Forge-core SecretScan

Commit-time secret scanning with gitleaks — prevent credentials from entering git history. USE WHEN scanning for leaked secrets, setting up pre-commit hooks, or auditing repositories for credentials.

Install

Source (clone the upstream repo):

git clone https://github.com/N4M3Z/forge-core

Claude Code (install into ~/.claude/skills/):

T=$(mktemp -d) && git clone --depth=1 https://github.com/N4M3Z/forge-core "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/SecretScan" ~/.claude/skills/n4m3z-forge-core-secretscan && rm -rf "$T"

Manifest: skills/SecretScan/SKILL.md

Source content (SKILL.md):

SecretScan

Prevent secrets from entering git history using gitleaks.

Setup

Install

brew install gitleaks

Scan the working tree

gitleaks detect --source . --no-git

Scan git history

gitleaks detect --source .

Baseline known findings

If the repo has historical secrets that have been rotated, create a baseline so future scans only flag new leaks:

gitleaks detect --source . --report-path .gitleaks-baseline.json
gitleaks detect --source . --baseline-path .gitleaks-baseline.json

Pre-commit hook

Add to .pre-commit-config.yaml:

repos:
  - repo: local
    hooks:
      - id: gitleaks
        name: gitleaks
        # --no-git scans the whole working tree, not only staged files
        entry: gitleaks detect --no-banner --no-git -s .
        language: system
        pass_filenames: false

.gitleaks.toml

Config file at the project root for allowlists. Use path exclusions, not fingerprints — fingerprints break when line numbers shift:

[allowlist]
# regular expressions matched against the file path
paths = [
    "evals/baselines/.*",
    "tests/fixtures/.*",
]
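Added example (not part of the SKILL.md above, and not gitleaks's own code): a Python replay of how the baseline from the "Baseline known findings" step and the [allowlist] paths above filter a report, using constructed findings in the shape of gitleaks' JSON report. The baseline match rule in baseline_key is an assumption that approximates gitleaks' exact-field comparison, and only a subset of report fields is used.

```python
"""Replay gitleaks' baseline and [allowlist] path filtering on sample
report JSON, to show which findings survive a line-number shift."""
import json
import re

# Constructed findings in the gitleaks v8 JSON report shape (subset of fields).
BASELINE_JSON = json.dumps([
    {"RuleID": "generic-api-key", "File": "config/settings.py",
     "StartLine": 12, "Commit": "", "Secret": "REDACTED-ROTATED-1"},
    {"RuleID": "generic-api-key", "File": "docs/legacy.md",
     "StartLine": 40, "Commit": "", "Secret": "REDACTED-ROTATED-2"},
])

# Rescan after an edit inserted two lines near the top of settings.py:
# that finding moved to line 14, docs/legacy.md is untouched, and a
# test fixture now also trips the AWS rule.
NEW_REPORT_JSON = json.dumps([
    {"RuleID": "generic-api-key", "File": "config/settings.py",
     "StartLine": 14, "Commit": "", "Secret": "REDACTED-ROTATED-1"},
    {"RuleID": "generic-api-key", "File": "docs/legacy.md",
     "StartLine": 40, "Commit": "", "Secret": "REDACTED-ROTATED-2"},
    {"RuleID": "aws-access-token", "File": "tests/fixtures/creds.json",
     "StartLine": 3, "Commit": "", "Secret": "REDACTED-FIXTURE"},
])

# Same regexes as the [allowlist] paths entry in .gitleaks.toml.
ALLOWLIST_PATHS = [r"evals/baselines/.*", r"tests/fixtures/.*"]

def baseline_key(finding: dict) -> tuple:
    # Assumption: gitleaks only treats a finding as already known when its
    # location and content fields match a baseline entry exactly, so a
    # line shift alone is enough to make it "new" again.
    return (finding["RuleID"], finding["File"], finding["StartLine"],
            finding["Commit"], finding["Secret"])

def new_findings(report_json: str, baseline_json: str, allowlist_paths: list) -> list:
    """Findings not covered by the baseline and not under an allowlisted path."""
    known = {baseline_key(f) for f in json.loads(baseline_json)}
    allowed = [re.compile(p) for p in allowlist_paths]
    return [f for f in json.loads(report_json)
            if baseline_key(f) not in known
            and not any(r.search(f["File"]) for r in allowed)]

def flagged_files(report_json: str, baseline_json: str, allowlist_paths: list) -> list:
    return [f["File"] for f in new_findings(report_json, baseline_json, allowlist_paths)]

if __name__ == "__main__":
    print("baseline only: ", flagged_files(NEW_REPORT_JSON, BASELINE_JSON, []))
    print("with allowlist:", flagged_files(NEW_REPORT_JSON, BASELINE_JSON, ALLOWLIST_PATHS))
```

The rotated key in config/settings.py is re-flagged after the shift even though it is in the baseline, while the fixture under tests/fixtures/ stays quiet regardless of line numbers because it is suppressed by path.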

Constraints

  • Never commit .env, credentials, or API keys — even to private repos.
  • If gitleaks blocks a commit, fix the leak. Don't bypass the hook with --no-verify.
  • Different gitleaks versions detect different patterns. If the scan passes locally but fails in CI, check for a version mismatch.