# Open Source Checker

Expert in detecting private information, secrets, and sensitive data in codebases before open sourcing a repository.

## When to Use This Skill

Use when you're:

- Preparing to open source a repository
- Reviewing code for exposed secrets
- Auditing codebase for sensitive data
- Performing security audits before public release
- Setting up pre-commit hooks for secret detection

## What to Check

### Critical Items

- API keys (OpenAI, Stripe, AWS, GitHub tokens)
- Database credentials and connection strings
- Private keys and certificates (`.pem`, `.key`)
- Personal information (emails, phone numbers)
- Environment files (`.env` should be gitignored)

### Git History (CRITICAL)

- Secrets remain in git history even after deletion
- Must scan all branches, tags, and deleted files
- Use `gitleaks`, `truffleHog`, or `git-secrets`

## Quick Workflow

1. **File scan**: Check for secret files, patterns
2. **Code analysis**: Search for hardcoded secrets
3. **Git history**: Scan entire history with tools
4. **Setup hooks**: Prevent future commits with secrets
5. **Clean history**: Use `git-filter-repo` if needed (rotate anything that leaked first; rewriting history does not revoke a credential)

## Tools

- `gitleaks`: Best for git history scanning
- `truffleHog`: Alternative history scanner
- `git-secrets`: AWS-focused with pre-commit hooks
- `detect-secrets`: Baseline-based detection

## References

- [Full guide: Patterns, scanning workflow, git hooks, cleanup](references/full-guide.md)

---

_Full guide (`references/full-guide.md`), joining mid-way through section 4.3:_

```bash
); do
  echo "=== $file ==="
  # the last commit that touched a deleted file is the deletion; its parent still has the content
  git log --all --full-history -1 --format="%H" -- "$file" | xargs -I {} git show {}^:"$file" 2>/dev/null || echo "Could not retrieve"
done
```

### 4.4 Checking Merge Commits

A merge commit can introduce content that exists in neither parent (a hand-edited conflict resolution, an "evil merge"), so diff it against each parent instead of relying on the per-branch scans:

```bash
# List all merge commits
git log --all --merges --oneline

# Check a specific merge for changes
git show --stat <merge-commit-hash>

# Diff merge against its parents
git diff <merge-commit>^1..<merge-commit>
git diff <merge-commit>^2..<merge-commit>
```

### 4.5 Checking Stashes

Stashes are often forgotten and may contain secrets:

```bash
# List all stashes
git stash list

# Show stash content (tracked changes only)
git stash show -p stash@{0}

# Untracked files saved with `git stash -u` live in the stash's third parent
git show --stat stash@{0}^3

# Check all stashes for sensitive patterns (stash indexes run 0..N-1)
for i in $(seq 0 $(( $(git stash list | wc -l) - 1 ))); do
  echo "=== Stash $i ==="
  git stash show -p "stash@{$i}" 2>/dev/null | grep -iE "(api.?key|password|secret|token)" || true
done
```

### 4.6 Checking All Branches

```bash
# List all branches (local and remote)
git branch -a

# Scan each branch for sensitive files
for branch in $(git branch -a | sed 's/^[\* ]*//' | grep -v HEAD); do
  echo "=== Branch: $branch ==="
  git ls-tree -r --name-only "$branch" 2>/dev/null | grep -iE '\.(env|pem|key)$' || true
done
```

### 4.7 Checking Tags

```bash
# List all tags
git tag -l

# Check files in each tag
for tag in $(git tag -l); do
  echo "=== Tag: $tag ==="
  git ls-tree -r --name-only "$tag" 2>/dev/null | grep -iE '\.(env|pem|key)$' || true
done
```

---

## 5. Cleaning Git History

**WARNING**: Before cleaning history:

1. **Rotate all leaked credentials immediately** - cleaning history does NOT make secrets safe; assume anything pushed to a public remote has already been scraped
2. Create a backup of the repository
3. Notify all collaborators
4. Understand that this rewrites history and requires force push

### 5.1 Using git-filter-repo (Recommended)

**Installation**

```bash
# pip
pip install git-filter-repo

# Homebrew
brew install git-filter-repo

# Verify installation
git filter-repo --version
```

**Remove specific files**

git-filter-repo refuses to run on anything but a fresh clone unless you pass `--force`, and when it finishes it removes the `origin` remote so the rewrite cannot be pushed over the old history by accident. Work in a fresh clone, or use `--force` and re-add the remote before pushing.

```bash
# Create backup first
git clone --mirror . ../repo-backup-$(date +%Y%m%d)

# Remove a single file
git filter-repo --path .env --invert-paths

# Remove multiple files
git filter-repo --path .env --path .env.local --path credentials.json --invert-paths

# Remove by pattern (glob)
git filter-repo --path-glob '*.env' --invert-paths
git filter-repo --path-glob '*.pem' --invert-paths

# Remove by regex (anchor it, or ".envelope.py" goes too)
git filter-repo --path-regex '.*\.env(\..*)?$' --invert-paths
```

**Remove content by pattern**

```bash
# Replace text in all files (useful for removing specific secrets)
git filter-repo --replace-text expressions.txt

# Where expressions.txt contains:
# literal:sk-ant-api123abc==>[REDACTED]
# regex:AKIA[0-9A-Z]{16}==>[REDACTED_AWS_KEY]
```

**Remove entire directories**

```bash
git filter-repo --path secrets/ --invert-paths
git filter-repo --path config/credentials/ --invert-paths
```

### 5.2 Using BFG Repo-Cleaner

**Installation**

```bash
# Homebrew
brew install bfg

# Or download the JAR (then invoke it as: java -jar bfg.jar ...)
curl -L -o bfg.jar https://repo1.maven.org/maven2/com/madgag/bfg/1.14.0/bfg-1.14.0.jar
```

**Remove files by name**

BFG never modifies the latest commit on your branches (it treats the tip as the state you want to keep), so delete the file from the tip and commit that before running it; otherwise the file survives in HEAD.

```bash
# Clone a fresh mirror
git clone --mirror git@github.com:org/repo.git
cd repo.git

# Remove files by name (matches file names, not directory paths)
bfg --delete-files .env
bfg --delete-files "*.pem"
bfg --delete-files credentials.json

# Clean up
git reflog expire --expire=now --all
git gc --prune=now --aggressive
```

**Remove content by pattern**

```bash
# Create a file with strings to remove (one per line; each match becomes ***REMOVED*** by default)
echo "sk-ant-api123abc" > passwords.txt
echo "AKIAIOSFODNN7EXAMPLE" >> passwords.txt

# Replace matching content
bfg --replace-text passwords.txt

# Clean up
git reflog expire --expire=now --all
git gc --prune=now --aggressive
```

**Remove files by size**

```bash
# Remove files larger than 100M
bfg --strip-blobs-bigger-than 100M
```

### 5.3 Fresh Repository Approach

When history is too compromised, start fresh. This only helps if the old repository (and every fork and mirror of it) is deleted or made private as well:

```bash
# Create new repo with clean history
mkdir new-repo
cd new-repo
git init

# Copy current files (excluding secrets)
rsync -av --exclude='.git' --exclude='.env*' --exclude='*.pem' --exclude='*.key' ../old-repo/ .

# Create initial commit
git add .
git commit -m "Initial commit (clean history)"

# Push to new remote (or rename old one)
git remote add origin git@github.com:org/new-repo.git
git push -u origin main
```

### 5.4 Force Push After Cleaning

```bash
# After cleaning with git-filter-repo or BFG
git reflog expire --expire=now --all
git gc --prune=now --aggressive

# git-filter-repo removes the origin remote; re-add it before pushing
git remote add origin git@github.com:org/repo.git

# Force push ALL branches
git push origin --force --all

# Force push ALL tags
git push origin --force --tags
```

Branch protection rules that forbid force pushes have to be lifted for this. A force push replaces refs but deletes nothing on the server: the old commits remain fetchable by hash and through pull-request refs and forks until the hosting provider purges them (on GitHub that takes a support request), which is one more reason rotation comes first.

### 5.5 Notify Collaborators

All collaborators must re-clone or rebase:

```bash
# Option 1: Re-clone (safest)
rm -rf local-repo
git clone git@github.com:org/repo.git

# Option 2: Fetch and reset (advanced)
git fetch origin
git reset --hard origin/main
git clean -fd
```

Any local branch, stash or reflog entry from before the rewrite still holds the old commits, and pushing such a branch reintroduces the secret. Option 2 is only safe if every pre-rewrite branch is deleted too.

### 5.6 Verify Cleanup

Verify in a fresh clone, after the `reflog expire` and `gc` of section 5.4, because `git log --all` walks refs and says nothing about unreferenced objects still on disk:

```bash
# Verify file is gone from all history
git log --all --full-history -- .env
# Should return empty

# Verify content pattern is gone
git log -p --all -S 'your-secret-value' --source
# Should return empty

# Objects no ref points to stay on disk until pruned; this should print nothing
git fsck --unreachable --no-reflogs

# Run gitleaks again
gitleaks detect --source . --verbose
```

---

## 6. Git Hooks and Pre-Commit Hooks

### 6.1 git-secrets

**Installation and setup**

```bash
# Install
brew install git-secrets

# Install hooks in repository (hooks live in .git/hooks and are not cloned;
# every clone has to run this, or install them into a global template:
#   git secrets --install ~/.git-templates/git-secrets
#   git config --global init.templateDir ~/.git-templates/git-secrets)
git secrets --install

# Register AWS patterns
git secrets --register-aws

# Add custom patterns
git secrets --add 'sk-ant-[a-zA-Z0-9\-_]{40,}'
git secrets --add 'sk-[a-zA-Z0-9]{48}'
git secrets --add 'ghp_[A-Za-z0-9_]{36,}'
git secrets --add 'ANTHROPIC_API_KEY.*=.*sk-ant-'
git secrets --add 'OPENAI_API_KEY.*=.*sk-'

# Add allowed patterns (false positives)
git secrets --add --allowed 'sk-ant-example-key-not-real'
```

**Configuration file** (`.git/config` or global):

```gitconfig
[secrets]
	providers = git secrets --aws-provider
	patterns = sk-ant-[a-zA-Z0-9\\-_]{40,}
	patterns = sk-[a-zA-Z0-9]{48}
	patterns = ghp_[A-Za-z0-9_]{36,}
	allowed = example-api-key
```

### 6.2 gitleaks Pre-Commit Hook

**Using pre-commit framework**

```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.1
    hooks:
      - id: gitleaks
```

```bash
# Install pre-commit
pip install pre-commit

# Install hooks
pre-commit install
```

**Custom gitleaks configuration**

```toml
# .gitleaks.toml
title = "Gitleaks Custom Config"

# Without this block the rules below REPLACE gitleaks' built-in ruleset
# instead of adding to it.
[extend]
useDefault = true

[allowlist]
description = "Global allowlist"
paths = [
  '''\.env\.example$''',
  '''\.env\.template$''',
]

[[rules]]
id = "anthropic-api-key"
description = "Anthropic API Key"
regex = '''sk-ant-[a-zA-Z0-9\-_]{40,}'''
tags = ["key", "anthropic"]

[[rules]]
id = "openai-api-key"
description = "OpenAI API Key"
regex = '''sk-[a-zA-Z0-9]{48}'''
tags = ["key", "openai"]

[[rules]]
id = "generic-api-key"
description = "Generic API Key"
regex = '''(?i)(api[_-]?key|apikey)['":\s]*[=:]\s*['"][a-zA-Z0-9]{16,}['"]'''
tags = ["key", "generic"]

[[rules]]
id = "generic-password"
description = "Generic Password"
regex = '''(?i)(password|passwd|pwd)['":\s]*[=:]\s*['"][^'"]{4,}['"]'''
tags = ["password"]
```

### 6.3 detect-secrets

**Installation and baseline**

```bash
# Install
pip install detect-secrets

# Generate baseline
detect-secrets scan > .secrets.baseline

# Audit baseline (mark false positives)
detect-secrets audit .secrets.baseline

# Update baseline after the code changes (new findings are added unaudited)
detect-secrets scan --baseline .secrets.baseline
```

**Pre-commit hook**

```yaml
# .pre-commit-config.yaml
repos:
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets
        args: ['--baseline', '.secrets.baseline']
```

### 6.4 Husky (Node.js Projects)

**Installation**

```bash
# Install husky (v9+)
npm install --save-dev husky

# Initialize husky (creates .husky/ and the prepare script)
npx husky init
```

**Pre-commit hook for secrets**

```bash
# Create pre-commit hook. Husky v9 runs this file directly: the old
# "#!/bin/sh" + ". $(dirname "$0")/_/husky.sh" preamble is deprecated.
cat > .husky/pre-commit << 'EOF'
# Check for secrets with gitleaks
if command -v gitleaks >/dev/null 2>&1; then
  gitleaks protect --staged --verbose || { echo "Secrets detected! Commit blocked."; exit 1; }
fi

# Check for forbidden files (.env, .env.*, *.pem, *.key, credentials.json, secrets.*)
if git diff --cached --name-only --diff-filter=ACMR |
   grep -E '(^|/)(\.env(\..*)?|.*\.(pem|key)|credentials\.json|secrets\..*)$'; then
  echo "ERROR: Attempting to commit a forbidden file (listed above)"
  exit 1
fi

exit 0
EOF

chmod +x .husky/pre-commit
```

### 6.5 Custom Pre-Commit Hook Script

```bash
#!/bin/bash
# .git/hooks/pre-commit

RED='\033[0;31m'
YELLOW='\033[1;33m'
GREEN='\033[0;32m'
NC='\033[0m'

echo "Running secret detection..."

# Forbidden file patterns (shell globs, matched against each staged file's basename)
FORBIDDEN_FILES=(
  ".env"
  ".env.*"
  "*.env"
  "credentials.json"
  "*-credentials.json"
  "service-account*.json"
  "secrets.yml"
  "secrets.json"
  "*.pem"
  "*.key"
  "*.p12"
  "*.pfx"
  "id_rsa"
  "id_rsa.*"
  "id_ed25519"
  "id_ecdsa"
  ".npmrc"
  ".pypirc"
)

# Secret patterns to detect in content (extended regexes)
SECRET_PATTERNS=(
  "-----BEGIN.*PRIVATE KEY-----"
  "api[_-]?key.*[=:].*['\"][a-zA-Z0-9]{16,}['\"]"
  "password.*[=:].*['\"][^'\"]{4,}['\"]"
  "secret.*[=:].*['\"][a-zA-Z0-9]{16,}['\"]"
  "sk-ant-[a-zA-Z0-9\-_]{40,}"
  "sk-[a-zA-Z0-9]{48}"
  "AKIA[0-9A-Z]{16}"
  "ghp_[A-Za-z0-9_]{36,}"
  "xox[baprs]-[0-9]{10,}"
)

ERRORS=0

# Check for forbidden files (globs are matched with case, not passed to grep as regexes)
while IFS= read -r file; do
  for pattern in "${FORBIDDEN_FILES[@]}"; do
    # shellcheck disable=SC2254  # unquoted on purpose: glob match
    case "$(basename "$file")" in
      $pattern)
        echo -e "${RED}ERROR: Forbidden file pattern '$pattern' detected:${NC} $file"
        ERRORS=$((ERRORS + 1))
        break ;;
    esac
  done
done < <(git diff --cached --name-only --diff-filter=ACMR)

# Check for secret patterns in added lines only (skip the "+++ b/file" headers)
for pattern in "${SECRET_PATTERNS[@]}"; do
  matches=$(git diff --cached -U0 | grep -E '^\+[^+]' | grep -iE "$pattern" || true)
  if [ -n "$matches" ]; then
    echo -e "${YELLOW}WARNING: Possible secret detected (pattern: $pattern):${NC}"
    echo "$matches" | head -3
    ERRORS=$((ERRORS + 1))
  fi
done

# Run gitleaks if available (8.19+ renames this to: gitleaks git --pre-commit --staged)
if command -v gitleaks >/dev/null 2>&1; then
  gitleaks protect --staged --verbose --redact || ERRORS=$((ERRORS + 1))
fi

if [ "$ERRORS" -gt 0 ]; then
  echo ""
  echo -e "${RED}===============================================${NC}"
  echo -e "${RED}COMMIT BLOCKED: $ERRORS potential secret(s) found${NC}"
  echo -e "${RED}===============================================${NC}"
  echo ""
  echo "If these are false positives, you can:"
  echo "  1. Add to .gitleaks.toml allowlist"
  echo "  2. Use: git commit --no-verify (NOT RECOMMENDED)"
  echo ""
  exit 1
fi

echo -e "${GREEN}No secrets detected. Proceeding with commit.${NC}"
exit 0
```

```bash
# Make executable
chmod +x .git/hooks/pre-commit
```

---

## 7. CI/CD Integration

### 7.1 GitHub Actions

```yaml
# .github/workflows/secrets-scan.yml
name: Secret Scanning

on:
  push:
    branches: [main, master, develop]
  pull_request:
    branches: [main, master]

jobs:
  gitleaks:
    name: Gitleaks Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history; a shallow clone hides old commits

      - name: Run Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}  # required for organization repos, not personal ones

  trufflehog:
    name: TruffleHog Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Run TruffleHog
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          # No base/head: scan the whole history. Setting base to the default
          # branch fails on pushes to that branch (base and head are the same commit).
          extra_args: --only-verified   # drop this in a pre-release audit to also see unverified candidates

  detect-secrets:
    name: Detect Secrets
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.x'

      - name: Install detect-secrets
        run: pip install detect-secrets

      - name: Fail on secrets missing from the audited baseline
        run: |
          # `detect-secrets scan --baseline` only updates the baseline and never fails;
          # the hook entry point exits non-zero on new findings
          git ls-files -z | xargs -0 detect-secrets-hook --baseline .secrets.baseline
          detect-secrets audit --report .secrets.baseline
```

### 7.2 GitLab CI

```yaml
# .gitlab-ci.yml
stages:
  - security

gitleaks:
  stage: security
  image:
    name: zricethezav/gitleaks:latest
    entrypoint: [""]   # the image's entrypoint is gitleaks itself; clear it so `script` runs in a shell
  variables:
    GIT_DEPTH: 0       # full clone; GitLab's default shallow clone hides old commits
  script:
    - gitleaks detect --source . --verbose --report-format json --report-path gitleaks-report.json
  artifacts:
    paths:
      - gitleaks-report.json   # gitleaks JSON is not in GitLab's secret_detection report schema
    when: always
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'

secret_detection:
  stage: security
  image: registry.gitlab.com/gitlab-org/security-products/analyzers/secrets:latest
  script:
    - /analyzer run
  artifacts:
    reports:
      secret_detection: gl-secret-detection-report.json
```

### 7.3 CircleCI

```yaml
# .circleci/config.yml
version: 2.1

jobs:
  secret-scan:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - run:
          name: Install gitleaks
          command: |
            curl -sSfL https://github.com/gitleaks/gitleaks/releases/download/v8.18.1/gitleaks_8.18.1_linux_x64.tar.gz | tar xz
            sudo mv gitleaks /usr/local/bin/
      - run:
          name: Run gitleaks
          command: gitleaks detect --source . --verbose

workflows:
  security:
    jobs:
      - secret-scan
```

### 7.4 Jenkins

```groovy
// Jenkinsfile
pipeline {
    agent any

    stages {
        stage('Secret Scan') {
            steps {
                sh '''
                    # Install gitleaks if not present (POSIX sh: no "&>")
                    if ! command -v gitleaks >/dev/null 2>&1; then
                        curl -sSfL https://github.com/gitleaks/gitleaks/releases/download/v8.18.1/gitleaks_8.18.1_linux_x64.tar.gz | tar xz
                        mv gitleaks /usr/local/bin/
                    fi

                    # Run scan
                    gitleaks detect --source . --verbose --report-format json --report-path gitleaks-report.json
                '''
            }
            post {
                always {
                    archiveArtifacts artifacts: 'gitleaks-report.json', allowEmptyArchive: true
                }
            }
        }
    }
}
```

---

## 8. Checklist

### Pre-Open Source Checklist

```markdown
## File System Scan
- [ ] No .env files tracked in repository
- [ ] No credential files (*.pem, *.key, *.p12) tracked
- [ ] No service account JSON files tracked
- [ ] No .npmrc with auth tokens tracked
- [ ] .gitignore includes all sensitive patterns

## Code Scan
- [ ] No hardcoded API keys in source files
- [ ] No hardcoded passwords in source files
- [ ] No hardcoded connection strings with credentials
- [ ] No private keys embedded in code
- [ ] No personal information (emails, names) in comments

## Git History Scan
- [ ] Ran gitleaks on full history
- [ ] No sensitive files ever committed (including deleted)
- [ ] No secrets in any branch or tag
- [ ] Checked merge commits for leaks
- [ ] Checked stashes for sensitive data

## Configuration
- [ ] .env.example exists with placeholder values
- [ ] README documents required environment variables
- [ ] No default credentials in config files
- [ ] Database seeds use fake data

## Prevention Setup
- [ ] Pre-commit hooks installed (gitleaks or git-secrets)
- [ ] .gitleaks.toml configured for project
- [ ] CI/CD secret scanning enabled
- [ ] Team trained on secret hygiene

## Credential Rotation
- [ ] All previously leaked credentials rotated
- [ ] New credentials generated for open source version
- [ ] Access logs reviewed for unauthorized usage
```

### Emergency Response Checklist

```markdown
## Immediate Actions (within minutes)
- [ ] Rotate compromised credential immediately
- [ ] Revoke access tokens
- [ ] Change affected passwords
- [ ] Disable exposed API keys

## Investigation (within hours)
- [ ] Check access logs for unauthorized usage
- [ ] Identify scope of exposure (which commits, branches)
- [ ] Determine if credential was scraped by bots
- [ ] Check for unusual account activity

## Remediation (within a day)
- [ ] Clean git history using git-filter-repo or BFG
- [ ] Force push cleaned history
- [ ] Notify all collaborators to re-clone
- [ ] Update .gitignore to prevent recurrence
- [ ] Set up pre-commit hooks

## Documentation
- [ ] Document incident timeline
- [ ] Document affected systems
- [ ] Document remediation steps taken
- [ ] Update security procedures
```

---

## 9. Output Format

### Scan Report Template

````markdown
# Security Scan Report

**Repository**: [repo-name]
**Scan Date**: [YYYY-MM-DD HH:MM]
**Scanned By**: [tool/person]

## Summary

| Category | Status | Count |
|----------|--------|-------|
| Sensitive Files (Current) | [PASS/FAIL] | [N] |
| Sensitive Files (History) | [PASS/FAIL] | [N] |
| Hardcoded Secrets | [PASS/FAIL] | [N] |
| .gitignore Coverage | [PASS/FAIL] | [N] missing |

## Findings

### Critical (Immediate Action Required)

| File/Location | Type | Details | Commit |
|---------------|------|---------|--------|
| .env | Environment File | Tracked in repo | abc1234 |
| src/config.ts:42 | API Key | OpenAI key detected | def5678 |

### Warning (Review Required)

| File/Location | Type | Details | Commit |
|---------------|------|---------|--------|
| config/db.yml | Connection String | May contain password | - |

### Info (False Positives / Reviewed)

| File/Location | Type | Details | Status |
|---------------|------|---------|--------|
| .env.example | Example File | Contains placeholders | OK |

## Recommendations

1. **URGENT**: Rotate OpenAI API key immediately
2. **HIGH**: Remove .env from git history using git-filter-repo
3. **MEDIUM**: Add missing patterns to .gitignore
4. **LOW**: Set up pre-commit hooks for ongoing protection

## Commands to Execute

```bash
# Step 1: Create backup
git clone --mirror . ../repo-backup-$(date +%Y%m%d)

# Step 2: Remove sensitive files from history
git filter-repo --path .env --invert-paths

# Step 3: Update .gitignore
echo ".env" >> .gitignore
echo "*.pem" >> .gitignore

# Step 4: Force push
git push origin --force --all
```
````

---

## 10. Best Practices

### Development Workflow

1. **Never commit secrets** - Use environment variables
2. **Use .env.example** - Document required variables without values
3. **Git hooks from day one** - Install pre-commit hooks immediately
4. **Regular audits** - Run gitleaks weekly in CI/CD
5. **Principle of least privilege** - Use separate keys for dev/staging/prod

### Environment Variable Management

```bash
# .env.example (safe to commit)
DATABASE_URL=postgresql://user:password@localhost:5432/mydb
OPENAI_API_KEY=your_openai_key_here
STRIPE_SECRET_KEY=your_stripe_key_here

# .env (NEVER commit)
DATABASE_URL=postgresql://realuser:[email protected]:5432/proddb
OPENAI_API_KEY=sk-abc123...
STRIPE_SECRET_KEY=sk_live_abc123...
```

### Secret Management Tools

For production applications, use dedicated secret management:

- **AWS Secrets Manager**
- **HashiCorp Vault**
- **Google Secret Manager**
- **Azure Key Vault**
- **Doppler**
- **1Password Secrets Automation**

### Team Training

1. Educate team on risks of committed secrets
2. Establish code review checklist for secrets
3. Create incident response procedures
4. Regular security awareness sessions
5. Maintain up-to-date .gitignore templates

### Gitignore Template

```gitignore
# Environment files
.env
.env.*
*.env
.envrc
!.env.example
!.env.template

# Credentials
credentials.json
*-credentials.json
service-account*.json
secrets.yml
secrets.json
*.secret
api_keys.*
auth.json

# Private keys
*.pem
*.key
*.p12
*.pfx
id_rsa
id_rsa.*
id_ed25519
id_ed25519.*
id_ecdsa
id_ecdsa.*
*.keystore
*.jks

# Cloud provider
.aws/
.gcp/
.azure/
kubeconfig
.kube/

# Package manager auth
.npmrc
.yarnrc.yml
.pypirc
.gem/credentials
.docker/config.json

# IDE (may contain secrets)
.idea/
.vscode/settings.json
*.sublime-workspace

# Logs (may contain secrets)
*.log
logs/

# Database
*.sql
!schema.sql
!migrations/*.sql

# OS files
.DS_Store
Thumbs.db
```

---

## Quick Reference Commands

```bash
# === SCANNING ===
# Quick file scan
find . -name ".env*" -o -name "*.pem" -o -name "*.key" | grep -v node_modules

# Quick history scan
git log --all --pretty=format: --name-only --diff-filter=A | sort -u | grep -iE 'env|secret|credential|key'

# Full gitleaks scan
gitleaks detect --source . --verbose

# === CLEANING ===
# Remove file from history
git filter-repo --path .env --invert-paths --force

# Force push after clean
git push origin --force --all

# === PREVENTION ===
# Install git-secrets
brew install git-secrets && git secrets --install && git secrets --register-aws

# Install gitleaks pre-commit
cat > .pre-commit-config.yaml << EOF
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.1
    hooks:
      - id: gitleaks
EOF
pre-commit install
```

---

**Remember**: Removing secrets from git history does NOT make them safe. Always rotate leaked credentials immediately. Cleaning history is for compliance and reducing exposure, not security.

Source: https://github.com/shipshitdev/library/blob/HEAD/skills/open-source-checker/SKILL.md
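The script below is an added example; it is not part of the original guide or of the skill's own code. It builds a throwaway repository from constructed demo data (the secret value is fake) in which a secret leaks through a tag, a side branch and a stash, enumerates every ref the way sections 4.5 to 4.7 do but with a single `for-each-ref` pass plus the stash list, and then demonstrates the point behind sections 5.4 to 5.6: deleting the leaking refs and rewriting the branch (a plain `git reset --hard` stands in for git-filter-repo or BFG, which leave the object store in the same state) does not remove the secret blobs from disk until `git reflog expire` and `git gc --prune=now` run. The function names (`list_sensitive_paths`, `count_blobs_with`, `make_demo_repo`, `drop_leaking_refs`, `purge_unreachable`) and the sensitive-path regex are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original guide: find secret-bearing paths in
# every ref, then show that deleting refs is not the same as deleting objects.
set -eu

# Constructed demo secret; not a real credential.
DEMO_SECRET='STRIPE_SECRET_KEY=sk_test_demo_0000000000000000'

# Path classes treated as sensitive (same classes as the guide's checklist).
SENSITIVE_RE='(^|/)(\.env(\..*)?|.*\.(pem|key|p12|pfx)|credentials\.json|id_(rsa|ed25519|ecdsa))$'

# Print "<ref> <path>" for every tracked path matching SENSITIVE_RE in every
# branch, tag, remote-tracking branch and stash entry of the repo at $1.
list_sensitive_paths() {
  {
    git -C "$1" for-each-ref --format='%(refname:short) %(objectname)' refs/heads refs/tags refs/remotes
    git -C "$1" stash list --format='%gd %H'     # stash@{N} <commit>
  } | while read -r name commit; do
    git -C "$1" ls-tree -r --name-only "$commit" | grep -E -- "$SENSITIVE_RE" | sed "s|^|$name |" || true
  done
}

# Count blobs anywhere in the object database of $1, reachable or not, that
# contain the string $2. This is what a scanner of the raw .git directory sees.
count_blobs_with() {
  git -C "$1" cat-file --batch-all-objects --batch-check='%(objectname) %(objecttype)' |
    awk '$2 == "blob" { print $1 }' |
    while read -r oid; do
      if git -C "$1" cat-file -p "$oid" | grep -q -F -- "$2"; then echo "$oid"; fi
    done | wc -l | tr -d ' '
}

# Build a throwaway repo: the secret is committed in .env, pinned by a tag,
# "deleted" again by a later commit, and also sits in a stash; a side branch
# carries a .pem file. All content is constructed demo data.
make_demo_repo() {
  repo=$(mktemp -d)
  (
    cd "$repo"
    git init -q
    git config user.name demo
    git config user.email demo@example.com
    git config commit.gpgsign false
    echo '# demo' > README.md && git add README.md && git commit -q -m 'initial'
    echo "$DEMO_SECRET" > .env && git add .env && git commit -q -m 'add config'
    git tag v1.0                                   # tag keeps the leaking commit alive
    git checkout -q -b feature
    echo 'not a real key' > server.pem && git add server.pem && git commit -q -m 'tls'
    git checkout -q -                              # back to the initial branch
    git rm -q .env && git commit -q -m 'remove .env'   # "deleted", still in history
    printf 'token=%s\n' "$DEMO_SECRET" > config.key && git add config.key && git stash -q
  ) >/dev/null
  echo "$repo"
}

# Delete the leaking refs and rewrite the branch to before the leak. The reset
# is the simplest possible history rewrite; filter-repo/BFG leave the same
# orphaned objects behind.
drop_leaking_refs() {
  git -C "$1" tag -d v1.0 >/dev/null
  git -C "$1" branch -q -D feature
  git -C "$1" stash drop -q
  git -C "$1" reset -q --hard HEAD~2
  rm -f "$1/.git/ORIG_HEAD"
}

# Section 5.4's cleanup: expire every reflog, then prune unreachable objects.
purge_unreachable() {
  git -C "$1" reflog expire --expire=now --all
  git -C "$1" gc -q --prune=now
}

demo() {
  repo=$(make_demo_repo)
  echo '--- sensitive paths by ref ---'
  list_sensitive_paths "$repo"
  echo "blobs holding the secret before cleanup: $(count_blobs_with "$repo" "$DEMO_SECRET")"
  drop_leaking_refs "$repo"
  echo "after deleting refs and rewriting main:  $(count_blobs_with "$repo" "$DEMO_SECRET")"
  purge_unreachable "$repo"
  echo "after reflog expire + gc --prune=now:    $(count_blobs_with "$repo" "$DEMO_SECRET")"
  rm -rf "$repo"
}
demo
```

The ref listing reports `feature server.pem`, `v1.0 .env` and `stash@{0} config.key` while the initial branch, whose tip no longer tracks `.env`, reports nothing; that is exactly the case the per-branch scan of section 4.6 misses. The blob count stays at 2 after the refs are gone and only drops to 0 after the expire-and-prune step, which is why section 5.6 asks you to verify in a fresh clone after that step rather than trusting `git log --all`.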
