From shipshitdev-library
Scans git repos for leaked secrets, rewrites history to remove them using git-filter-repo/BFG, and configures .gitignore and pre-commit hooks. Activate for security audits or scrubbing credentials.
How this skill is triggered — by the user, by Claude, or both
Slash command
/shipshitdev-library:git-safetyThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Inputs:
Inputs:
Outputs:
Creates/Modifies:
.gitignore and optional hook updatesExternal Side Effects:
Confirmation Required:
Delegates To:
security-audit for broader application-security reviewopen-source-checker before publishing a private repoRemoving secrets from git history does NOT make them safe!
Even after cleaning git history:
ALWAYS rotate leaked credentials immediately. Cleaning history is NOT enough.
/git-safety scan - Detect Sensitive FilesScan repository for sensitive files in current state and git history.
/git-safety clean - Remove from HistoryRemove sensitive files using git-filter-repo or BFG.
/git-safety prevent - Set Up PreventionConfigure .gitignore and pre-commit hooks.
/git-safety full - Complete AuditRun all three operations in sequence.
.env, .env.*, credentials.json, service-account*.json
*.pem, *.key, id_rsa*, secrets.*, .npmrc, *.secret
Scan for sensitive files in history:
git log --all --pretty=format: --name-only --diff-filter=A | sort -u | grep -iE 'env|secret|credential|key'
Remove .env from all history:
git filter-repo --path .env --invert-paths --force
git push origin --force --all
Add to .gitignore:
echo -e "\n.env\n.env.*\n*.pem\n*.key\ncredentials.json" >> .gitignore
If you've leaked credentials:
/git-safety cleanFor complete scan commands, cleaning process with git-filter-repo/BFG, pre-commit hook setup, .gitignore templates, platform-specific guidance, and detailed emergency checklist, see: references/full-guide.md
npx claudepluginhub shipshitdev/skillsScan and remove secrets, API keys, PII from GitHub repo history with safety checks, backups, and verification.
Runs gitleaks scans for secret detection, validates configurations, and integrates with pre-commit hooks to prevent credential leaks in Git repos.
Scans git repositories for sensitive data including credentials, API keys, and PII. Supports full-scan and --diff mode for pre-commit checks.