# security-audit

> Automated security scanning and safe public repository workflows for the Second Brain project.

- Author: Brennan Wilkerson
- Repository: Brennan-Wilkerson/second-brain-public
- Version: 20251221175750
- Stars: 0
- Forks: 0
- Last Updated: 2026-02-07
- Source: https://github.com/Brennan-Wilkerson/second-brain-public
- Web: https://mule.run/skillshub/@@Brennan-Wilkerson/second-brain-public~security-audit:20251221175750

---

# Security Audit Skill

Automated security scanning and safe public repository workflows for the Second Brain project.

## Description

This skill provides comprehensive security auditing capabilities to prevent credential leaks and ensure safe public repository sharing. It orchestrates multiple security tools (Gitleaks, Trufflehog) and provides guided workflows for credential rotation and public syncing.

## Capabilities

### 1. Pre-Commit Scan

Quick security scan before committing changes.

- **Command**: `/security-audit pre-commit`
- **What it does**: Scans staged files for secrets
- **Use when**: Before every commit (automated via git hook)

### 2. Pre-Push Scan

Comprehensive scan before pushing to a remote.

- **Command**: `/security-audit pre-push`
- **What it does**: Scans the entire push range for secrets
- **Use when**: Before pushing to origin or the public remote

### 3. Full Security Audit

Complete multi-tool security audit.

- **Command**: `/security-audit full`
- **What it does**:
  - Runs Gitleaks on the entire history
  - Runs a Trufflehog verification scan
  - Checks .gitignore coverage
  - Scans git history for leaked secrets
- **Use when**: Before major releases, monthly audits, or before making the repo public

### 4. Credential Rotation

Guided credential rotation workflow.

- **Command**: `/security-audit rotate`
- **What it does**: Step-by-step guide for rotating exposed credentials
- **Use when**: After a security incident or for quarterly maintenance

### 5. Safe Public Sync

Audit and sync to the public repository.

- **Command**: `/security-audit sync-public`
- **What it does**:
  - Runs the full security audit
  - Shows the diff between the private and public repos
  - Confirms before pushing
  - Pushes to the public remote if all checks pass
- **Use when**: Ready to share code publicly

## Tools

The skill uses these wrapper scripts for the security tools:

- **run-gitleaks.sh**: Gitleaks scanner wrapper
- **run-trufflehog.sh**: Trufflehog scanner wrapper
- **check-gitignore.sh**: Verifies .gitignore coverage
- **scan-history.sh**: Git history scanner for secrets

## Installation

This skill is already installed. The git hooks are configured to use these workflows.

## Security Features

**Multi-Layer Protection:**

1. Local git hooks (pre-commit, pre-push)
2. Gitleaks secret detection
3. Trufflehog verification
4. GitHub Secret Scanning (CI/CD)
5. Dependabot vulnerability scanning

**Coverage:**

- ✅ API keys (Supabase, Anthropic, OpenAI, Ref, etc.)
- ✅ OAuth credentials (Google, GitHub)
- ✅ JWT tokens
- ✅ Database passwords
- ✅ Private keys and certificates
- ✅ Email addresses in code
- ✅ Hardcoded credentials

## Examples

### Quick pre-commit check

```bash
/security-audit pre-commit
```

### Full audit before going public

```bash
/security-audit full
```

### Sync to public repository

```bash
/security-audit sync-public
```

### Rotate compromised credentials

```bash
/security-audit rotate
```

## Configuration

The skill respects:

- `.gitleaks.toml` - Gitleaks configuration
- `.gitignore` - Files to ignore
- Git hooks in `.git/hooks/`

## Troubleshooting

**If a scan reports false positives:**

- Add patterns to the `.gitleaks.toml` allowlist
- Update `.gitignore` to exclude generated files

**If a credential is found:**

1. DO NOT commit
2. Run `/security-audit rotate` for guidance
3. Remove the credential from the code
4. Use environment variables
5. Add the file to .gitignore if the credential is stored in one

**If a push is blocked:**

1. Review the detected secret
2. If it is a false positive: update the allowlist
3. If it is a real secret: remove it and rotate the credential
4. Never use `--no-verify` to bypass the hook

## Related Documentation

- `SECURITY.md` - Security policies and incident response
- `.github/SECURITY_CHECKLIST.md` - Manual security checklist
- `docs/SECURITY_PRACTICES.md` - Ongoing security procedures
- `.gitleaks.toml` - Secret detection rules

## Version

**v1.0.0** - Initial release (2025-12-21)

---

**⚠️ IMPORTANT**: This skill is critical security infrastructure. Do not disable or bypass without understanding the implications.
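The Pre-Push Scan capability and the "If push blocked" troubleshooting steps above describe scanning "the entire push range" but leave the hook itself unstated. What follows is an added example of such a pre-push hook; it is not the project's own `run-gitleaks.sh` or its configured hooks. It reads the ref lines git passes on stdin, turns each into a `git log` range, runs gitleaks over that range, and refuses the push on any finding. It assumes gitleaks v8 on `PATH` (the `detect --source --log-opts` flags are from that version; check them against your installed release) and handles the two cases a naive `remote..local` range gets wrong: a newly pushed branch (remote sha is all zeros, so the whole local history of that ref is scanned) and a branch deletion (local sha is all zeros, so there is nothing to scan).

```shell
#!/bin/sh
# Hypothetical pre-push hook (added example, not the project's script).
# git writes one line per ref being pushed on stdin:
#   <local ref> <local sha> <remote ref> <remote sha>
# and invokes the hook with two arguments: remote name and remote URL.
set -e

ZERO_SHA=0000000000000000000000000000000000000000

# Map one (local sha, remote sha) pair to the log range gitleaks should scan.
# Prints nothing for a branch deletion.
push_range() {
    local_sha=$1
    remote_sha=$2
    if [ "$local_sha" = "$ZERO_SHA" ]; then
        return 0                      # deleting a remote branch pushes no commits
    fi
    if [ "$remote_sha" = "$ZERO_SHA" ]; then
        printf '%s\n' "$local_sha"    # new branch: remote has nothing, scan all local history
    else
        printf '%s..%s\n' "$remote_sha" "$local_sha"
    fi
}

# Scan one range with gitleaks. Any non-zero exit (leak found, or the tool
# itself failing) blocks the push, so the hook fails closed.
# Flag names follow gitleaks v8 (assumption; verify against your version).
scan_range() {
    range=$1
    gitleaks detect --source . --log-opts="$range" --redact --no-banner
}

# Read the ref lines git provides and scan every range; return 1 if any fails.
scan_push() {
    status=0
    while read -r local_ref local_sha remote_ref remote_sha; do
        range=$(push_range "$local_sha" "$remote_sha") || return 1
        if [ -z "$range" ]; then
            continue
        fi
        if ! scan_range "$range"; then
            echo "pre-push: secret detected in $local_ref ($range); push blocked." >&2
            echo "pre-push: remove the secret, rotate the credential (/security-audit rotate), then push again." >&2
            status=1
        fi
    done
    return $status
}

# git always passes two arguments to pre-push; with none, only the functions
# above are defined, so the file can be sourced for testing.
if [ $# -eq 2 ]; then
    scan_push || exit 1
fi
```

Install it as an executable `.git/hooks/pre-push`. A push of several branches produces several stdin lines, and every range is scanned before the verdict is given, so one clean branch cannot hide a leaking one; a gitleaks error (for example, the binary missing) also blocks the push rather than silently letting it through.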