feat: add /secrets-scan skill and pre-ship gate (Step 3.48) #623
Open
Paebak wants to merge 1 commit into garrytan:main from
Adds a new `/secrets-scan` skill that scans the branch diff and git history for hardcoded secrets before code ships.

- New `secrets-scan/SKILL.md` + `SKILL.md.tmpl` — standalone skill covering 6 phases: scope detection, diff scan, history scan, confidence scoring, remediation guidance, and gate logic
- Detects AWS keys, GitHub tokens, Slack tokens, OpenAI keys, Google API keys, JWT tokens, private keys, and generic key/secret/password patterns with entropy-based confidence scoring
- Auto-filters false positives: env var references, placeholders, test fixtures, and comments
- New `Step 3.48` in `/ship` — loads and runs secrets-scan inline between plan verification (3.47) and pre-landing review (3.5)
- Gate blocks shipping on high-confidence findings with AskUserQuestion; false positive overrides are logged

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Motivation
Working in threat detection and log management at a Fortune 100 company — processing petabytes of data daily across a large enterprise environment — one pattern shows up constantly: teams shipping code with hardcoded credentials. It's one of the most common and most preventable incident triggers. You see it in git history audits, in SIEM alerts firing on leaked tokens, in post-incident reviews. The fix is almost always the same: the developer didn't have a fast, in-context check that caught it before the push.
gstack ships fast. That's the whole point. This PR adds a lightweight secrets gate so speed doesn't come at the cost of a credential leak.
What's in this PR
New skill: `/secrets-scan`

A standalone skill (`secrets-scan/SKILL.md`) that scans the branch diff and git history for hardcoded secrets before code lands. Six phases; the gate phase hooks into `/ship` and blocks with `AskUserQuestion` or passes silently.

Auto-filters false positives: `process.env.` references, `${VAR}` interpolations, placeholder strings (`your-key-here`, `CHANGEME`, `xxxx`), test fixture paths, and comments.

`/ship` Step 3.48

Inserts the secrets scan gate between Step 3.47 (plan verification) and Step 3.5 (pre-landing review). Loads `/secrets-scan` inline — same pattern as the existing plan verification step. Adds a `## Secrets Scan` section to the PR body. If the skill file is missing, the gate skips gracefully and logs the reason.
Test plan
- `/secrets-scan` runs standalone on a branch with no secrets — prints CLEAR
- `/secrets-scan` detects a hardcoded `AKIA...` AWS key in a diff — surfaces with CRITICAL finding
- `/secrets-scan` ignores `process.env.API_KEY` and `${TOKEN}` references — no false positive
- `/ship` runs Step 3.48 and passes through cleanly on a clean branch
- `/ship` Step 3.48 blocks and shows `AskUserQuestion` when a finding >= 60 confidence is found
- `/ship` Step 3.48 skips gracefully when `secrets-scan/SKILL.md` is not installed

🤖 Generated with Claude Code
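As an added example (not code from this PR or from gstack, whose skill is a prompt file rather than code), a small Python model of the scan and gate the PR describes: regex detectors with a base confidence, a Shannon-entropy boost, the false-positive filters listed above (`process.env.` references, `${VAR}` interpolation, placeholders, comments), and a gate that blocks at the 60-confidence threshold. The sample diff and every token-looking value in it are constructed, and the pattern set and scoring weights are my assumptions.

```python
import math
import re
# Constructed sample diff; every credential-looking value below is made up.
SAMPLE_DIFF = """\
+++ b/config.py
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAQ3XK7TP2M9VZ6BJH"
+github_token = "ghp_Q4vL9xT2bN8mK1pR7sW3zY6cF0hJ5aD2eG8u"
+db_password = "${DB_PASSWORD}"
+api_key = "your-key-here"
+# secret = "kJ8$wq2Lm9!zR4pT"
+signing_secret = "kJ8$wq2Lm9!zR4pT"
+password = "hunter2"
"""
# (name, regex, base confidence): specific token shapes first and high; generic assignment low, entropy decides.
PATTERNS = [
    ("AWS access key", re.compile(r"AKIA[0-9A-Z]{16}"), 90),
    ("GitHub token", re.compile(r"ghp_[A-Za-z0-9]{36}"), 90),
    ("Generic secret", re.compile(r"(?i)(?:key|secret|password|token)\s*[:=]\s*['\"]([^'\"]{6,})['\"]"), 40),
]
# False-positive filters the PR lists: env references, ${VAR} interpolation, placeholders, comments.
FALSE_POSITIVE = re.compile(r"process\.env\.|\$\{[A-Za-z_]\w*\}|(?i:your-key-here|changeme|x{4,})")
COMMENT = re.compile(r"^\s*(#|//|/\*|\*)")
def shannon_entropy(s: str) -> float:
    # Bits per character: random-looking credentials score well above dictionary words.
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_diff(diff: str) -> list:
    # Scan only added ('+') lines of a unified diff; at most one finding per line.
    findings = []
    for lineno, raw in enumerate(diff.splitlines(), 1):
        if not raw.startswith("+") or raw.startswith("+++"):
            continue
        line = raw[1:]
        if COMMENT.match(line):
            continue
        for name, pattern, base in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if not FALSE_POSITIVE.search(value):
                confidence = min(100, base + (20 if shannon_entropy(value) >= 3.5 else 0))
                findings.append({"line": lineno, "type": name, "confidence": confidence})
            break  # first (most specific) match decides the line
    return findings

def gate(findings: list, threshold: int = 60) -> str:
    # Step 3.48 semantics: BLOCK on any finding at or above the threshold, else CLEAR.
    return "BLOCK" if any(f["confidence"] >= threshold for f in findings) else "CLEAR"
```

On the sample diff the two vendor-shaped keys score 100, the high-entropy generic secret scores 60 and blocks, while `hunter2` stays at 40 and is reported without blocking; the `${DB_PASSWORD}`, placeholder and commented lines are filtered out.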