Git Safety Skill
Comprehensive security scanning, cleaning, and prevention for git repositories.
CRITICAL WARNING
Removing secrets from git history does NOT make them safe!
Even after cleaning git history:
- GitHub is scraped by bots within seconds of a push
- Archive services may have captured snapshots
- Forks retain the original history
- CI/CD logs may contain the values
ALWAYS rotate leaked credentials immediately. Cleaning history is NOT enough.
Modes of Operation
- /git-safety scan - Detect Sensitive Files
Scan repository for sensitive files in current state and git history.
- /git-safety clean - Remove from History
Remove sensitive files using git-filter-repo or BFG.
- /git-safety prevent - Set Up Prevention
Configure .gitignore and pre-commit hooks.
- /git-safety full - Complete Audit
Run all three operations in sequence.
Sensitive File Patterns
.env, .env.*, credentials.json, service-account.json, *.pem, *.key, id_rsa, secrets.*, .npmrc, *.secret
Quick Commands
Scan for sensitive files in history:
git log --all --pretty=format: --name-only --diff-filter=A | sort -u | grep -iE 'env|secret|credential|key'
Remove .env from all history:
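git filter-repo --path .env --invert-paths --force
# git filter-repo removes the origin remote; re-add it before pushing (placeholder URL)
git remote add origin <repository-url>
git push origin --force --all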
Add to .gitignore:
printf '\n.env\n.env.*\n*.pem\n*.key\ncredentials.json\n' >> .gitignore
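A pre-commit hook for the prevent mode, as an added example (not the skill's own hook from references/full-guide.md). It matches the basename of each staged file against the Sensitive File Patterns list, with the wildcards written out as shell globs; the function names `is_sensitive` and `check_paths` are illustrative.

```shell
#!/bin/sh
# Added example: refuse commits that stage files matching the sensitive-file
# patterns. Install as .git/hooks/pre-commit and make it executable.

# is_sensitive PATH -> status 0 if the basename matches a sensitive pattern.
is_sensitive() {
    # Match the lowercased basename only, so src/environment.ts or
    # keyboard.js are not flagged the way a substring grep would flag them.
    name=$(printf '%s' "${1##*/}" | tr '[:upper:]' '[:lower:]')
    case "$name" in
        .env|.env.*|credentials.json|service-account.json) return 0 ;;
        *.pem|*.key|id_rsa|secrets.*|.npmrc|*.secret)      return 0 ;;
    esac
    return 1
}

# check_paths: read newline-separated paths on stdin, report each sensitive
# one on stderr, and return 1 if any was found.
check_paths() {
    found=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if is_sensitive "$path"; then
            printf 'blocked: %s\n' "$path" >&2
            found=1
        fi
    done
    return "$found"
}

# Act only when running under the hook's name, so the file can also be sourced.
case "$0" in
    *pre-commit)
        # -z disables git's quoting of unusual paths; ACMR selects files
        # added, copied, modified or renamed in the index.
        if ! git diff --cached --name-only -z --diff-filter=ACMR \
                | tr '\0' '\n' | check_paths; then
            echo 'Commit refused: unstage these files and add them to .gitignore.' >&2
            exit 1
        fi
        ;;
esac
```

A hook runs only in the clone where it is installed and can be bypassed with `git commit --no-verify`, so it complements the history scan and does not replace it.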
Emergency Response
If you've leaked credentials:
- IMMEDIATELY rotate the credential
- Check access logs
- Run /git-safety clean
- Force push cleaned history
- Notify team to re-clone
- Update .gitignore
- Set up pre-commit hooks
For complete scan commands, cleaning process with git-filter-repo/BFG, pre-commit hook setup, .gitignore templates, platform-specific guidance, and detailed emergency checklist, see: references/full-guide.md