TL;DR
These prompts help you set up automated secret scanning at multiple levels: pre-commit hooks to catch secrets before they're committed, GitHub Actions for CI/CD checks, and repository settings for continuous monitoring. This layered approach catches credentials before they become a problem.
Pre-Commit Hook Setup
Copy this prompt to configure pre-commit hooks that block secrets before they ever reach git history. Your AI will set up detect-secrets, gitleaks, or truffleHog with custom patterns, false-positive allowlisting, and team onboarding documentation.
Pre-Commit Hooks Setup
Set up pre-commit hooks to scan for secrets before any commit.
I want to use a tool like:
- detect-secrets (Python, very thorough)
- gitleaks (Go, fast)
- truffleHog (Python, checks git history too)
Please:
- Create the pre-commit configuration file
- Add common secret patterns to detect
- Set up allowlisting for false positives
- Add installation instructions for team members
- Make it work on both Mac and Linux
The hook should:
- Block commits containing potential secrets
- Show clear error messages about what was detected
- Provide a way to allowlist false positives
- Be fast enough not to slow down development
Also create documentation for the team on how to use it.
GitHub Actions Secret Scanning
Use this prompt to create a GitHub Actions workflow that scans every PR and push for leaked secrets. Your AI will generate the workflow YAML, a gitleaks configuration file, and documentation for handling detected secrets.
GitHub Actions Scanner
Create a GitHub Actions workflow that scans for secrets on every PR and push.
Requirements:
- Run on all pull requests and pushes to main
- Use gitleaks or similar tool
- Scan only changed files for PRs (faster)
- Scan entire repo on main branch pushes
- Fail the CI if secrets are detected
- Output results in a clear format
The workflow should:
- Not block legitimate commits (handle false positives)
- Run quickly (under 2 minutes for typical repos)
- Support a configuration file for custom rules
- Send notifications on failures
Create:
- .github/workflows/secret-scan.yml
- .gitleaks.toml with project-specific configuration
- Documentation on how to handle detected secrets
GitHub Built-in Secret Scanning
This prompt asks your AI to walk you through enabling GitHub's native secret scanning and push protection. You'll get step-by-step instructions for repository settings, alert management, and custom pattern configuration.
Enable GitHub Secret Scanning
Help me enable and configure GitHub's built-in secret scanning.
I need to know:
- How to enable secret scanning in repository settings
- What types of secrets GitHub detects automatically
- How to view and manage alerts
- How to configure push protection (block commits with secrets)
- How GitHub notifies service providers when their tokens are found
Also explain:
- Is this free for my repository type (public/private)?
- What's the difference between secret scanning and push protection?
- How do I handle false positives?
- Can I add custom secret patterns?
Give me step-by-step instructions to enable all available protections.
Custom Pattern Detection
Copy this prompt to create custom detection rules for your company's internal API key formats and service-specific credentials. Your AI will generate regex patterns optimized for low false positives, formatted for both gitleaks.toml and pre-commit config.
Custom Secret Patterns
Create custom secret detection patterns for my project.
I need to detect:
- Internal API keys with our company's format
- Database connection strings for our specific services
- Custom authentication tokens
- Service-specific credentials
For each pattern:
- Create a regex that matches it
- Minimize false positives
- Add to both pre-commit and CI configurations
- Document what each pattern detects
Also create patterns to avoid false positives:
- Test/example values
- Documentation references
- Placeholder strings
Format the output for both gitleaks.toml and pre-commit config.
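A runnable version of the custom-pattern rules above, wired as the kind of pre-commit hook the earlier prompt asks for (block the commit, print a clear message per hit, offer an allowlist escape hatch). This is an added example, not code from the page or from gitleaks, detect-secrets or pre-commit; the "acme" key and connection-string formats are hypothetical stand-ins for a company's internal formats, and the rule regexes are written so they can be pasted unchanged into a gitleaks.toml `[[rules]]` entry.

```python
import re
import subprocess
import sys

INLINE_ALLOW = "# pragma: allowlist secret"  # detect-secrets' inline allowlist marker

# Hypothetical company formats: each rule has a credential regex plus allow regexes
# for known false positives (test keys, zero placeholders, ${ENV} or <placeholder>
# passwords). The same regexes go into gitleaks.toml [[rules]] / [rules.allowlist].
RULES = [
    {"id": "acme-internal-api-key",
     "regex": re.compile(r"\bacme_(?:live|test)_[0-9a-f]{32}\b"),
     "allow": [re.compile(r"acme_test_"), re.compile(r"0{32}")]},
    {"id": "acme-db-connection-string",
     "regex": re.compile(r"postgres(?:ql)?://[^:\s]+:[^@\s]+@[\w.-]+\.acme\.internal"),
     "allow": [re.compile(r"://[^:]+:(?:password|changeme|<[^>]+>|\$\{[^}]+\})@", re.I)]},
]

def scan_text(text, path="<stdin>"):
    """(path, line_no, rule_id) for each matching line that is not allowlisted
    inline or by the rule's own allow regexes."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if INLINE_ALLOW in line:
            continue
        for rule in RULES:
            m = rule["regex"].search(line)
            if m and not any(a.search(m.group(0)) for a in rule["allow"]):
                findings.append((path, no, rule["id"]))
    return findings

def staged_files():
    """Paths staged for commit: all a pre-commit hook needs to scan."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                         capture_output=True, text=True, check=True).stdout
    return out.splitlines()

def main():
    findings = []
    for path in staged_files():
        with open(path, errors="replace") as fh:
            findings += scan_text(fh.read(), path)
    for path, no, rule_id in findings:  # one clear, actionable line per hit
        print(f"{path}:{no}: possible secret ({rule_id}); "
              f"if intentional, append '{INLINE_ALLOW}' to that line")
    return 1 if findings else 0  # non-zero exit blocks the commit

if __name__ == "__main__":
    sys.exit(main())
```

Register it in .pre-commit-config.yaml as a `repo: local` hook with `entry: python scripts/check_secrets.py` and `pass_filenames: false`; running `scan_text` over your own test and placeholder values is the cheapest way to prove a new pattern does not false-positive before it reaches CI.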
Layer your defenses: Use both pre-commit hooks (prevents commits) and CI scanning (catches anything that slips through). Pre-commit hooks can be skipped with --no-verify, so CI is your safety net.
Scan Existing Repository
Use this prompt to audit your entire repository, including git history, for secrets that may have been committed in the past. Your AI will generate a prioritized report with remediation steps for each finding.
Full Repo Scan
Help me scan my existing repository for secrets that may have been committed in the past.
I need to:
- Scan all current files for secrets
- Scan the entire git history for past secrets
- Generate a report of findings
- Prioritize by severity (live keys vs test keys)
For any secrets found:
- Identify when they were committed
- Check if they're still present in current code
- Determine if they're in the git history only
- Recommend remediation steps
After the scan:
- List all secrets that need rotation
- Show which files in history need cleaning
- Provide commands to clean git history if needed
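Triage logic for the output of a full-history scan, covering the report, prioritisation and rotation-list steps in the prompt above. This is an added example, not code from the page or from gitleaks; it assumes the report was produced by `gitleaks detect` with `--report-format json` and uses the field names that report carries (RuleID, Secret, File, Commit, Date, Fingerprint). The findings and working-tree contents are constructed sample data.

```python
import json
import re

TEST_VALUE = re.compile(r"test|example|placeholder|changeme|0{16,}", re.I)  # tune to your placeholders

def triage(report_json, current_files):
    """Collapse a gitleaks JSON report into one entry per distinct secret.
    current_files maps path -> working-tree content (a deleted file is absent).
    priority 1 = live secret still in the tree, 2 = live but history-only,
    3 = looks like a test value. Sorted by priority, then first commit date."""
    by_secret = {}
    for f in json.loads(report_json):
        e = by_secret.setdefault((f["RuleID"], f["Secret"]), {
            "rule": f["RuleID"], "first_commit": f["Commit"], "first_seen": f["Date"],
            "files": set(), "fingerprints": [], "in_tree": False})
        e["files"].add(f["File"])
        e["fingerprints"].append(f["Fingerprint"])  # the form .gitleaksignore expects
        if f["Date"] < e["first_seen"]:             # ISO-8601 dates sort lexically
            e["first_seen"], e["first_commit"] = f["Date"], f["Commit"]
        e["in_tree"] |= f["Secret"] in current_files.get(f["File"], "")
    for (_, secret), e in by_secret.items():
        e["files"] = sorted(e["files"])
        if TEST_VALUE.search(secret):
            e["priority"], e["action"] = 3, "confirm it is a test value, then allowlist by fingerprint"
        elif e["in_tree"]:
            e["priority"], e["action"] = 1, "rotate now, remove from code, then rewrite history"
        else:
            e["priority"], e["action"] = 2, "rotate now; present only in history, rewrite it"
    return sorted(by_secret.values(), key=lambda e: (e["priority"], e["first_seen"]))

def files_to_clean(entries):
    """Paths whose history carries a live secret (the path list for git filter-repo)."""
    return sorted({p for e in entries if e["priority"] < 3 for p in e["files"]})

def _finding(rule, secret, path, commit, date):  # constructed, gitleaks-shaped record
    return {"RuleID": rule, "Secret": secret, "File": path, "Commit": commit,
            "Date": date, "Fingerprint": f"{commit}:{path}:{rule}:1"}
KEY = "acme_live_3f9a1c2b4d5e6f708192a3b4c5d6e7f8"  # constructed sample values
SAMPLE_REPORT = json.dumps([  # same key in two commits, a deleted script, a placeholder
    _finding("generic-api-key", KEY, "config/settings.py", "b2c3d4e", "2023-02-01T10:00:00Z"),
    _finding("generic-api-key", KEY, "config/settings.py", "a1b2c3d", "2023-01-10T09:00:00Z"),
    _finding("stripe-access-token", "sk_live_9Ks2pQ7wRt4vXz1mNb8cLd", "scripts/deploy.sh", "c3d4e5f", "2022-11-20T08:30:00Z"),
    _finding("generic-api-key", "acme_live_00000000000000000000000000000000", "docs/README.md", "d4e5f6a", "2023-03-05T12:00:00Z"),
])
CURRENT_FILES = {"config/settings.py": f'API_KEY = "{KEY}"\n',  # live key still in the tree
                 "docs/README.md": "Example: acme_live_00000000000000000000000000000000\n"}

if __name__ == "__main__":
    for e in triage(SAMPLE_REPORT, CURRENT_FILES):
        print(e["priority"], e["rule"], e["first_commit"], e["action"])
```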
Pro tip: After setting up scanning, do a full audit of your repository history. Many secrets are committed early in a project and forgotten. Use tools like truffleHog or gitleaks with history scanning enabled.
What is secret scanning?
Secret scanning automatically detects credentials, API keys, and other secrets in your code. It can run as a pre-commit hook, in CI/CD, or as a service that monitors your repository.
Is GitHub secret scanning free?
Yes for public repositories. For private repositories, GitHub secret scanning is available with GitHub Advanced Security, which requires a paid plan.
What's the difference between pre-commit hooks and CI scanning?
Pre-commit hooks run locally before you commit, preventing secrets from ever entering git history. CI scanning runs after commits and catches anything that slipped through. Both are recommended.