GitGuardian

scan-secrets

Find hardcoded secrets in paths, staged changes, commits, full history, Docker images, and packages.

Use when: handling credentials, editing .env or CI files, preparing a commit or push, or auditing a repo.

Key rule: scan first, then remediate from structured findings.

create-honeytokens

Generate and place decoy AWS credentials.

Use when: planting decoys in .env.example, docs, runbooks, archived repos, or other attractive leak surfaces.

Key rule: plant where attackers look, not where engineers import.

scan-machine

Audit a whole developer machine for credentials across local repos, dotfiles, cloud CLI configs, shell history, AI agent caches, and abandoned project trees.

Use when: wiping, selling, returning, or auditing a developer machine.

Key rule: this is a broad endpoint scan and requires endpoint scanning on the GitGuardian workspace.

check-hmsl

Check known credentials against HasMySecretLeaked without exposing plaintext to the agent.

Use when: you already have a token, key, .env, vault inventory, or inherited credential list and want to know whether any value has appeared in indexed public leaks.

Key rule: user-run handoff only; the agent must not read or run against the credential file.

install-git-hooks

Install ggshield as a git pre-commit or pre-push hook so secrets are blocked before they enter history.

Use when: setting up secret prevention on a repo, asking to block or stop secrets from being committed or pushed, configuring pre-commit hooks, or hardening after a secret was caught.

Key rule: prevention only — guards future commits/pushes. Existing code and history still need scan-secrets. Global mode modifies global git config; get explicit consent.

triage-incidents

Read the secret incidents already detected in your GitGuardian dashboard, rank them by validity, severity, blast radius, and exposure, and drive remediation — rotation first, HMSL for unverifiable validity, history rewrite only when it earns its cost.

Use when: triaging or reviewing GitGuardian incidents, asking what's leaking in the org or what to fix first, remediating or rotating a credential flagged in an incident, responding to a Public Monitoring alert, or assigning/tagging/resolving incidents.

Key rule: the one MCP-first skill — it works through the GitGuardian Developer MCP server, not the ggshield CLI. Covers both internal and Public Monitoring incidents (non-interchangeable IDs). Never auto-resolves: writes are confirmation-gated and RESOLVED follows confirmed rotation.

Add this repo as a plugin marketplace, then install the gitguardian plugin:

/plugin marketplace add GitGuardian/agent-skills
/plugin install gitguardian