[{"data":1,"prerenderedAt":440},["ShallowReactive",2],{"blog-prompts/secret-scanning-setup":3},{"id":4,"title":5,"body":6,"category":415,"date":416,"dateModified":417,"description":418,"draft":419,"extension":420,"faq":421,"featured":419,"headerVariant":425,"image":426,"keywords":426,"meta":427,"navigation":428,"ogDescription":429,"ogTitle":426,"path":430,"readTime":426,"schemaOrg":431,"schemaType":432,"seo":433,"sitemap":434,"stem":435,"tags":436,"twitterCard":438,"__hash__":439},"blog/blog/prompts/secret-scanning-setup.md","Set Up Secret Scanning with AI Prompts",{"type":7,"value":8,"toc":405},"minimark",[9,16,21,24,88,92,95,155,159,162,208,212,215,272,282,286,289,343,352,374,393],[10,11,12],"tldr",{},[13,14,15],"p",{},"These prompts help you set up automated secret scanning at multiple levels: pre-commit hooks to catch secrets before they're committed, GitHub Actions for CI/CD checks, and repository settings for continuous monitoring. This layered approach catches credentials before they become a problem.",[17,18,20],"h2",{"id":19},"pre-commit-hook-setup","Pre-Commit Hook Setup",[13,22,23],{},"Copy this prompt to configure pre-commit hooks that block secrets before they ever reach git history. Your AI will set up detect-secrets, gitleaks, or truffleHog with custom patterns, false-positive allowlisting, and team onboarding documentation.",[25,26,28,31,34,47,50,68,71,85],"prompt-box",{"title":27},"Pre-Commit Hooks Setup",[13,29,30],{},"Set up pre-commit hooks to scan for secrets before any commit.",[13,32,33],{},"I want to use a tool like:",[35,36,37,41,44],"ul",{},[38,39,40],"li",{},"detect-secrets (Python, very thorough)",[38,42,43],{},"gitleaks (Go, fast)",[38,45,46],{},"truffleHog (Python, checks git history too)",[13,48,49],{},"Please:",[51,52,53,56,59,62,65],"ol",{},[38,54,55],{},"Create the pre-commit configuration file",[38,57,58],{},"Add common secret patterns to detect",[38,60,61],{},"Set up allowlisting for false positives",[38,63,64],{},"Add installation instructions for team members",[38,66,67],{},"Make it work on both Mac and Linux",[13,69,70],{},"The hook should:",[35,72,73,76,79,82],{},[38,74,75],{},"Block commits containing potential secrets",[38,77,78],{},"Show clear error messages about what was detected",[38,80,81],{},"Provide a way to allowlist false positives",[38,83,84],{},"Be fast enough to not slow down development",[13,86,87],{},"Also create documentation for the team on how to use it.",[17,89,91],{"id":90},"github-actions-secret-scanning","GitHub Actions Secret Scanning",[13,93,94],{},"Use this prompt to create a GitHub Actions workflow that scans every PR and push for leaked secrets. Your AI will generate the workflow YAML, a gitleaks configuration file, and documentation for handling detected secrets.",[25,96,98,101,104,124,127,141,144],{"title":97},"GitHub Actions Scanner",[13,99,100],{},"Create a GitHub Actions workflow that scans for secrets on every PR and push.",[13,102,103],{},"Requirements:",[51,105,106,109,112,115,118,121],{},[38,107,108],{},"Run on all pull requests and pushes to main",[38,110,111],{},"Use gitleaks or similar tool",[38,113,114],{},"Scan only changed files for PRs (faster)",[38,116,117],{},"Scan entire repo on main branch pushes",[38,119,120],{},"Fail the CI if secrets are detected",[38,122,123],{},"Output results in a clear format",[13,125,126],{},"The workflow should:",[35,128,129,132,135,138],{},[38,130,131],{},"Not block legitimate commits (handle false positives)",[38,133,134],{},"Run quickly (under 2 minutes for typical repos)",[38,136,137],{},"Support a configuration file for custom rules",[38,139,140],{},"Send notifications on failures",[13,142,143],{},"Create:",[51,145,146,149,152],{},[38,147,148],{},".github/workflows/secret-scan.yml",[38,150,151],{},".gitleaks.toml with project-specific configuration",[38,153,154],{},"Documentation on how to handle detected secrets",[17,156,158],{"id":157},"github-built-in-secret-scanning","GitHub Built-in Secret Scanning",[13,160,161],{},"This prompt asks your AI to walk you through enabling GitHub's native secret scanning and push protection. You'll get step-by-step instructions for repository settings, alert management, and custom pattern configuration.",[25,163,165,168,171,188,191,205],{"title":164},"Enable GitHub Secret Scanning",[13,166,167],{},"Help me enable and configure GitHub's built-in secret scanning.",[13,169,170],{},"I need to know:",[51,172,173,176,179,182,185],{},[38,174,175],{},"How to enable secret scanning in repository settings",[38,177,178],{},"What types of secrets GitHub detects automatically",[38,180,181],{},"How to view and manage alerts",[38,183,184],{},"How to configure push protection (block commits with secrets)",[38,186,187],{},"How GitHub notifies service providers when their tokens are found",[13,189,190],{},"Also explain:",[35,192,193,196,199,202],{},[38,194,195],{},"Is this free for my repository type (public/private)?",[38,197,198],{},"What's the difference between secret scanning and push protection?",[38,200,201],{},"How do I handle false positives?",[38,203,204],{},"Can I add custom secret patterns?",[13,206,207],{},"Give me step-by-step instructions to enable all available protections.",[17,209,211],{"id":210},"custom-pattern-detection","Custom Pattern Detection",[13,213,214],{},"Copy this prompt to create custom detection rules for your company's internal API key formats and service-specific credentials. Your AI will generate regex patterns