Multi-layered secret detection — pre-commit hooks, CI gates, and audit workflows to prevent credential leaks in your repositories.
Cyber_Stip provides a defense-in-depth approach to secret management:
- Local Gate — Pre-commit hook that blocks secrets at commit time
- CI Gate — GitHub Actions workflow that runs on every push/PR
- CI Audit — Full history scan on a schedule or manual trigger
- Baseline Management — Suppress known false positives
| Rule | Targets |
|---|---|
| Database connection strings | PostgreSQL, MySQL, MongoDB, Redis, SQL Server, JDBC |
| API credentials | Custom API keys, Bearer tokens, npm tokens, NuGet keys |
| Cloud/Infrastructure | SSH URIs with credentials, Private keys (RSA, DSA, EC, OpenSSH, PGP) |
| Webhooks | Slack webhook URLs |
| Environment files | .env files with password/secret/token assignments |
| Generic patterns | Connection strings, authorization headers |
| Layer | Tool | When |
|---|---|---|
| 🛑 Pre-commit hook | Gitleaks | Before every local commit |
| 🔍 CI Gate | Gitleaks | On every push and PR |
| 📋 CI Audit | Gitleaks + TruffleHog | Scheduled (weekly) or manual |
| 📊 CI Health | Custom checks | Monitors config validity |
| 🗂️ Baseline | .baseline.json |
Suppress known/historical findings |
| Tool | Purpose |
|---|---|
| Gitleaks | Git-based secret scanning (default + custom rules) |
| TruffleHog | Deep content scanning for secrets |
| pre-commit | Local git hook framework |
| GitHub Actions | CI/CD pipeline integration |
- Python 3.8+ — Download Python
- Git — Download Git
- Gitleaks — The init script can auto-install it, or download manually
git clone https://github.com/akankwatsakevin0-ctrl/Cyber_Stip.git
cd Cyber_StipWindows (PowerShell as Administrator):
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser # If needed
.\init-cyber-stip.ps1Linux/macOS:
chmod +x init-cyber-stip.sh
./init-cyber-stip.shThe init script automates everything:
| Step | Action |
|---|---|
| 1 | Checks Python is installed |
| 2 | Installs pre-commit via pip (if missing) |
| 3 | Downloads and installs Gitleaks (Windows only; Linux/macOS users install separately) |
| 4 | Validates that all config files exist (.gitleaks.toml, .pre-commit-config.yaml, .gitleaksignore) |
| 5 | Initializes git repo (if not already one) |
| 6 | Installs pre-commit hooks into .git/hooks/ |
| 7 | Generates an initial .baseline.json to suppress known historical findings |
Test the hook by trying to commit a fake secret:
echo "password = \"supersecret123\"" > test.txt
git add test.txt
git commit -m "test"
# ⛔ Should be BLOCKED by Gitleaks with a warning
# Clean up test file
rm test.txtIf the commit was blocked — Cyber_Stip is active! 🎉
To use these secret scanning rules in another project:
# Copy the config files to your repo
cp /path/to/Cyber_Stip/.gitleaks.toml /your/repo/
cp /path/to/Cyber_Stip/.pre-commit-config.yaml /your/repo/
cp /path/to/Cyber_Stip/.gitleaksignore /your/repo/
# Copy the GitHub workflows
mkdir -p /your/repo/.github/workflows
cp /path/to/Cyber_Stip/.github/workflows/* /your/repo/.github/workflows/
# Install the pre-commit hook
cd /your/repo
pre-commit installCyber_Stip/
├── .github/workflows/
│ ├── cyber_stip_gate.yml # CI gate on push/PR
│ ├── cyber_stip_audit.yml # Full history audit
│ ├── cyber_stip_baseline.yml # Baseline management
│ └── cyber_stip_health.yml # Config health check
├── .gitleaks.toml # Custom Gitleaks rules
├── .gitleaksignore # Suppressed findings
├── .pre-commit-config.yaml # Pre-commit hook config
├── init-cyber-stip.ps1 # Windows setup script
├── init-cyber-stip.sh # Unix setup script
└── .gitignore
| Workflow | Trigger | Action |
|---|---|---|
| Gate | push, pull_request |
Scans new/changed commits; fails if secrets found |
| Audit | schedule (weekly), workflow_dispatch |
Full history scan with TruffleHog + Gitleaks |
| Baseline | workflow_dispatch |
Regenerates .baseline.json |
| Health | push (config changes), schedule |
Validates config files and tool versions |
Add your own detection patterns in .gitleaks.toml:
[[rules]]
id = "my-custom-rule"
description = "Description of what this detects"
regex = '''your-regex-pattern'''
secretGroup = 1
entropy = 3.5
keywords = ["keyword1", "keyword2"]
tags = ["custom", "tag"]