playbooks

home / skills / shipshitdev / library / git-safety

git-safety skill

/bundles/github/skills/git-safety

This skill scans git history for secrets, cleans leaked files, and sets up prevention to protect your repository.

npx playbooks add skill shipshitdev/library --skill git-safety

Review the files below or copy the command above to add this skill to your agents.

Files (3)
SKILL.md
2.1 KB
---
name: git-safety
description: Scan git history for sensitive files, clean leaked credentials, and set up prevention measures. Use when asked to "check for secrets", "scan git history", "remove .env from history", "secure my repo", or "clean sensitive files".
---

# Git Safety Skill

Comprehensive security scanning, cleaning, and prevention for git repositories.

## CRITICAL WARNING

**Removing secrets from git history does NOT make them safe!**

Even after cleaning git history:

- GitHub is scraped by bots within seconds of a push
- Archive services may have captured snapshots
- Forks retain the original history
- CI/CD logs may contain the values

**ALWAYS rotate leaked credentials immediately.** Cleaning history is NOT enough.

## Modes of Operation

### 1. `/git-safety scan` - Detect Sensitive Files

Scan repository for sensitive files in current state and git history.

### 2. `/git-safety clean` - Remove from History

Remove sensitive files using git-filter-repo or BFG.

### 3. `/git-safety prevent` - Set Up Prevention

Configure .gitignore and pre-commit hooks.

### 4. `/git-safety full` - Complete Audit

Run all three operations in sequence.

## Sensitive File Patterns

```
.env, .env.*, credentials.json, service-account*.json
*.pem, *.key, id_rsa*, secrets.*, .npmrc, *.secret
```

## Quick Commands

**Scan for sensitive files in history:**

```bash
git log --all --pretty=format: --name-only --diff-filter=A | sort -u | grep -iE 'env|secret|credential|key'
```

**Remove .env from all history:**

```bash
git filter-repo --path .env --invert-paths --force
git push origin --force --all
```

**Add to .gitignore:**

```bash
echo -e "\n.env\n.env.*\n*.pem\n*.key\ncredentials.json" >> .gitignore
```

## Emergency Response

If you've leaked credentials:

1. **IMMEDIATELY rotate the credential**
2. Check access logs
3. Run `/git-safety clean`
4. Force push cleaned history
5. Notify team to re-clone
6. Update .gitignore
7. Set up pre-commit hooks

---

**For complete scan commands, cleaning process with git-filter-repo/BFG, pre-commit hook setup, .gitignore templates, platform-specific guidance, and detailed emergency checklist, see:** `references/full-guide.md`

Overview

This skill scans git repositories for sensitive files, removes leaked secrets from history, and sets up preventative measures to reduce future leaks. It bundles detection, history-rewriting cleanups, and repository hygiene automation into a single workflow. Use it as an audit tool or during incident response to help contain exposures.

How this skill works

The skill inspects the current working tree and full git history for known sensitive filename patterns and additions. It can run history-rewriting tools (git-filter-repo or BFG) to remove files from past commits and then helps force-push cleaned branches. It also generates .gitignore entries and pre-commit hooks to prevent reintroducing secrets.

When to use it

  • When you want to check a repo for leaked secrets or sensitive files
  • If you discover credentials or .env files committed to a branch
  • As part of a post-incident cleanup after a credential leak
  • When onboarding a repo and you want to harden its history
  • Before making a repository public or handing it to external teams

Best practices

  • Always rotate leaked credentials immediately — rewriting history is not sufficient
  • Scan both the current tree and the full commit history, including forks and mirrors
  • Force-push cleaned branches only after coordinating the team and instructing a fresh clone
  • Add sensitive patterns to .gitignore and install pre-commit secret scanners
  • Keep a tested recovery plan: backups, CI credential audits, and access log checks

Example use cases

  • Scan a repository for patterns like .env, *.pem, credentials.json and list matching commits
  • Remove .env from all commits using git-filter-repo and force-push cleaned branches
  • Set up a pre-commit hook to block commits containing private keys or API tokens
  • Run a full audit sequence: scan, clean history, update .gitignore, and enforce hooks
  • Emergency workflow: rotate compromised keys, clean history, notify team, and re-clone

FAQ

Does removing a secret from git history make it safe?

No. History rewriting helps remove exposure from the repository, but you must rotate credentials because bots, mirrors, forks, and logs may have already captured values.

Which tool should I use to remove files from history?

git-filter-repo is recommended for robust rewriting; BFG is an alternative that is simpler for common cases. Both require careful use and a coordinated force-push.

What steps do team members need to take after a history rewrite?

Everyone must fetch the new history, re-clone or reset local branches, and avoid pushing old references. Communicate the change and provide explicit re-clone instructions.