Agent skill

security-leak-guardrails

Sets up secret-leak prevention guardrails with forbidden path checks, gitleaks config, CI secret scanning, and dependency updates. Use when hardening repos against credential leaks or when adding gitleaks, trufflehog, git hooks, or security checks.

Stars 37
Forks 4

Install this agent skill to your Project

npx add-skill https://github.com/regenrek/agent-skills/tree/main/skills/security-leak-guardrails

SKILL.md

Security Leak Guardrails

Reusable workflow for preventing secrets from entering git and for continuously scanning a repo for leaks.

Quick start

  1. Inventory existing security tooling (gitleaks/trufflehog, hooks, workflows, dependabot).
  2. Add forbidden-path checks and the hook script.
  3. Add gitleaks config and a local security check script.
  4. Add CI secret scanning and Dependabot.
  5. Update .gitignore and document the policy.

Workflow

Step 1: Inventory

  • Check for existing .gitleaks.toml, .github/workflows/secret, dependabot.yml, and hook tooling.
  • If the repo already uses hooks (husky/lefthook/pre-commit), integrate instead of replacing.

Step 2: Forbidden paths + hook

  • Add .forbidden-paths.regex and keep it strict: every pattern names a credential file or runtime-state path, and no entry or exemption in the file may let a path that could hold a real secret through.
  • Add scripts/hooks/block-forbidden-staged-files.mjs, which matches the staged file list against those patterns and fails the commit on any hit.
  • If the repo is Node-based, add lefthook.yml and a prepare script in package.json so the hooks are installed on npm install instead of relying on each contributor to run an install step.
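A complete version of the hook described in this step, written here as an added example rather than the skill's own scripts/hooks/block-forbidden-staged-files.mjs. It assumes the pattern file is .forbidden-paths.regex at the repository root with one JavaScript regex per line (blank lines and # comments ignored); the SAMPLE_PATTERNS constant is a constructed illustration of such a file, not the skill's template. The script fails closed: if it cannot read the pattern file or list the index, it exits 2 rather than letting the commit through.

```javascript
// scripts/hooks/block-forbidden-staged-files.mjs
// Added example for this skill (not the skill's own script). Assumptions:
// patterns live in .forbidden-paths.regex at the repository root, one regex
// per line; blank lines and lines starting with '#' are ignored.
// Exit status: 0 = nothing forbidden, 1 = forbidden path(s) staged,
// 2 = could not determine the staged files (fail closed, never fail open).

const PATTERN_FILE = '.forbidden-paths.regex';

// Constructed sample of what .forbidden-paths.regex might contain.
// .env.example / .env.sample are deliberately NOT blocked: they are templates.
const SAMPLE_PATTERNS = `
# credential files and private keys
(^|/)\\.env(\\.(?!example$|sample$)[^/]+)?$
(^|/)[^/]*\\.(pem|key|p12|pfx|jks)$
(^|/)id_(rsa|ecdsa|ed25519)$
# cloud and infrastructure state that embeds credentials
(^|/)\\.aws/credentials$
(^|/)kubeconfig(\\.ya?ml)?$
(^|/)[^/]*\\.tfstate(\\.backup)?$
# runtime state directories
(^|/)(\\.terraform|\\.runtime)/
`;

// Parse the pattern file into compiled regexes. Case-insensitive on purpose:
// a staged `.ENV` is just as much a secret as `.env`.
function parsePatterns(text) {
  return text
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith('#'))
    .map((line) => new RegExp(line, 'i'));
}

// Return the staged paths that match any pattern. Backslashes are normalised
// to '/' first so a Windows checkout is judged by the same rules.
function findForbidden(stagedPaths, patterns) {
  return stagedPaths
    .map((p) => p.replace(/\\/g, '/'))
    .filter((p) => patterns.some((re) => re.test(p)));
}

// Ask git for the index contents. -z gives NUL separators so paths containing
// spaces or newlines survive; ACMR excludes deletions (removing a committed
// .env must stay allowed).
async function stagedFiles() {
  const { execFileSync } = await import('node:child_process');
  const out = execFileSync(
    'git',
    ['diff', '--cached', '--name-only', '-z', '--diff-filter=ACMR'],
    { encoding: 'utf8' },
  );
  return out.split('\0').filter(Boolean);
}

async function main() {
  const { readFileSync } = await import('node:fs');
  let patterns;
  let staged;
  try {
    patterns = parsePatterns(readFileSync(PATTERN_FILE, 'utf8'));
    staged = await stagedFiles();
  } catch (err) {
    // Fail closed: an unreadable policy or a git error must not pass the hook.
    console.error(`block-forbidden-staged-files: ${err.message}`);
    return 2;
  }
  const hits = findForbidden(staged, patterns);
  if (hits.length === 0) return 0;
  console.error('Refusing to commit forbidden paths:');
  for (const hit of hits) console.error(`  ${hit}`);
  console.error(`Unstage them (git rm --cached <path>) or fix ${PATTERN_FILE}.`);
  return 1;
}

// Run as a hook only when executed under the script's own file name; loading
// the file from a test just defines the helpers above.
if (process.argv[1] && process.argv[1].endsWith('block-forbidden-staged-files.mjs')) {
  main().then((code) => process.exit(code));
}
```

Wire it in lefthook.yml as a pre-commit command (run: node scripts/hooks/block-forbidden-staged-files.mjs) and add "prepare": "lefthook install" to package.json so the hook is installed by npm install. The hook judges paths only; file contents are gitleaks' job in the next step. A committer can bypass any hook with --no-verify, which is why the CI scan in step 5 is not optional.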

Step 3: Gitleaks

  • Add .gitleaks.toml with path-based allowlists only for test fixtures: allowlist by path, never by a secret's value or by a regex broad enough to mask a real finding, and keep the fixture credentials fake by construction.
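An example .gitleaks.toml that follows this rule, added here rather than taken from the skill's reference.md; the fixture locations under tests/fixtures/ are assumptions.

```toml
# .gitleaks.toml (added example, not the skill's template)
title = "repo secret-scanning policy"

# Start from the built-in rule set and only narrow it; never replace it.
[extend]
useDefault = true

# Allowlist by PATH only. A path entry cannot leak anything; a value entry
# would document the very secret it hides. Every path here must point at
# fixtures that are fake by construction (throwaway keys generated for tests).
[allowlist]
description = "Test fixtures with intentionally fake credentials"
paths = [
  '''^tests/fixtures/fake-keys/.*\.pem$''',
  '''^tests/fixtures/sample\.env$''',
]
```

Review changes to this file like code: an allowlist edit is the easiest way to make a scanner go quiet about a real leak.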

Step 4: Local security check

  • Add scripts/secleak-check.sh.
  • If Node-based, add scripts in package.json: security:check and security:hooks.

Step 5: CI secret scanning

  • Add a workflow that runs TruffleHog (diff scan on pull requests and pushes, full-history scan on a schedule) and Gitleaks.
  • Pin every action by full commit SHA rather than a mutable tag, grant the workflow only contents: read, and pass --only-verified to TruffleHog. That flag reports only credentials TruffleHog could verify against the issuing service, which keeps the signal clean but also means secrets it cannot verify (internal tokens, custom formats) go unreported, so Gitleaks stays in the pipeline to cover them.
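A workflow implementing this step, added here as an example and not the skill's template. The file name secret-scan.yml, the weekly cron, and the <full-commit-sha> placeholders are assumptions; replace each placeholder with the 40-character commit of the action release you reviewed.

```yaml
# .github/workflows/secret-scan.yml (added example, not the skill's template)
name: secret-scan

on:
  pull_request:
  push:
    branches: [main]
  schedule:
    - cron: "17 3 * * 1"        # weekly full-history sweep

permissions:
  contents: read                 # scanners only read; no write scopes here

jobs:
  trufflehog-diff:
    if: github.event_name != 'schedule'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<full-commit-sha>      # pin by SHA, not by tag
        with:
          fetch-depth: 0         # history is needed to compute the diff range
      - uses: trufflesecurity/trufflehog@<full-commit-sha>
        with:
          path: ./
          extra_args: --only-verified   # only credentials that verified live

  trufflehog-history:
    if: github.event_name == 'schedule'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<full-commit-sha>
        with:
          fetch-depth: 0
      - uses: trufflesecurity/trufflehog@<full-commit-sha>
        with:
          path: ./
          base: ""               # empty base: walk the whole branch history
          head: ${{ github.ref_name }}
          extra_args: --only-verified

  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<full-commit-sha>
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@<full-commit-sha>   # reads .gitleaks.toml from the repo root
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_ENABLE_COMMENTS: "false"   # no PR comments, so the job stays read-only
```

The scheduled full-history job matters because a diff scan only sees the commits in the current push; anything that landed before scanning was enabled sits in history until it is rewritten. When a scan does find a live credential, rotate it first and purge history second: the push that exposed it has already reached every mirror and fork.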

Step 6: Dependabot

  • Add dependabot.yml for npm and GitHub Actions.

Step 7: .gitignore

  • Add runtime dirs and credential patterns to avoid accidental commits.

Validation

  • Run: node scripts/hooks/block-forbidden-staged-files.mjs (with a forbidden path staged, it must exit non-zero; with a clean index, zero)
  • Run: gitleaks git --no-banner --redact=100 --config .gitleaks.toml . (the git subcommand exists from gitleaks v8.19; older releases use gitleaks detect --source . with the same remaining flags)
  • Run: trivy fs --scanners secret,misconfig --exit-code 1 .

References

  • Templates: reference.md
  • Examples: examples.md
