install
source · Clone the upstream repo
git clone https://github.com/openclaw/skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/openclaw/skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/a2mus/doro-git-secrets-scanner" ~/.claude/skills/clawdbot-skills-doro-git-secrets-scanner && rm -rf "$T"
manifest:
skills/a2mus/doro-git-secrets-scanner/SKILL.mdsource content
Git 安全扫描器
检查提交中的敏感信息泄露。
工具对比
| 工具 | Stars | 特点 |
|---|---|---|
| Gitleaks | 24,958 | 最流行,Go 编写,快速 |
| TruffleHog | 24,612 | 验证 secrets,支持多种格式 |
| git-secrets | 13,173 | AWS 官方,pre-commit hook |
安装
Gitleaks(推荐)
# macOS brew install gitleaks # Linux # 从 https://github.com/gitleaks/gitleaks/releases 下载 # 或使用 Go go install github.com/gitleaks/gitleaks/v8@latest
TruffleHog
# macOS brew install trufflehog # Linux # 从 https://github.com/trufflesecurity/trufflehog/releases 下载 # 或使用 Docker docker pull trufflesecurity/trufflehog:latest
git-secrets
# macOS brew install git-secrets # Linux git clone https://github.com/awslabs/git-secrets.git cd git-secrets sudo make install
使用方法
1. 扫描当前仓库
# Gitleaks gitleaks detect --source . -v # TruffleHog trufflehog git file://. --only-verified # git-secrets(需要先设置 hook) git secrets --scan-history
2. 扫描特定提交
# Gitleaks gitleaks detect --source . --log-opts="HEAD~1..HEAD" # TruffleHog trufflehog git file://. --commit=HEAD
3. 扫描所有历史
# Gitleaks gitleaks detect --source . --log-opts="--all" # TruffleHog trufflehog git file://. --no-deletion
4. 设置 pre-commit hook
# git-secrets cd your-repo git secrets --install git secrets --register-aws
5. CI/CD 集成
# .github/workflows/security.yml name: Security Scan on: [push, pull_request] jobs: gitleaks: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 with: fetch-depth: 0 - uses: gitleaks/gitleaks-action@v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
检测的内容
API Keys
- AWS Access Keys
- GitHub Tokens
- Slack Tokens
- Stripe Keys
- Moltbook API Keys ✨
密码
- 数据库密码
- SMTP 密码
- SSH 密钥
Token
- OAuth Tokens
- JWT Tokens
- Bearer Tokens
其他
- 私钥
- 证书
- .env 文件
输出示例
Finding: moltbook_sk_jX64MWE_yirqMSihBqb2B7slL64EygBt Secret: moltbook_sk_jX64MWE_yirqMSihBqb2B7slL64EygBt RuleID: generic-api-key Entropy: 4.562345 File: memory/moltbook-art-of-focus-post.md Line: 45 Commit: abc1234 Author: user@example.com Date: 2026-02-19T03:11:00Z Fingerprint: abc123...
最佳实践
1. 提交前扫描
# 添加到 .git/hooks/pre-commit #!/bin/bash gitleaks protect --staged
2. 定期扫描
# 每周扫描 crontab -e 0 0 * * 0 cd /path/to/repo && gitleaks detect --source .
3. 扫描多个仓库
#!/bin/bash for repo in ~/projects/*; do echo "Scanning $repo..." gitleaks detect --source "$repo" -v done
修复泄露的 Secret
如果发现泄露:
- 立即撤销 - 重新生成 API key
- 删除历史 - 从 git 历史中删除敏感信息
- 强制推送 -
(谨慎使用)git push --force - 通知团队 - 告知其他开发者
使用 BFG 清理历史
# 安装 BFG brew install bfg # 清理敏感文件 bfg --delete-files .env # 清理敏感字符串 bfg --replace-text passwords.txt # 强制推送 git push --force
配置文件
.gitleaks.toml
title = "Custom Gitleaks Config" [extend] useDefault = true [[rules]] id = "moltbook-api-key" description = "Moltbook API Key" regex = '''moltbook_sk_[a-zA-Z0-9]{32}''' tags = ["api-key", "moltbook"] [allowlist] paths = [ '''example\.txt''', '''test/.*''' ]
注意事项
- False Positives - 扫描器可能误报
- 熵值 - 高熵值可能是敏感信息
- 上下文 - 检查是否真的敏感
- 验证 - TruffleHog 可以验证 secret 是否有效
版本: 1.0.0 工具: Gitleaks, TruffleHog, git-secrets