playbooks

home / skills / shipshitdev / library / open-source-checker

open-source-checker skill

/bundles/workspace/skills/open-source-checker

This skill helps you detect private information, secrets, and sensitive data in codebases before open sourcing, ensuring secure releases.

npx playbooks add skill shipshitdev/library --skill open-source-checker

Review the files below or copy the command above to add this skill to your agents.

Files (3)
SKILL.md
1.6 KB
---
name: open-source-checker
description: Expert in detecting private information, secrets, API keys, credentials, and sensitive data in codebases before open sourcing
---

# Open Source Checker

Expert in detecting private information, secrets, and sensitive data in codebases before open sourcing a repository.

## When to Use This Skill

Use when you're:

- Preparing to open source a repository
- Reviewing code for exposed secrets
- Auditing codebase for sensitive data
- Performing security audits before public release
- Setting up pre-commit hooks for secret detection

## What to Check

### Critical Items

- API keys (OpenAI, Stripe, AWS, GitHub tokens)
- Database credentials and connection strings
- Private keys and certificates (`.pem`, `.key`)
- Personal information (emails, phone numbers)
- Environment files (`.env` should be gitignored)

### Git History (CRITICAL)

- Secrets remain in git history even after deletion
- Must scan all branches, tags, and deleted files
- Use `gitleaks`, `truffleHog`, or `git-secrets`

## Quick Workflow

1. **File scan**: Check for secret files, patterns
2. **Code analysis**: Search for hardcoded secrets
3. **Git history**: Scan entire history with tools
4. **Setup hooks**: Prevent future commits with secrets
5. **Clean history**: Use `git-filter-repo` if needed

## Tools

- `gitleaks`: Best for git history scanning
- `truffleHog`: Alternative history scanner
- `git-secrets`: AWS-focused with pre-commit hooks
- `detect-secrets`: Baseline-based detection

## References

- [Full guide: Patterns, scanning workflow, git hooks, cleanup](references/full-guide.md)

Overview

This skill detects private information, secrets, API keys, credentials, and other sensitive data in codebases before a repository is made public. It focuses on both current files and git history to prevent accidental exposure. The goal is to help developers find and remediate secrets quickly and integrate prevention into their workflow.

How this skill works

The skill scans files for common secret patterns and known secret file names, performs targeted code analysis to locate hardcoded credentials, and examines git history across branches and tags to catch removed or rotated secrets. It recommends and integrates proven CLI tools for deep history scanning and provides steps for cleanup and preventive hooks.

When to use it

  • Preparing to open source a repository or share code publicly
  • Performing pre-release security audits or code reviews
  • Setting up pre-commit or CI checks to block secrets
  • Conducting compliance checks for exposed credentials
  • Cleaning a repo after discovering leaked keys or certificates

Best practices

  • Scan both working tree and full git history, including branches and tags
  • Treat .env, .pem, .key, and config files as sensitive and gitignore them
  • Use baseline-based detection to reduce false positives and tune rules
  • Install pre-commit hooks to block secrets at commit time
  • If a secret is found, rotate credentials immediately and scrub history using git-filter-repo

Example use cases

  • Run a pre-release scan to ensure no API keys or DB credentials are exposed
  • Audit a forked project for accidentally committed personal data before publishing
  • Integrate gitleaks or detect-secrets into CI to fail builds on detected secrets
  • Clean a repository that previously contained a private certificate using history rewrite
  • Set up git-secrets to block AWS keys from entering commits

FAQ

Why scan git history and not just current files?

Secrets can remain in commits, branches, or tags even after deletion; scanning history ensures removed or rotated credentials are not recoverable from the repo.

Which tool should I start with?

Start with gitleaks for a broad history scan and detect-secrets for baseline-based, tunable file scanning; add git-secrets or pre-commit hooks for ongoing prevention.

What if I find a leaked secret?

Immediately rotate or revoke the credential, remove it from the repository history with a history-rewriting tool, and force-push the cleaned branches while notifying affected parties.