Back to Details

secret-leak-check

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Secret & Privacy Leak Check Skill

密钥与隐私泄露检测Skill

Use this skill when reviewing repository changes for accidental exposure of sensitive data.
在审查仓库变更以排查敏感数据意外暴露问题时,可使用该Skill。

Skill Overview

Skill概述

This skill helps you detect:
  1. Traditional secrets (tokens, API keys, credentials, connection strings).
  2. Sensitive architecture details (database schema/internal topology details that should not be public).
  3. Privacy data (personal email addresses, phone numbers, real names).
  4. Leakage risks in commit messages.
  5. Git identity/privacy misconfiguration in open-source contexts.
本Skill可帮助您检测以下内容:
  1. 传统密钥(令牌、API密钥、凭证、连接字符串)。
  2. 敏感架构细节(不应公开的数据库架构/内部拓扑细节)。
  3. 隐私数据(个人邮箱地址、电话号码、真实姓名)。
  4. 提交消息中的泄露风险。
  5. 开源环境下Git身份/隐私配置错误。

Core Principles

核心原则

  1. Scope first, then rules: Determine scan scope before running pattern checks.
  2. Diff-first by default: Prioritize review of newly introduced risk.
  3. Context-aware checks: Apply open-source/GitHub-specific checks only when conditions match.
  4. Actionable results only: Report findings with severity, location, and remediation guidance.
  1. 先定范围,再执行规则:在运行模式检查前确定扫描范围。
  2. 默认优先对比差异:优先审查新引入的风险。
  3. 上下文感知检查:仅当条件匹配时,才应用开源/GitHub专属检查。
  4. 仅返回可执行结果:报告结果时需包含风险等级、位置和修复指导。

Workflow

工作流程

Step 1: Determine Scan Scope

步骤1:确定扫描范围

Use references/scope_selection.md.
Default behavior when user gives no explicit scope:
  1. Scan staged changes first (index vs 
    HEAD
    , e.g., 
    git diff --cached
    ).
  2. Then scan unstaged working tree changes (working tree vs index, e.g., 
    git diff
    ).
  3. If no staged changes exist, scan all modified and untracked files in the working tree.
If user explicitly asks to scan all commits in a PR, expand scope to:
  • Current staged diff (index vs 
    HEAD
    , if any).
  • Current unstaged/untracked working tree changes (working tree vs index, if any).
  • Every commit in the PR range, scanned commit-by-commit for leak content in diffs and commit messages.
If user explicitly asks to scan all files, ignore diff-only logic and scan the entire requested range. After scope is determined, build the concrete target file list. Do not report "full scan complete" unless all in-scope files satisfy both conditions.
If any files are excluded, list them explicitly with reason.
参考[references/scope_selection.md]。
当用户未指定明确范围时的默认行为:
  1. 优先扫描暂存的变更(索引与
    HEAD
    对比,例如
    git diff --cached
    )。
  2. 然后扫描未暂存的工作区变更(工作区与索引对比,例如
    git diff
    )。
  3. 如果没有暂存变更,则扫描工作区中所有已修改和未跟踪的文件。
如果用户明确要求扫描PR中的所有提交,则扩展扫描范围至:
  • 当前暂存差异(索引与
    HEAD
    对比,若存在)。
  • 当前未暂存/未跟踪的工作区变更(工作区与索引对比,若存在)。
  • PR范围内的每一个提交,逐次扫描差异和提交消息中的泄露内容。
如果用户明确要求扫描所有文件,则忽略仅差异逻辑,扫描指定范围内的全部内容。 确定范围后,构建具体的目标文件列表。仅当所有范围内的文件都满足条件时,才报告“完整扫描完成”。
若有文件被排除,需明确列出并说明原因。

