security-leak-guardrails
Security Leak Guardrails
Reusable workflow for preventing secrets from entering git and for continuously scanning a repo for leaks.
Quick start
- Inventory existing security tooling (gitleaks/trufflehog, hooks, workflows, dependabot).
- Add forbidden-path checks and the hook script.
- Add gitleaks config and a local security check script.
- Add CI secret scanning and Dependabot.
- Update .gitignore and document the policy.
Workflow
Step 1: Inventory
- Check for existing .gitleaks.toml, .github/workflows/secret, dependabot.yml, and hook tooling.
- If the repo already uses hooks (husky/lefthook/pre-commit), integrate instead of replacing.
Step 2: Forbidden paths + hook
More from regenrek/agent-skills
hard-cut
Enforce a hard-cut cleanup policy: keep one canonical implementation and delete compatibility, migration, fallback, adapter, coercion, and dual-shape code. Use for pre-release or internal-draft refactors where the goal is one final shape, especially when changing schemas, contracts, persisted state, routing, configuration, feature flags, enum/value sets, or architecture.
16root-cause-finder
Performs root-cause-first debugging and review by tracing expected behavior to the first unintended side effect before changing contracts, parsing, or types. Use when debugging protocol errors, deserialization failures, null payloads, missing fields, restore or hydration issues, state-ownership bugs, unexpected requests, background mutations, or reviewing junior-created code where the visible failure may be downstream noise.
7consolidate-test-suites
Decide exactly where bug-fix test coverage belongs. Use before adding, moving, or deleting tests after a bug fix or architectural change. Select one owning layer, reuse existing canonical suites, block redundant or weakly placed tests, and remove weaker duplicates.
7find-duplicate-ownership
Find duplicate ownership, hidden second sources of truth, and contract drift in layered codebases. Use when reviewing normalization, validation, defaulting, canonicalization, persistence mapping, runtime-vs-durable state, duplicated helpers, query or cache ownership, or any "who owns this rule?" architecture question. Especially useful for SSOT audits across frontend, backend, shared core, and adapter layers, and when the user explicitly asks for duplicate-ownership exploration with subagents.
5git-safe-workflow
Safely inspect, stage, commit, and (only if asked) push changes made by an AI agent. Use for commit/push requests, end-of-task checkpoints, merge conflict resolution, worktree safety checks, or deciding whether to use git commit --amend.
4shellck
Run shellcheck on shell scripts after editing scripts or when debugging shell errors. Use for linting scripts in a repo (especially scripts/), catching issues like set -u with unset vars, bad subshell usage, or quoting mistakes.
3