Git Security Scanner

Scan your git repositories for leaked secrets, credentials, and security vulnerabilities in one command. Combines gitleaks (pattern-based secret detection) and shipguard (48+ SAST rules across 7 security layers) into a unified scanner with merged reporting.

What You Get

Two Scanning Engines

Engine	What it does	Rules
gitleaks	Pattern-based secret detection across files and git history	400+ built-in rules, custom `.gitleaks.toml` support
shipguard

Static analysis for secrets, shell injection, code injection, supply chain, config issues | 48+ rules: SEC-001–015, SHELL-001–009, PY-001–012, JS-001–008, GHA-001–005, CFG-001–003, SC-001–006 |

Scanning Modes

Mode	Command	What it checks
Quick scan	INLINECODE1	Current working tree
Staged only

What It Catches

Secrets (gitleaks + shipguard SEC rules):

- API keys (AWS, GCP, Azure, OpenAI, Anthropic, Stripe, GitHub, Slack, etc.)
Database connection strings with embedded passwords
SSH private keys and PEM files
JWT tokens and session secrets
Hardcoded passwords in config files
INLINECODE5 files accidentally staged
Credentials in comments or docstrings

Code vulnerabilities (shipguard SAST rules):

- Shell command injection (SHELL-001–009)
Python code injection: eval(), exec(), unsafe pickle, SQL injection (PY-001–012)
JavaScript injection: innerHTML, eval(), prototype pollution (JS-001–008)
GitHub Actions injection: script injection, unpinned actions (GHA-001–005)
Config issues: debug mode in production, permissive CORS, exposed admin routes (CFG-001–003)
Supply chain: unpinned dependencies, missing lockfiles, unsigned artifacts (SC-001–006)

Output Formats

Format	Flag	Use case
Terminal (default)	INLINECODE16	Color-coded findings with severity icons
Markdown

Installation

Prerequisites

CODEBLOCK0

Install the Skill

CODEBLOCK1

This adds the git-security-scan wrapper script and the skill definition.

Set Up Pre-Commit Hook

CODEBLOCK2

This installs a pre-commit hook in the current repo that runs git-security-scan --staged-only --severity high on every commit. Commits with critical or high severity findings are blocked.

Usage

CLI

CODEBLOCK3

AI Assistant Prompts

Quick scan:

"Scan this repo for leaked secrets and security vulnerabilities"

Pre-commit setup:

"Set up pre-commit hooks to block secrets before they're committed"

Full history audit:

"Audit the entire git history for any credentials that were ever committed"

Custom rules:

"Add a gitleaks rule to catch hardcoded Proxmox API tokens"

Targeted scan:

"Run shipguard on just the Python files with severity high or above"

Configuration

gitleaks (`.gitleaks.toml`)

Create in your repo root to add custom secret patterns:

CODEBLOCK4

shipguard (`.shipguard.yml`)

Create in your repo root to configure SAST rules:

CODEBLOCK5

Pre-commit config (`.shipguard-precommit.yml`)

Stricter settings for the pre-commit hook:

CODEBLOCK6

Report Example

Terminal output:

CODEBLOCK7

Remediation Workflow

When critical/high findings are detected:

1. Rotate the credential — Assume it's compromised if it was ever in git history
Remove from history — git filter-repo --invert-paths --path <file> or BFG Repo Cleaner
Add to .gitignore — Prevent re-staging of secret files
Use environment variables — Move secrets to .env (excluded from git) or a secret manager
Re-scan — Run git-security-scan --full-history to confirm the fix

Troubleshooting

Problem	Fix
VirusTotal "suspicious" warning on install	This is a false positive — the skill describes secret patterns and vulnerability types, which triggers pattern detection. Use `clawhub install git-security-scanner --force` to proceed. Review the SKILL.md yourself to confirm.
INLINECODE30 not found

brew install gitleaks (macOS) or download from gitleaks releases | | shipguard not found | pipx install shipguard or pip install shipguard | | No findings but secrets exist | Check if .gitleaks.toml or .shipguard.yml is excluding the path. Try --severity low to see all findings. | | Scan is slow | --full-history scans every commit. Use default mode (working tree only) for quick checks. |

Git Security Scanner

通过一条命令扫描你的 Git 仓库，检测泄露的密钥、凭据和安全漏洞。将 gitleaks（基于模式的密钥检测）和 shipguard（覆盖 7 个安全层级的 48 条以上 SAST 规则）整合为一个统一的扫描器，并提供合并报告。

你获得的功能

两个扫描引擎

引擎	功能	规则
gitleaks	跨文件和 Git 历史进行基于模式的密钥检测	400+ 内置规则，支持自定义 .gitleaks.toml
shipguard

对密钥、Shell 注入、代码注入、供应链、配置问题进行静态分析 | 48+ 条规则：SEC-001–015, SHELL-001–009, PY-001–012, JS-001–008, GHA-001–005, CFG-001–003, SC-001–006 |

