Git Safety Skill

Comprehensive security scanning, cleaning, and prevention for git repositories.

CRITICAL WARNING

Removing secrets from git history does NOT make them safe!

Even after cleaning git history:

• GitHub is scraped by bots within seconds of a push
• Archive services may have captured snapshots
• Forks retain the original history
• CI/CD logs may contain the values

ALWAYS rotate leaked credentials immediately. Cleaning history is NOT enough.

Modes of Operation

1. /git-safety scan – Detect Sensitive Files

Scan repository for sensitive files in current state and git history.

2. /git-safety clean – Remove from History

Remove sensitive files using git-filter-repo or BFG.

3. /git-safety prevent – Set Up Prevention

Configure .gitignore and pre-commit hooks.

4. /git-safety full – Complete Audit

Run all three operations in sequence.

Sensitive File Patterns

.env, .env.*, credentials.json, service-account*.json
*.pem, *.key, id_rsa*, secrets.*, .npmrc, *.secret

Quick Commands

Scan for sensitive files in history:

git log --all --pretty=format: --name-only --diff-filter=A | sort -u | grep -iE 'env|secret|credential|key'

Remove .env from all history:

git filter-repo --path .env --invert-paths --force
git push origin --force --all

Add to .gitignore:

echo -e "\n.env\n.env.*\n*.pem\n*.key\ncredentials.json" >> .gitignore

Emergency Response

If you’ve leaked credentials:

1. IMMEDIATELY rotate the credential
2. Check access logs
3. Run /git-safety clean
4. Force push cleaned history
5. Notify team to re-clone
6. Update .gitignore
7. Set up pre-commit hooks

For complete scan commands, cleaning process with git-filter-repo/BFG, pre-commit hook setup, .gitignore templates, platform-specific guidance, and detailed emergency checklist, see: references/full-guide.md