By name: secure-repo description: Use when asked to add secret scanning, install git hooks, protect against committing API keys/passwords/tokens, set up security for a repo, or after running git clone on a new repository. argument-hint: [repo-path]
Secure Repository - Secret Scanning Hooks
Installs git pre-commit hooks that scan for secrets before each commit.
MANDATORY: Version Check (Run on Skill Load)
CRITICAL: You MUST run this bash block when the skill is first loaded, before doing anything else.
# Check for skill updates
PLUGIN_JSON=$(ls -t ~/.claude/plugins/cache/alliance-plugins/git-safety/*/.claude-plugin/plugin.json 2>/dev/null | head -1)
INSTALLED_VERSION=$(grep -o '"version": "[^"]*"' "$PLUGIN_JSON" 2>/dev/null | cut -d'"' -f4)
LATEST_VERSION=$(curl -sf --max-time 3 https://raw.githubusercontent.com/alliance-genome/agr_claude_code/main/plugins/git-safety/.claude-plugin/plugin.json 2>/dev/null | grep -o '"version": "[^"]*"' | cut -d'"' -f4)
if [ -z "$LATEST_VERSION" ]; then
echo "Skill version: ${INSTALLED_VERSION} (could not check for updates)"
elif [ "$INSTALLED_VERSION" != "$LATEST_VERSION" ]; then
echo "*** UPDATE AVAILABLE *** Installed v${INSTALLED_VERSION}, latest v${LATEST_VERSION}"
echo "Run: /plugin marketplace update alliance-plugins"
else
echo "Skill version: ${INSTALLED_VERSION} (up to date)"
fi
Step 1: Check/Install Tools
First, check if the required tools are installed:
"${CLAUDE_PLUGIN_ROOT}/scripts/setup.sh"
If tools are missing, the script will show installation instructions.
Quick Install (macOS with Homebrew)
brew install gitleaks trufflehog
Quick Install (Linux)
Gitleaks:
GITLEAKS_VERSION=$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | grep tag_name | cut -d'"' -f4)
curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION#v}_linux_x64.tar.gz" | sudo tar -xz -C /usr/local/bin gitleaks
TruffleHog:
TRUFFLEHOG_VERSION=$(curl -s https://api.github.com/repos/trufflesecurity/trufflehog/releases/latest | grep tag_name | cut -d'"' -f4)
curl -sSL "https://github.com/trufflesecurity/trufflehog/releases/download/${TRUFFLEHOG_VERSION}/trufflehog_${TRUFFLEHOG_VERSION#v}_linux_amd64.tar.gz" | sudo tar -xz -C /usr/local/bin trufflehog
After installing, verify with:
gitleaks version && trufflehog --version
Step 2: Install Git Hooks
Once tools are installed, add the pre-commit hook to your repository.
To Current Repository
# Verify you're in a git repo
git rev-parse --show-toplevel
# Copy the pre-commit hook
cp "${CLAUDE_PLUGIN_ROOT}/scripts/pre-commit" .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit
# Verify installation
echo "Hook installed:" && ls -la .git/hooks/pre-commit
To a Specific Repository
# Replace REPO_PATH with the target directory
REPO_PATH="path/to/repo"
cp "${CLAUDE_PLUGIN_ROOT}/scripts/pre-commit" "${REPO_PATH}/.git/hooks/pre-commit"
chmod +x "${REPO_PATH}/.git/hooks/pre-commit"
What the Hook Does
On every git commit, the pre-commit hook:
- Gitleaks scan - Detects API keys, passwords, tokens, private keys
- TruffleHog scan - Detects AWS keys, Slack webhooks, other secrets
If either tool finds potential secrets, the commit is blocked.
Test the Hook
To verify the hook works, create a test file with a fake secret pattern:
# Generate a fake AWS-style key for testing (don't use real keys!)
echo 'AWS_KEY="AKIA'$(openssl rand -hex 8 | tr '[:lower:]' '[:upper:]')'"' > test-secret.txt
git add test-secret.txt
git commit -m "test" # Should be blocked!
# Clean up
git reset HEAD test-secret.txt
rm test-secret.txt
If a Commit is Blocked
- Review the findings - Check if it's a real secret or false positive
- Remove the secret - If real, remove it from the staged files
- For false positives - Add pattern to
.gitleaksignore
Bypass (Use With Extreme Caution)
Only after confirming a detection is a false positive:
git commit --no-verify