扫描模式

模式	命令	检查内容
快速扫描	git-security-scan	当前工作树
仅暂存区

它能捕获什么

密钥（gitleaks + shipguard SEC 规则）：

- API 密钥（AWS、GCP、Azure、OpenAI、Anthropic、Stripe、GitHub、Slack 等）
包含嵌入式密码的数据库连接字符串
SSH 私钥和 PEM 文件
JWT 令牌和会话密钥
配置文件中的硬编码密码
意外暂存的 .env 文件
注释或文档字符串中的凭据

代码漏洞（shipguard SAST 规则）：

- Shell 命令注入（SHELL-001–009）
Python 代码注入：eval()、exec()、不安全的 pickle、SQL 注入（PY-001–012）
JavaScript 注入：innerHTML、eval()、原型污染（JS-001–008）
GitHub Actions 注入：脚本注入、未固定版本的操作（GHA-001–005）
配置问题：生产环境中的调试模式、宽松的 CORS、暴露的管理路由（CFG-001–003）
供应链：未固定版本的依赖、缺失的锁文件、未签名的制品（SC-001–006）

输出格式

格式	标志	使用场景
终端（默认）	--format terminal	带严重级别图标的彩色编码结果
Markdown

安装

前提条件

bash

macOS

brew install gitleaks
pipx install shipguard # 或：pip install shipguard

Linux

gitleaks：从 https://github.com/gitleaks/gitleaks/releases 下载

shipguard：

pipx install shipguard

安装技能

bash
clawhub install git-security-scanner

这将添加 git-security-scan 包装脚本和技能定义。

设置预提交钩子

bash
git-security-scan --install-hooks

这会在当前仓库中安装一个预提交钩子，每次提交时运行 git-security-scan --staged-only --severity high。严重或高严重级别的发现将被阻止提交。

使用方法

CLI

bash

扫描当前目录

git-security-scan

扫描特定项目

git-security-scan /path/to/project

预提交模式（仅暂存文件，阻止高严重级别及以上）

git-security-scan --staged-only --severity high

完整 Git 历史审计

git-security-scan --full-history

生成 Markdown 报告

git-security-scan --format markdown --output report.md

用于 CI 管道的 JSON

git-security-scan --format json --output .security-reports/scan.json

跳过某个引擎

git-security-scan --skip-gitleaks # 仅 shipguard git-security-scan --skip-shipguard # 仅 gitleaks

AI 助手提示

快速扫描：

扫描此仓库以查找泄露的密钥和安全漏洞

预提交设置：

设置预提交钩子，在提交前阻止密钥泄露

完整历史审计：

审计整个 Git 历史，查找曾经提交过的任何凭据

自定义规则：

添加一条 gitleaks 规则，用于捕获硬编码的 Proxmox API 令牌

定向扫描：

仅对 Python 文件运行 shipguard，严重级别为高或以上

配置

gitleaks（.gitleaks.toml）

在仓库根目录创建，以添加自定义密钥模式：

toml
[extend]
useDefault = true

[[rules]]
id = proxmox-api-token
description = Proxmox API Token
regex = PVEAPIToken=[A-Za-z0-9@!]+:[A-Za-z0-9-]+

shipguard（.shipguard.yml）

在仓库根目录创建，以配置 SAST 规则：

yaml
severity_threshold: medium
exclude_paths:
- tests/fixtures/
- node_modules/
- *.min.js
disable_rules:
- JS-008 # 跳过特定规则

预提交配置（.shipguard-precommit.yml）

为预提交钩子设置更严格的配置：

yaml
severity_threshold: high
exclude_paths:
- tests/
- docs/

报告示例

终端输出：

============================================================
Git Security Scan Report
============================================================
目录：/home/user/my-project
时间戳：2026-03-19T10:30:00Z
工具： gitleaks（2 个发现）
shipguard（3 个发现）

发现：5 严重：1 高：1 中：3

🔴 [严重] aws-access-key-id (gitleaks)
config/settings.py:42
检测到 AWS 访问密钥 ID
> AKIAIOSFODNN7EXAMPLE
修复：立即轮换此凭据。从 Git 历史中移除。

🟠 [高] SEC-003 (shipguard)
src/api.py:18
连接字符串中的硬编码数据库密码
> db_url = postgres://admin:p4ssw0rd@localhost/app
修复：使用环境变量代替硬编码凭据。

🟡 [中] PY-003 (shipguard)
src/utils.py:55
使用 eval() 处理用户控制的输入
> result = eval(user_expression)
修复：使用 ast.literal_eval() 或安全的表达式解析器。

修复工作流程

当检测到严重/高严重级别发现时：

1. 轮换凭据 — 如果它曾存在于 Git 历史中，则视为已泄露
从历史中移除 — git filter-repo --invert-paths --path 或 BFG Repo Cleaner
添加到 .gitignore — 防止重新暂存密钥文件
使用环境变量 — 将密钥移至 .env（排除在 Git 之外）或密钥管理器
重新扫描 — 运行 git-security-scan --full-history 以确认修复

故障排除

问题	修复
安装时 VirusTotal 显示“可疑”警告	这是误报——该技能描述了密钥模式和漏洞类型，触发了模式检测。使用 clawhub install git-security-scanner --force 继续。自行查看 SKILL.md 以确认。
未找到 gitleaks

Git Security ScannerGit安全扫描器