SkillHub
SkillHubagent skills marketplace
Menu
All SkillsStacksKOLHotRankings
Sign inGet Pro
Back to skills
SkillHub ClubShip Full StackFull StackBackend

doro-git-secrets-scanner

Git 安全扫描器 - 检查提交中的敏感信息泄露(API keys、密码、token)

Packaged view

This page reorganizes the original catalog entry around fit, installability, and workflow context first. The original raw source lives below.

Stars
3,070
Hot score
99
Updated
March 20, 2026
Overall rating
C4.6
Composite score
4.6
Best-practice grade
B75.1

Install command

npx @skill-hub/cli install openclaw-skills-doro-git-secrets-scanner

Repository

openclaw/skills

Skill path: skills/a2mus/doro-git-secrets-scanner

Git 安全扫描器 - 检查提交中的敏感信息泄露(API keys、密码、token)

Open repository

Best for

Primary workflow: Ship Full Stack.

Technical facets: Full Stack, Backend.

Target audience: everyone.

License: Unknown.

Original source

Catalog source: SkillHub Club.

Repository owner: openclaw.

This is still a mirrored public skill entry. Review the repository before installing into production workflows.

What it helps with

  • Install doro-git-secrets-scanner into Claude Code, Codex CLI, Gemini CLI, or OpenCode workflows
  • Review https://github.com/openclaw/skills before adding doro-git-secrets-scanner to shared team environments
  • Use doro-git-secrets-scanner for development workflows

Works across

Claude CodeCodex CLIGemini CLIOpenCode

Favorites: 0.

Sub-skills: 0.

Aggregator: No.

Original source / Raw SKILL.md

---
name: doro-git-secrets-scanner
description: Git 安全扫描器 - 检查提交中的敏感信息泄露(API keys、密码、token)
version: 1.0.0
metadata:
  openclaw:
    emoji: "🔒"
    category: "security"
    tags: ["security", "git", "secrets", "scanner", "gitleaks", "trufflehog"]
    requires:
      bins: ["git"]
---

# Git 安全扫描器

检查提交中的敏感信息泄露。

## 工具对比

| 工具 | Stars | 特点 |
|------|-------|------|
| **Gitleaks** | 24,958 | 最流行,Go 编写,快速 |
| **TruffleHog** | 24,612 | 验证 secrets,支持多种格式 |
| **git-secrets** | 13,173 | AWS 官方,pre-commit hook |

## 安装

### Gitleaks(推荐)

```bash
# macOS
brew install gitleaks

# Linux
# 从 https://github.com/gitleaks/gitleaks/releases 下载

# 或使用 Go
go install github.com/gitleaks/gitleaks/v8@latest
```

### TruffleHog

```bash
# macOS
brew install trufflehog

# Linux
# 从 https://github.com/trufflesecurity/trufflehog/releases 下载

# 或使用 Docker
docker pull trufflesecurity/trufflehog:latest
```

### git-secrets

```bash
# macOS
brew install git-secrets

# Linux
git clone https://github.com/awslabs/git-secrets.git
cd git-secrets
sudo make install
```

## 使用方法

### 1. 扫描当前仓库

```bash
# Gitleaks
gitleaks detect --source . -v

# TruffleHog
trufflehog git file://. --only-verified

# git-secrets(需要先设置 hook)
git secrets --scan-history
```

### 2. 扫描特定提交

```bash
# Gitleaks
gitleaks detect --source . --log-opts="HEAD~1..HEAD"

# TruffleHog
trufflehog git file://. --commit=HEAD
```

### 3. 扫描所有历史

```bash
# Gitleaks
gitleaks detect --source . --log-opts="--all"

# TruffleHog
trufflehog git file://. --no-deletion
```

### 4. 设置 pre-commit hook

```bash
# git-secrets
cd your-repo
git secrets --install
git secrets --register-aws
```

### 5. CI/CD 集成

```yaml
# .github/workflows/security.yml
name: Security Scan
on: [push, pull_request]

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

## 检测的内容

### API Keys
- AWS Access Keys
- GitHub Tokens
- Slack Tokens
- Stripe Keys
- Moltbook API Keys ✨

### 密码
- 数据库密码
- SMTP 密码
- SSH 密钥

### Token
- OAuth Tokens
- JWT Tokens
- Bearer Tokens

### 其他
- 私钥
- 证书
- .env 文件

## 输出示例

```
Finding:     moltbook_sk_jX64MWE_yirqMSihBqb2B7slL64EygBt
Secret:      moltbook_sk_jX64MWE_yirqMSihBqb2B7slL64EygBt
RuleID:      generic-api-key
Entropy:     4.562345
File:        memory/moltbook-art-of-focus-post.md
Line:        45
Commit:      abc1234
Author:      [email protected]
Date:        2026-02-19T03:11:00Z
Fingerprint: abc123...
```

## 最佳实践

### 1. 提交前扫描

```bash
# 添加到 .git/hooks/pre-commit
#!/bin/bash
gitleaks protect --staged
```

### 2. 定期扫描

```bash
# 每周扫描
crontab -e
0 0 * * 0 cd /path/to/repo && gitleaks detect --source .
```

### 3. 扫描多个仓库

```bash
#!/bin/bash
for repo in ~/projects/*; do
  echo "Scanning $repo..."
  gitleaks detect --source "$repo" -v
done
```

## 修复泄露的 Secret

如果发现泄露:

1. **立即撤销** - 重新生成 API key
2. **删除历史** - 从 git 历史中删除敏感信息
3. **强制推送** - `git push --force`(谨慎使用)
4. **通知团队** - 告知其他开发者

### 使用 BFG 清理历史

```bash
# 安装 BFG
brew install bfg

# 清理敏感文件
bfg --delete-files .env

# 清理敏感字符串
bfg --replace-text passwords.txt

# 强制推送
git push --force
```

## 配置文件

### .gitleaks.toml

```toml
title = "Custom Gitleaks Config"

[extend]
useDefault = true

[[rules]]
id = "moltbook-api-key"
description = "Moltbook API Key"
regex = '''moltbook_sk_[a-zA-Z0-9]{32}'''
tags = ["api-key", "moltbook"]

[allowlist]
paths = [
  '''example\.txt''',
  '''test/.*'''
]
```

## 注意事项

1. **False Positives** - 扫描器可能误报
2. **熵值** - 高熵值可能是敏感信息
3. **上下文** - 检查是否真的敏感
4. **验证** - TruffleHog 可以验证 secret 是否有效

---

*版本: 1.0.0*
*工具: Gitleaks, TruffleHog, git-secrets*


---

## Skill Companion Files

> Additional files collected from the skill directory layout.

### _meta.json

```json
{
  "owner": "a2mus",
  "slug": "doro-git-secrets-scanner",
  "displayName": "Doro Git Secrets Scanner",
  "latest": {
    "version": "1.0.0",
    "publishedAt": 1772001803473,
    "commit": "https://github.com/openclaw/skills/commit/7243fadffee22bdb2da7783166ddf4be7a897227"
  },
  "history": []
}

```