Agent-Skills.md

Agent Skills: Git Safety Skill

Scan git history for sensitive files, clean leaked credentials, and set up prevention measures. Use when asked to "check for secrets", "scan git history", "remove .env from history", "secure my repo", or "clean sensitive files".

UncategorizedID: shipshitdev/library/git-safety

Repository

shipshitdev/library
shipshitdev
151

Install this agent skill to your local

pnpm dlx add-skill https://github.com/shipshitdev/library/tree/HEAD/bundles/github/skills/git-safety

Skill Files

Browse the full folder contents for git-safety.

Download Skill

Loading file tree…

bundles/github/skills/git-safety/SKILL.md

Skill Metadata

Name
git-safety
Description
>-

Git Safety Skill

Comprehensive security scanning, cleaning, and prevention for git repositories.

Contract

Inputs:

  • Repository root
  • Mode: scan, prevent, clean, or full
  • Optional leaked path, secret pattern, or affected ref range

Outputs:

  • Sensitive file/history findings
  • Rotation and remediation checklist
  • Commands required for prevention or history cleanup

Creates/Modifies:

  • Scan mode: no file changes
  • Prevent mode: .gitignore and optional hook updates
  • Clean mode: rewritten git history only after explicit confirmation

External Side Effects:

  • May force-push rewritten history in clean mode
  • May require credential rotation outside the repository

Confirmation Required:

  • Before history rewriting
  • Before force-pushing
  • Before changing hooks or ignore rules in shared repos

Delegates To:

  • security-audit for broader application-security review
  • open-source-checker before publishing a private repo

CRITICAL WARNING

Removing secrets from git history does NOT make them safe!

Even after cleaning git history:

  • GitHub is scraped by bots within seconds of a push
  • Archive services may have captured snapshots
  • Forks retain the original history
  • CI/CD logs may contain the values

ALWAYS rotate leaked credentials immediately. Cleaning history is NOT enough.

Modes of Operation

1. /git-safety scan - Detect Sensitive Files

Scan repository for sensitive files in current state and git history.

2. /git-safety clean - Remove from History

Remove sensitive files using git-filter-repo or BFG.

3. /git-safety prevent - Set Up Prevention

Configure .gitignore and pre-commit hooks.

4. /git-safety full - Complete Audit

Run all three operations in sequence.

Sensitive File Patterns

.env, .env.*, credentials.json, service-account*.json
*.pem, *.key, id_rsa*, secrets.*, .npmrc, *.secret

Quick Commands

Scan for sensitive files in history:

git log --all --pretty=format: --name-only --diff-filter=A | sort -u | grep -iE 'env|secret|credential|key'

Remove .env from all history:

git filter-repo --path .env --invert-paths --force
git push origin --force --all

Add to .gitignore:

echo -e "\n.env\n.env.*\n*.pem\n*.key\ncredentials.json" >> .gitignore

Emergency Response

If you've leaked credentials:

  1. IMMEDIATELY rotate the credential
  2. Check access logs
  3. Run /git-safety clean
  4. Force push cleaned history
  5. Notify team to re-clone
  6. Update .gitignore
  7. Set up pre-commit hooks

For complete scan commands, cleaning process with git-filter-repo/BFG, pre-commit hook setup, .gitignore templates, platform-specific guidance, and detailed emergency checklist, see: references/full-guide.md