Git Security Scanner
Unified security scanner that catches leaked secrets, credentials, and code vulnerabilities before they reach your remote. Wraps gitleaks (400+ secret patterns) and shipguard (48+ SAST rules) into a single tool with pre-commit hooks, on-demand scans, and full git history audits.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/celstnblacc/git-security-scanner
Scan your git repositories for leaked secrets, credentials, and security vulnerabilities in one command. Combines gitleaks (pattern-based secret detection) and shipguard (48+ SAST rules across 7 security layers) into a unified scanner with merged reporting.
What You Get
Two Scanning Engines
| Engine | What it does | Rules |
|---|---|---|
| gitleaks | Pattern-based secret detection across files and git history | 400+ built-in rules, custom .gitleaks.toml support |
| shipguard | Static analysis for secrets, shell injection, code injection, supply chain, config issues | 48+ rules: SEC-001–015, SHELL-001–009, PY-001–012, JS-001–008, GHA-001–005, CFG-001–003, SC-001–006 |
Scanning Modes
| Mode | Command | What it checks |
|---|---|---|
| Quick scan | git-security-scan | Current working tree |
| Staged only | git-security-scan --staged-only | Only staged files — for pre-commit hooks |
| Full history | git-security-scan --full-history | Entire git history — finds secrets in old commits |
| Custom severity | git-security-scan --severity critical | Filter by minimum severity level |
What It Catches
Secrets (gitleaks + shipguard SEC rules):
- API keys (AWS, GCP, Azure, OpenAI, Anthropic, Stripe, GitHub, Slack, etc.)
- Database connection strings with embedded passwords
- SSH private keys and PEM files
- JWT tokens and session secrets
- Hardcoded passwords in config files
- .env files accidentally staged
- Credentials in comments or docstrings
Code vulnerabilities (shipguard SAST rules):
- Shell command injection (SHELL-001–009)
- Python code injection: eval(), exec(), unsafe pickle, SQL injection (PY-001–012)
- JavaScript injection: innerHTML, eval(), prototype pollution (JS-001–008)
- GitHub Actions injection: script injection, unpinned actions (GHA-001–005)
- Config issues: debug mode in production, permissive CORS, exposed admin routes (CFG-001–003)
- Supply chain: unpinned dependencies, missing lockfiles, unsigned artifacts (SC-001–006)
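As an added illustration of how a pattern-based staged-file scan and a minimum-severity filter work together (example code written for this page, not the skill's wrapper script and not gitleaks or shipguard), the block below runs a tiny rule set over constructed staged files. The rule IDs, severities, regexes and sample file contents are all placeholders; the AWS key ID is Amazon's documented example value, not a live credential.

```python
import re
from dataclasses import dataclass

# Severity ranks used for the minimum-severity filter (the page's --severity idea).
SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}

@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    path: str
    line: int   # 0 means the finding is about the file itself, not a line

# Hypothetical mini rule set modelled on the categories listed above; IDs are placeholders.
RULES = [
    ("EX-AWS-KEY", "critical", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("EX-PRIVATE-KEY", "critical", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("EX-DB-URL-PASSWORD", "high", re.compile(r"\b(?:postgres|mysql|mongodb)://[^:\s/]+:[^@\s]+@")),
    ("EX-HARDCODED-PASSWORD", "medium", re.compile(r"(?i)password\s*[:=]\s*['\"][^'\"]{6,}['\"]")),
]

def scan_file(path: str, text: str) -> list[Finding]:
    """Run every rule over each line; a staged .env file is itself a finding."""
    findings = []
    if path.split("/")[-1].startswith(".env"):
        findings.append(Finding("EX-ENV-FILE-STAGED", "high", path, 0))
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_id, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(rule_id, severity, path, lineno))
    return findings

def scan_staged(files: dict[str, str], min_severity: str = "low") -> list[Finding]:
    """Scan a {path: contents} map (stands in for staged files), keeping findings at or above min_severity."""
    threshold = SEVERITY_ORDER[min_severity]
    return [f for path, text in files.items() for f in scan_file(path, text)
            if SEVERITY_ORDER[f.severity] >= threshold]

# Constructed staged files; every credential-shaped value is fake.
STAGED = {
    "config/settings.py": 'DATABASE_URL = "postgres://app:hunter2secret@db.internal:5432/app"\nADMIN_PASSWORD = "s3cret-constructed"\n',
    ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed placeholder)\n-----END OPENSSH PRIVATE KEY-----\n",
    "README.md": "Set PASSWORD in your environment; never commit it.\n",
}

def exit_code_for(findings: list[Finding]) -> int:
    """Non-zero blocks the commit, which is what a pre-commit hook relies on."""
    return 1 if findings else 0
```

Running `scan_staged(STAGED, "critical")` keeps only the AWS key and the private key; the default threshold also reports the connection-string password, the staged .env file and the hardcoded password, while README.md produces nothing.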
Output Formats
| Format | Flag | Use case |
|---|---|---|
| Terminal (default) | --format terminal | Color-coded findings with severity icons |
| Markdown | --format markdown | PR comments, documentation, reports |
| JSON | --format json | CI/CD integration, programmatic analysis |
| SARIF | --format sarif | GitHub Security tab integration |
Installation
Prerequisites
# macOS
brew install gitleaks
pipx install shipguard # or: pip install shipguard
# Linux
# gitleaks: download from https://github.com/gitleaks/gitleaks/releases
# shipguard:
pipx install shipguard
Install the Skill
clawhub install git-security-scanner
This adds the git-security-scan wrapper script and the skill definition.
Set Up Pre-Commit Hook
git-security-scan --install-hooks
Metadata
Paste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-celstnblacc-git-security-scanner": {
"enabled": true,
"auto_update": true
}
}
}