# Git Security Scanner

v1.0.1

Unified security scanner that catches leaked secrets, credentials, and code vulnerabilities before they reach your remote. Wraps gitleaks (400+ secret patterns) and shipguard (48+ SAST rules) into a single tool with pre-commit hooks, on-demand scans, and full git history audits.
## Git Security Scanner

Scan your git repositories for leaked secrets, credentials, and security vulnerabilities in one command. Combines gitleaks (pattern-based secret detection) and shipguard (48+ SAST rules across 7 security layers) into a unified scanner with merged reporting.
## What You Get

### Two Scanning Engines

| Engine | What it does | Rules |
|---|---|---|
| gitleaks | Pattern-based secret detection across files and git history | 400+ built-in rules, custom `.gitleaks.toml` support |
| shipguard | Static analysis for secrets, shell injection, code injection, supply chain, config issues | 48+ rules: SEC-001–015, SHELL-001–009, PY-001–012, JS-001–008, GHA-001–005, CFG-001–003, SC-001–006 |

### Scanning Modes

| Mode | Command | What it checks |
|---|---|---|
| Quick scan | `git-security-scan` | Current working tree |
| Staged only | `git-security-scan --staged-only` | Only staged files; intended for pre-commit hooks |
| Full history | `git-security-scan --full-history` | Entire git history; finds secrets in old commits |
| Custom severity | `git-security-scan --severity critical` | Filter by minimum severity level |

### What It Catches
**Secrets** (gitleaks + shipguard SEC rules):

- API keys (AWS, GCP, Azure, OpenAI, Anthropic, Stripe, GitHub, Slack, etc.)
- Database connection strings with embedded passwords
- SSH private keys and PEM files
- JWT tokens and session secrets
- Hardcoded passwords in config files
- `.env` files accidentally staged
- Credentials in comments or docstrings
**Code vulnerabilities** (shipguard SAST rules):

- Shell command injection (SHELL-001–009)
- Python code injection: `eval()`, `exec()`, unsafe pickle, SQL injection (PY-001–012)
- JavaScript injection: `innerHTML`, `eval()`, prototype pollution (JS-001–008)
- GitHub Actions injection: script injection, unpinned actions (GHA-001–005)
- Config issues: debug mode in production, permissive CORS, exposed admin routes (CFG-001–003)
- Supply chain: unpinned dependencies, missing lockfiles, unsigned artifacts (SC-001–006)

## Output Formats

| Format | Flag | Use case |
|---|---|---|
| Terminal (default) | `--format terminal` | Color-coded findings with severity icons |
| Markdown | `--format markdown` | PR comments, documentation, reports |
| JSON | `--format json` | CI/CD integration, programmatic analysis |
| SARIF | `--format sarif` | GitHub Security tab integration |

## Installation

### Prerequisites

```bash
# macOS
brew install gitleaks
pipx install shipguard   # or: pip install shipguard

# Linux
# gitleaks: download from https://github.com/gitleaks/gitleaks/releases
# shipguard: pipx install shipguard
```
### Install the Skill

```bash
clawhub install git-security-scanner
```

This adds the `git-security-scan` wrapper script and the skill definition.

### Set Up the Pre-Commit Hook

```bash
git-security-scan --install-hooks
```

This installs a pre-commit hook in the current repo that runs `git-security-scan --staged-only --severity high` on every commit. Commits with critical or high severity findings are blocked.
## Usage

### CLI

```bash
# Scan current directory
git-security-scan

# Scan a specific project
git-security-scan /path/to/project

# Pre-commit mode (staged files only, block on high+)
git-security-scan --staged-only --severity high

# Full git history audit
git-security-scan --full-history

# Generate a markdown report
git-security-scan --format markdown --output report.md

# JSON for CI pipelines
git-security-scan --format json --output .security-reports/scan.json

# Skip one engine
git-security-scan --skip-gitleaks    # shipguard only
git-security-scan --skip-shipguard   # gitleaks only
```
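The JSON output is what a CI job would gate on. The following Python script is an added example, not part of this skill or of either scanner. Because the scanner's JSON layout is not documented on this page, it assumes a report shape (constructed inline) with a top-level `findings` list whose entries carry `tool`, `rule`, `severity`, `file` and `line` keys; adapt the key names to the real output. It applies the same decision the pre-commit hook makes: fail when any finding is at or above the minimum severity, and fail closed on a severity label it does not recognise.

```python
"""Gate a CI job on a git-security-scan JSON report (added example, assumed schema)."""
import json
import sys

# Severity ordering used for the threshold comparison. The report prints
# critical/high/medium; "low" is included so a complete ordering exists.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample report mirroring the counts in the terminal example
# (1 critical, 1 high, 3 medium). The key names are an assumption made for
# this example; the real scanner's JSON layout is not documented here.
SAMPLE_REPORT = json.dumps({
    "directory": "/home/user/my-project",
    "findings": [
        {"tool": "gitleaks", "rule": "aws-access-key-id", "severity": "critical",
         "file": "config/settings.py", "line": 42},
        {"tool": "shipguard", "rule": "SHELL-001", "severity": "high",
         "file": "scripts/deploy.py", "line": 17},
        {"tool": "shipguard", "rule": "CFG-002", "severity": "medium",
         "file": "app/settings.py", "line": 9},
        {"tool": "shipguard", "rule": "JS-003", "severity": "medium",
         "file": "web/main.js", "line": 88},
        {"tool": "gitleaks", "rule": "generic-api-key", "severity": "medium",
         "file": ".env.example", "line": 3},
    ],
})


def severity_rank(label):
    """Map a severity label to its rank; unknown labels raise so the gate fails closed."""
    try:
        return SEVERITY_RANK[label.lower()]
    except (KeyError, AttributeError):
        raise ValueError("unknown severity label: %r" % (label,))


def count_by_severity(report):
    """Return {severity: count} for every finding in the report."""
    counts = {}
    for finding in report.get("findings", []):
        sev = finding.get("severity", "").lower()
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def blocking_findings(report, min_severity):
    """Findings whose severity is at or above min_severity."""
    threshold = severity_rank(min_severity)
    return [
        f for f in report.get("findings", [])
        if severity_rank(f.get("severity")) >= threshold
    ]


def gate(report_json, min_severity="high"):
    """Decide whether the pipeline should fail.

    Returns (should_block, blocking_list, counts).
    """
    report = json.loads(report_json)
    blocked = blocking_findings(report, min_severity)
    return (len(blocked) > 0, blocked, count_by_severity(report))


def main(argv):
    # Usage: gate.py [path/to/scan.json] [min_severity]; no path runs the sample.
    path = argv[1] if len(argv) > 1 else None
    min_sev = argv[2] if len(argv) > 2 else "high"
    if path:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    should_block, blocked, counts = gate(text, min_sev)
    for f in blocked:
        print("[%s] %s (%s) %s:%s" % (f["severity"].upper(), f["rule"],
                                      f["tool"], f["file"], f.get("line", "?")))
    print("Findings by severity:", counts)
    return 1 if should_block else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a step after `git-security-scan --format json --output .security-reports/scan.json`, passing that path and the threshold; a non-zero exit fails the job. Raising on an unrecognised severity is deliberate: a renamed or misspelled label should stop the pipeline rather than let a finding through.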
## AI Assistant Prompts

**Quick scan:**

"Scan this repo for leaked secrets and security vulnerabilities"

**Pre-commit setup:**

"Set up pre-commit hooks to block secrets before they're committed"

**Full history audit:**

"Audit the entire git history for any credentials that were ever committed"

**Custom rules:**

"Add a gitleaks rule to catch hardcoded Proxmox API tokens"

**Targeted scan:**

"Run shipguard on just the Python files with severity high or above"
## Configuration

### gitleaks (`.gitleaks.toml`)

Create this in your repo root to add custom secret patterns:

```toml
[extend]
useDefault = true

[[rules]]
id = "proxmox-api-token"
description = "Proxmox API token"
regex = '''PVEAPIToken=[A-Za-z0-9@!]+:[A-Za-z0-9-]+'''
```
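Before committing a custom rule it is worth confirming that its regex matches the token shape you expect and does not fire on documentation that merely mentions the header. The snippet below is an added example, not gitleaks code or part of this skill: it transcribes the `proxmox-api-token` rule above into a dict, compiles the regex with Python's `re` (the pattern uses only constructs that behave the same in gitleaks' RE2 engine), scans a few constructed lines and returns each hit with the matched value redacted so the check itself does not re-leak anything.

```python
"""Exercise a custom gitleaks rule against sample lines (added example, not gitleaks code)."""
import re

# The rule from .gitleaks.toml above, transcribed so it can be run
# without the gitleaks binary.
PROXMOX_RULE = {
    "id": "proxmox-api-token",
    "description": "Proxmox API token",
    "regex": r"PVEAPIToken=[A-Za-z0-9@!]+:[A-Za-z0-9-]+",
}

# Constructed sample input. The token values are placeholders, not real secrets.
# Line 2 mentions the header in documentation form and should NOT match:
# the angle brackets are outside the rule's character classes.
SAMPLE_LINES = [
    "export PVE_AUTH='PVEAPIToken=root@pam!ci:0f1e2d3c-aaaa-bbbb-cccc-000000000000'",
    "# docs: authenticate with PVEAPIToken=<user>@<realm>!<tokenid>:<secret>",
    "headers = {'Authorization': 'PVEAPIToken=automation@pve!deploy:placeholder-secret'}",
    "log.info('connected to proxmox')",
]


def redact(secret, keep=8):
    """Keep only a short prefix so findings can be reported without re-leaking the value."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_lines(rule, lines):
    """Return one finding per regex match as (line_no, rule_id, redacted_match)."""
    pattern = re.compile(rule["regex"])
    findings = []
    for number, line in enumerate(lines, start=1):
        for match in pattern.finditer(line):
            findings.append((number, rule["id"], redact(match.group(0))))
    return findings


if __name__ == "__main__":
    for line_no, rule_id, shown in scan_lines(PROXMOX_RULE, SAMPLE_LINES):
        print("line %d: %s -> %s" % (line_no, rule_id, shown))
```

When extending this to several rules, load the real `.gitleaks.toml` (Python 3.11's `tomllib` parses it) and loop over `rules`; keep the redaction, because a test harness that prints raw matches ends up in CI logs.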
### shipguard (`.shipguard.yml`)

Create this in your repo root to configure SAST rules:

```yaml
severity_threshold: medium
exclude_paths:
  - tests/fixtures/
  - node_modules/
  - "*.min.js"
disable_rules:
  - JS-008   # skip a specific rule
```

### Pre-commit config (`.shipguard-precommit.yml`)

Stricter settings for the pre-commit hook:

```yaml
severity_threshold: high
exclude_paths:
  - tests/
  - docs/
```
## Report Example

Terminal output:

```text
============================================================
Git Security Scan Report
============================================================
Directory: /home/user/my-project
Timestamp: 2026-03-19T10:30:00Z
Tools: gitleaks (2 findings), shipguard (3 findings)

Findings: 5
  critical: 1
  high: 1
  medium: 3

🔴 [CRITICAL] aws-access-key-id (gitleaks)
   config/settings.py:42
   AWS access key ID detected
   > AKIAIOSFODNN7EXAMPLE
   Fix: Rotate this credential immediately. Remove from git history
```