Step 2: Apply Detection Rules by Data Category

步骤2:按数据类别应用检测规则

Use references/detection_rules.md.
Run category-specific checks for:
  • Secret tokens and API keys.
  • Credential-like material and high-risk config values.
  • Database schema/internal structure leakage.
  • PII and privacy data (email, phone, real name).
参考[references/detection_rules.md]。
针对以下类别运行专属检查:
  • 密钥令牌与API密钥。
  • 类凭证材料与高风险配置值。
  • 数据库架构/内部结构泄露。
  • PII与隐私数据(邮箱、电话、真实姓名)。

Step 3: Run Scenario-Specific Checks

步骤3:运行场景专属检查

Load only relevant references:
  • Diff/staging behavior: references/scenario_diff_and_staging.md
  • Full-repo/range behavior: references/scenario_full_scan.md
  • Commit message review: references/scenario_commit_messages.md
If the user does not explicitly disable it, also check commit messages in the active scan range. If user explicitly asks to scan all commits in a PR, commit message checks must cover each commit in that PR range.
仅加载相关参考文档:
  • 差异/暂存行为:[references/scenario_diff_and_staging.md]
  • 全仓库/范围行为:[references/scenario_full_scan.md]
  • 提交消息审查:[references/scenario_commit_messages.md]
若用户未明确禁用,还需检查当前扫描范围内的提交消息。 若用户明确要求扫描PR中的所有提交,提交消息检查必须覆盖该PR范围内的每一个提交。

Step 4: Validate Git Identity Privacy (Conditional)

步骤4:验证Git身份隐私(条件触发)

Use references/scenario_git_identity_privacy.md.
Rules:
  1. Only for open-source project scenario: check whether git config email may expose personal email.
  2. Only when the remote is GitHub: check whether a GitHub privacy email (
    <id>+<username>@users.noreply.github.com
    ) is used when privacy is desired.
参考[references/scenario_git_identity_privacy.md]。
规则:
  1. 仅针对开源项目场景:检查Git配置邮箱是否可能暴露个人邮箱。
  2. 仅当远程仓库为GitHub时:检查在需要隐私保护时是否使用了GitHub隐私邮箱(
    <id>+<username>@users.noreply.github.com
    )。

Step 5: Report Findings

步骤5:报告检测结果

Use references/reporting_template.md.
For each finding include:
  • Severity (
    critical
    /
    high
    /
    medium
    /
    low
    )
  • Category (
    secret
    /
    privacy
    /
    metadata
    )
  • Location (file path, diff hunk, or commit hash/message)
  • Why it is risky
  • Concrete remediation
参考[references/reporting_template.md]。
每一项检测结果需包含:
  • 风险等级(
    critical
    /
    high
    /
    medium
    /
    low
  • 类别(
    secret
    /
    privacy
    /
    metadata
  • 位置(文件路径、差异代码块或提交哈希/消息)
  • 风险原因
  • 具体修复建议

Response Template

响应模板

Scan Scope: [staged diff / working-tree-vs-HEAD / changed files / full scan / pr-all-commits]
Context Checks:
  • Open-source scenario: [yes/no]
  • GitHub remote detected: [yes/no]
Findings Summary:
  • Critical: [count]
  • High: [count]
  • Medium: [count]
  • Low: [count]
Findings:
  • [severity] [category] [location] — [risk] — [recommended fix]
Commit Message Review:
  • [result for checked commit range]
Git Identity Privacy Check:
  • [result and recommendation]
扫描范围:[暂存差异 / 工作区与HEAD对比 / 已修改文件 / 全量扫描 / PR所有提交]
上下文检查:
  • 开源场景:[是/否]
  • 检测到GitHub远程仓库:[是/否]
检测结果汇总:
  • 严重:[数量]
  • 高:[数量]
  • 中:[数量]
  • 低:[数量]
检测详情:
  • [风险等级] [类别] [位置] — [风险说明] — [建议修复方案]
提交消息审查结果:
  • [已检查提交范围的结果]
Git身份隐私检查结果:
  • [结果与建议]