceed with the commit
5. NEVER push to remote. NEVER add Co-Authored-By trailers.
- ALWAYS show the resolved git author before committing — the user MUST see exactly who is committing
- NEVER modify git config — read-only access to identity information
- The user's includeIf rules handle identity switching automatically
- NEVER add a Co-Authored-By trailer to commits
- NEVER push to a remote — commits only; pushing is a separate, user-initiated action
- Suggest clear, descriptive commit messages — if the user provides one, use it as-is
- Prefer staging specific files over git add -A or git add . to avoid accidentally including sensitive files
Checks run in this order. BLOCK-level findings abort the commit.
Sensitive file types staged for commit: .env, .env.*, .pem, .key, .p12, .pfx, .jks, .keystore, credentials.json, credentials.yaml, id_rsa, id_ed25519, id_ecdsa, .htpasswd, token.json
Action: add to .gitignore, use environment variables or a secrets manager instead.
Secret patterns in staged content (33 regex patterns): AWS keys, GitHub/GitLab tokens, Slack tokens, Stripe keys, Google API keys, private key headers, database URLs with credentials, generic API key/secret assignments, Bearer tokens, service-specific tokens (Heroku, SendGrid, Twilio, Mailgun, NPM).
See references/secret-patterns.md for the full pattern catalog with false-positive risk ratings.
Hardcoded local paths: /home/user/..., /Users/user/..., C:\Users\user\... — these leak personal setup details and break portability.
Merge conflict markers in staged files (7+ consecutive <, =, or > characters).
Committing directly to main or master — warn the user but do not block.
Empty or single-word commit messages — warn and suggest improvement.
- If scan-secrets.sh exits with code 2: not in a git repo or git unavailable — surface this error clearly to the user
- If the script is not executable or not found: fall back to manual pattern inspection of git diff --staged output against the patterns in references/secret-patterns.md
- If the scan finds issues, show each finding with: pattern name, file:line location, redacted match preview, and suggested fix
Known false positives can be suppressed with a .safe-commit-allow file in the repo root.
Format (one entry per line):
- path/to/file.py — suppress ALL findings in that file (substring match)
- Pattern Name:path/to/file.py — suppress a specific pattern in a specific file
- Lines starting with # are comments
- The allowlist itself should be committed to the repo (it's not sensitive)
See references/commit-checks.md for full allowlist documentation.
| Script | Purpose | Usage |
|---|---|---|
| scripts/scan-secrets.sh | Deterministic secret scanner for staged git changes | bash scripts/scan-secrets.sh — exit 0=clean, 1=findings, 2=error |
| Reference | Purpose |
|---|---|
| references/commit-checks.md | Check tiers (BLOCK/WARN), allowlist format, gitleaks upgrade guide |
| references/secret-patterns.md | Full pattern catalog with regex, examples, and false-positive risk ratings |
Be transparent about what this scanner cannot catch:
- Base64-encoded secrets (without external tools like gitleaks)
- Secrets split across multiple lines or variables
- Secrets in binary files or LFS-tracked content
- Secrets in submodule content
- High-entropy strings that don't match a known pattern format
For maximum coverage, see the gitleaks upgrade guide in references/commit-checks.md.
- Git author identity shown to the user before committing
- scan-secrets.sh ran against staged changes (or manual inspection if script unavailable)
- All BLOCK-level findings surfaced with file, line, match preview, and fix suggestion — commit aborted
- All WARN-level conditions surfaced as warnings
- If clean: commit created with a clear, descriptive message
- No Co-Authored-By trailer added
- No push to remote attempted
- No git config modified
# Related Skills
Use when feature flag tests fail, flags need updating, understanding @gate pragmas, debugging...
Use when you have lint errors, formatting issues, or before committing code to ensure it passes CI.
Use when you need to check feature flag states, compare channels, or debug why a feature behaves...
# Supported AI Coding Agents
This skill is compatible with the SKILL.md standard and works with all major AI coding agents:
Amp
Antigravity
Claude Code
Clawdbot
Codex
Cursor
Droid
Gemini CLI
GitHub Copilot
Goose
Kilo Code
Kiro CLI
OpenCode
Roo Code
Trae
Windsurf
Learn more about the SKILL.md standard and how to use these skills with your preferred AI coding agent.