optimized for low false positives, formatted for both gitleaks.toml and pre-commit config.",[25,216,218,221,224,238,241,255,258,269],{"title":217},"Custom Secret Patterns",[13,219,220],{},"Create custom secret detection patterns for my project.",[13,222,223],{},"I need to detect:",[51,225,226,229,232,235],{},[38,227,228],{},"Internal API keys with our company's format",[38,230,231],{},"Database connection strings for our specific services",[38,233,234],{},"Custom authentication tokens",[38,236,237],{},"Service-specific credentials",[13,239,240],{},"For each pattern:",[51,242,243,246,249,252],{},[38,244,245],{},"Create a regex that matches it",[38,247,248],{},"Minimize false positives",[38,250,251],{},"Add to both pre-commit and CI configurations",[38,253,254],{},"Document what each pattern detects",[13,256,257],{},"Also create patterns to avoid false positives:",[35,259,260,263,266],{},[38,261,262],{},"Test/example values",[38,264,265],{},"Documentation references",[38,267,268],{},"Placeholder strings",[13,270,271],{},"Format the output for both gitleaks.toml and pre-commit config.",[273,274,275],"warning-box",{},[13,276,277,281],{},[278,279,280],"strong",{},"Layer your defenses:"," Use both pre-commit hooks (prevents commits) and CI scanning (catches anything that slips through). Pre-commit hooks can be skipped with --no-verify, so CI is your safety net.",[17,283,285],{"id":284},"scan-existing-repository","Scan Existing Repository",[13,287,288],{},"Use this prompt to audit your entire repository, including git history, for secrets that may have been committed in the past. Your AI will generate a prioritized report with remediation steps for each finding.",[25,290,292,295,298,312,315,329,332],{"title":291},"Full Repo Scan",[13,293,294],{},"Help me scan my existing repository for secrets that may have been committed in the past.",[13,296,297],{},"I need to:",[51,299,300,303,306,309],{},[38,301,302],{},"Scan all current files for secrets",[38,304,305],{},"Scan the entire git history for past secrets",[38,307,308],{},"Generate a report of findings",[38,310,311],{},"Prioritize by severity (live keys vs test keys)",[13,313,314],{},"For any secrets found:",[51,316,317,320,323,326],{},[38,318,319],{},"Identify when they were committed",[38,321,322],{},"Check if they're still present in current code",[38,324,325],{},"Determine if they're in the git history only",[38,327,328],{},"Recommend remediation steps",[13,330,331],{},"After the scan:",[35,333,334,337,340],{},[38,335,336],{},"List all secrets that need rotation",[38,338,339],{},"Show which files in history need cleaning",[38,341,342],{},"Provide commands to clean git history if needed",[344,345,346],"tip-box",{},[13,347,348,351],{},[278,349,350],{},"Pro tip:"," After setting up scanning, do a full audit of your repository history. Many secrets are committed early in a project and forgotten. Use tools like truffleHog or gitleaks with history scanning enabled.",[353,354,355,362,368],"faq-section",{},[356,357,359],"faq-item",{"question":358},"What is secret scanning?",[13,360,361],{},"Secret scanning automatically detects credentials, API keys, and other secrets in your code. It can run as a pre-commit hook, in CI/CD, or as a service that monitors your repository.",[356,363,365],{"question":364},"Is GitHub secret scanning free?",[13,366,367],{},"Yes for public repositories. For private repositories, GitHub secret scanning is available with GitHub Advanced Security, which requires a paid plan.",[356,369,371],{"question":370},"What's the difference between pre-commit hooks and CI scanning?",[13,372,373],{},"Pre-commit hooks run locally before you commit, preventing secrets from ever entering git history. CI scanning runs after commits and catches anything that slipped through. Both are recommended.",[375,376,377,383,388],"related-articles",{},[378,379],"related-card",{"description":380,"href":381,"title":382},"Secure hardcoded credentials","/blog/prompts/fix-exposed-api-keys","Fix Exposed API Keys",[378,384],{"description":385,"href":386,"title":387},"Prevent secret commits","/blog/prompts/add-gitignore","Add Proper .gitignore",[378,389],{"description":390,"href":391,"title":392},"Emergency key rotation","/blog/prompts/rotate-credentials","Rotate Credentials",[394,395,398,402],"cta-box",{"href":396,"label":397},"/","Start Free Scan",[17,399,401],{"id":400},"scan-your-repository-now","Scan Your Repository Now",[13,403,404],{},"Don't wait to set up scanning. Check your repo for exposed secrets immediately.",{"title":406,"searchDepth":407,"depth":407,"links":408},"",2,[409,410,411,412,413,414],{"id":19,"depth":407,"text":20},{"id":90,"depth":407,"text":91},{"id":157,"depth":407,"text":158},{"id":210,"depth":407,"text":211},{"id":284,"depth":407,"text":285},{"id":400,"depth":407,"text":401},"prompts","2026-02-23","2026-03-06","AI prompts to configure secret scanning for your repository. Set up GitHub secret scanning, pre-commit hooks, and CI/CD checks to catch exposed credentials.",false,"md",[422,423,424],{"question":358,"answer":361},{"question":364,"answer":367},{"question":370,"answer":373},"cyan",null,{},true,"AI prompts to configure secret scanning and catch exposed credentials automatically.","/blog/prompts/secret-scanning-setup","[object Object]","BlogPosting",{"title":5,"description":418},{"loc":430},"blog/prompts/secret-scanning-setup",[437],"Automation","summary_large_image","uPbsWu4auUdI0txn04FofK9ZJEwamw5gHTLxfk5stX8",1775843938450]