Git Safety Skill
Comprehensive security scanning, cleaning, and prevention for git repositories.
CRITICAL WARNING
Removing secrets from git history does NOT make them safe!
Even after cleaning git history:
- GitHub is scraped by bots within seconds of a push
- Archive services may have captured snapshots
- Forks retain the original history
- CI/CD logs may contain the values
- The old commits stay fetchable by SHA, and visible in pull requests and cached views, until the hosting provider purges them; on GitHub that requires a request to GitHub Support
ALWAYS rotate leaked credentials immediately. Cleaning history is NOT enough.
Modes of Operation
1. /git-safety scan - Detect Sensitive Files
Scan repository for sensitive files in current state and git history.
2. /git-safety clean - Remove from History
Remove sensitive files using git-filter-repo or BFG.
3. /git-safety prevent - Set Up Prevention
Configure .gitignore and pre-commit hooks.
4. /git-safety full - Complete Audit
Run all three operations in sequence.
Sensitive File Patterns
.env, .env.*, credentials.json, service-account*.json
*.pem, *.key, id_rsa*, secrets.*, .npmrc, *.secret
Quick Commands
Scan for sensitive files in history (this matches file names only, not file contents):
```bash
git log --all --pretty=format: --name-only --diff-filter=A | sort -u | grep -iE 'env|secret|credential|key'
```
Remove .env from all history (run it in a fresh clone; --force is only needed on anything else):
```bash
git filter-repo --path .env --invert-paths --force
# git-filter-repo deletes the origin remote so the old history cannot be pushed back by accident;
# re-add it, then overwrite every branch AND every tag (--all does not push tags)
git remote add origin <url>
git push origin --force --all
git push origin --force --tags
```
Add to .gitignore (printf rather than echo -e, which is not portable across shells):
```bash
printf '%s\n' '' '.env' '.env.*' '*.pem' '*.key' 'credentials.json' >> .gitignore
```
Emergency Response
If you've leaked credentials:
- IMMEDIATELY rotate the credential
- Check access logs for any use of the leaked value
- Run /git-safety clean
- Force push the cleaned history
- Notify the team to re-clone (a pull into an existing clone merges the old commits straight back in)
- Update .gitignore
- Set up pre-commit hooks
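The scan, clean and prevent steps above, run end to end against a constructed throwaway repository, as an added example that is not the git-safety skill's own code. It reuses the skill's file patterns and quick commands; the combined regex, the safety.sensitiveRe config key the hook reads, the AWS access key id shape used as a content check, the demo repository with AWS's documented placeholder key, and the git filter-branch fallback used when git-filter-repo is not installed are all this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the git-safety skill's own code: scan -> clean -> prevent on a constructed repo.
# Assumptions: the regex below (the skill's patterns, anchored on the basename), the safety.sensitiveRe
# config key, an AWS access key id as the content check, and git filter-branch when git-filter-repo is absent.

SENSITIVE_RE='(^|/)(\.env(\..*)?|credentials\.json|service-account.*\.json|.*\.pem|.*\.key|id_rsa.*|secrets\..*|\.npmrc|.*\.secret)$'
SECRET_CONTENT_RE='AKIA[0-9A-Z]{16}'   # shape of an AWS access key id

# Constructed repo: a .env holding AWS's documented placeholder key is committed and then deleted,
# so the secret is gone from the working tree but still sits in history.
make_demo_repo() {
  local dir; dir=$(mktemp -d)
  git -C "$dir" -c init.defaultBranch=main init -q
  git -C "$dir" config user.email dev@example.com
  git -C "$dir" config user.name dev
  printf 'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n' > "$dir/.env"
  printf 'print("hello")\n' > "$dir/app.py"
  git -C "$dir" add -A && git -C "$dir" commit -q -m "initial"
  git -C "$dir" rm -q .env && git -C "$dir" commit -q -m "remove .env"
  echo "$dir"
}

# scan: every path ever added on any ref, filtered by the sensitive-name regex.
scan_history() {
  git -C "$1" log --all --pretty=format: --name-only --diff-filter=A \
    | sort -u | grep -E "$SENSITIVE_RE" || true
}

# scan: blob contents in every commit reachable from any ref (catches secrets in innocuous file names).
scan_content() {
  git -C "$1" grep -I -E "$SECRET_CONTENT_RE" $(git -C "$1" rev-list --all) || true
}

# clean: drop a path from all history, then expire reflogs and prune so the old blobs are really gone locally.
clean_path() {
  local dir=$1 path=$2
  if command -v git-filter-repo >/dev/null 2>&1; then
    git -C "$dir" filter-repo --path "$path" --invert-paths --force
  else
    FILTER_BRANCH_SQUELCH_WARNING=1 git -C "$dir" filter-branch -f \
      --index-filter "git rm -q --cached --ignore-unmatch '$path'" -- --all >/dev/null 2>&1
    git -C "$dir" for-each-ref --format='%(refname)' refs/original/ \
      | while read -r ref; do git -C "$dir" update-ref -d "$ref"; done
  fi
  git -C "$dir" reflog expire --expire=now --all
  git -C "$dir" gc -q --prune=now
}

# prevent: a pre-commit hook that refuses sensitive file names and key-shaped staged content.
install_precommit_hook() {
  local dir=$1
  git -C "$dir" config safety.sensitiveRe "$SENSITIVE_RE"
  mkdir -p "$dir/.git/hooks"
  cat > "$dir/.git/hooks/pre-commit" <<'EOF'
#!/usr/bin/env bash
# Fail closed if the pattern is missing rather than silently allowing everything.
re=$(git config --get safety.sensitiveRe) || { echo "pre-commit: safety.sensitiveRe not set" >&2; exit 1; }
status=0
while IFS= read -r -d '' f; do
  if printf '%s\n' "$f" | grep -Eq "$re"; then
    echo "pre-commit: refusing sensitive file: $f" >&2; status=1
  elif git show ":$f" | grep -IEq 'AKIA[0-9A-Z]{16}'; then
    echo "pre-commit: $f contains an AWS access key id" >&2; status=1
  fi
done < <(git diff --cached --name-only -z --diff-filter=AM)
exit "$status"
EOF
  chmod +x "$dir/.git/hooks/pre-commit"
}

# Try to commit a constructed private key; prints blocked=yes when the hook rejects it.
try_commit_secret() {
  local dir=$1
  printf -- '-----BEGIN RSA PRIVATE KEY-----\nconstructed\n' > "$dir/deploy.key"
  git -C "$dir" add deploy.key
  if git -C "$dir" commit -q -m "add key"; then echo blocked=no; else echo blocked=yes; fi
  git -C "$dir" rm -q --cached deploy.key && rm -f "$dir/deploy.key"
}

main() {
  local d; d=$(make_demo_repo)
  echo "== scan (names)";   scan_history "$d"
  echo "== scan (content)"; scan_content "$d"
  clean_path "$d" .env
  echo "== after clean: $(scan_history "$d" | wc -l) sensitive names remain"
  install_precommit_hook "$d"
  echo "== hook: $(try_commit_secret "$d")"
  rm -rf "$d"
}
main
```

The content scan is the part the name-only quick command lacks: a key pasted into config.py never matches a file-name pattern. Note that the local prune only proves the blob is gone from this clone; every other clone, fork and the hosting provider still hold it, which is why rotation comes first.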
For complete scan commands, the cleaning process with git-filter-repo/BFG, pre-commit hook setup, .gitignore templates, platform-specific guidance, and the detailed emergency checklist, see:
references/full-guide.md