Precommit Secret Scan

2. Run gitleaks on staged files

# Get staged files
STAGED_FILES=$(git diff --staged --name-only)

if [ -z "$STAGED_FILES" ]; then
    echo "No staged files to scan"
    exit 0
fi

# Run gitleaks detect (v8+)
# --staged scans only staged changes
# --no-gitignore ignores .gitignore rules
gitleaks detect --staged --no-gitignore --verbose

3. Handle results

• Exit code 0: No secrets found → proceed with commit
• Exit code 1: Secrets found → block commit, show findings

4. If secrets found

echo "SECRETS DETECTED - Commit blocked!"
echo ""
echo "To bypass (DANGER), use: git commit --no-verify"
echo "Then rotate exposed credentials immediately"
exit 1

Integration with git

Option A: Pre-commit hook

# Create .git/hooks/pre-commit
cat > .git/hooks/pre-commit << 'EOF'
#!/bin/bash
source ~/.config/opencode/skills/precommit-secret-scan.sh
EOF
chmod +x .git/hooks/pre-commit

Option B: Manual check before commit

# Before committing, run this skill
git diff --staged | gitleaks detect --staged

Detected Secret Types

Gitleaks detects:

• AWS Access Keys
• GitHub Personal Access Tokens
• GitHub OAuth Tokens
• SSH Private Keys
• GCP Service Account Keys
• Azure API Keys
• Slack Tokens
• Stripe API Keys
• SendGrid API Keys
• Passwords in config files
• Private keys (.pem, .key)
• Database connection strings
• JWT tokens
• And many more...

Configuration (optional)

Create .gitleaks.toml in repo root:

[printer]
no-gitignore = true

[rules]
entropy = 5

Safety First

• NEVER commit secrets - even "test" credentials
• Rotate exposed secrets immediately if accidentally committed
• Use environment variables or secret managers (1Password, Bitwarden, AWS Secrets Manager)