🔒 Secret Push Block for GitHub

Prevent accidental secret exposure and maintain clean git history with automated pre-commit hooks and Claude Code integration.

Features

• 🚫 Block Secrets - Automatically detects and blocks hardcoded API keys, passwords, and tokens
• 📁 Block .env Files - Prevents .env, .env.local, .env.production from being committed
• 🔑 Pattern Detection - Recognizes AWS keys, GitHub tokens, OpenAI keys, and more
• 🤖 Clean Commits - Blocks AI/Claude references in commit messages
• 🛡️ Pre-push Guard - Final check scans ALL commits for AI contributor references before push
• 🌐 Global Install - One command to protect ALL your git repos
• ⚡ Claude Code Skill - Integrates with Claude Code for automatic enforcement

What Gets Blocked

Sensitive Files

• .env, .env.local, .env.production, .env.development
• *.pem, *.key, *.p12, *.pfx, *.jks
• credentials.json, service-account.json
• secrets.yaml, secrets.json

Secret Patterns

Pattern	Example
AWS Access Keys	AKIA1234567890ABCDEF
GitHub Tokens	ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
OpenAI Keys	sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Slack Tokens	xoxb-xxxx-xxxx-xxxx
Private Keys	-----BEGIN PRIVATE KEY-----
Generic Secrets	api_key = "actual-secret-value"

Commit Message Blocks

• "Claude", "Anthropic", "ChatGPT", "OpenAI"
• "AI-generated", "AI-assisted"
• "Co-Authored-By: Claude"

Installation

Quick Install — Global (Recommended)

Protects ALL your git repos with one command:

git clone https://github.com/Muminur/secret-push-block-github.git
bash secret-push-block-github/install.sh --global

This sets git config --global core.hooksPath to ~/.git-hooks/, so every repo on your machine gets protected automatically.

Quick Install — Per Project

git clone https://github.com/Muminur/secret-push-block-github.git
cd /path/to/your/project
bash /path/to/secret-push-block-github/install.sh

# Windows PowerShell
cd C:\path\to\your\project
powershell -ExecutionPolicy Bypass -File C:\path\to\secret-push-block-github\install.ps1

Manual Installation

1. Install Claude Code Skill (Global)

# macOS/Linux
mkdir -p ~/.claude/commands
cp claude-skill/github-guardrails.md ~/.claude/commands/

# Windows (PowerShell)
mkdir -Force "$env:USERPROFILE\.claude\commands"
copy claude-skill\github-guardrails.md "$env:USERPROFILE\.claude\commands\"

2. Install Git Hooks

Global (all repos):

mkdir -p ~/.git-hooks
cp hooks/pre-commit hooks/commit-msg hooks/pre-push ~/.git-hooks/
chmod +x ~/.git-hooks/pre-commit ~/.git-hooks/commit-msg ~/.git-hooks/pre-push
git config --global core.hooksPath ~/.git-hooks

Per project (Husky):

cp hooks/pre-commit hooks/commit-msg hooks/pre-push .husky/
chmod +x .husky/pre-commit .husky/commit-msg .husky/pre-push

Per project (standard Git):

cp hooks/pre-commit hooks/commit-msg hooks/pre-push .git/hooks/
chmod +x .git/hooks/pre-commit .git/hooks/commit-msg .git/hooks/pre-push

Usage

Once installed, the hooks run automatically:

Example: Blocked Secret

$ echo 'const API_KEY = "sk-1234567890abcdef";' > config.ts
$ git add config.ts
$ git commit -m "add config"

🔒 Running security checks...

❌ ERROR: Potential hardcoded secrets detected!

Suspicious lines:
+const API_KEY = "sk-1234567890abcdef";

ℹ️  If these are env var references (process.env.X), they are SAFE.
ℹ️  If these are actual secret values, remove them immediately!

Example: Blocked .env File

$ git add .env.local
$ git commit -m "add env"

🔒 Running security checks...

❌ ERROR: Environment file(s) detected in staging!

Files blocked:
.env.local

Fix: Remove with 'git reset HEAD <file>'

Example: Blocked AI Reference in Commit

$ git commit -m "feat: add feature (Claude helped)"

❌ ERROR: Commit message contains forbidden AI references!

Your message:
  feat: add feature (Claude helped)

Fix: Rewrite commit message without AI references.

Example: Blocked AI Contributor on Push

$ git push origin main

🔒 Running pre-push checks...

❌ ERROR: AI/Claude references found in commits being pushed!

Violations:
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Fix: Rewrite commit messages to remove AI references.

Example: Successful Commit

$ echo 'const apiKey = process.env.API_KEY;' > config.ts
$ git add config.ts
$ git commit -m "feat(config): add API key from environment"

🔒 Running security checks...
✅ Security checks passed.
✅ Commit message check passed.
[main abc1234] feat(config): add API key from environment

Safe Patterns (Not Blocked)

These patterns are recognized as safe:

// ✅ Environment variable reference
const apiKey = process.env.API_KEY;

// ✅ Validation schema
const schema = z.object({
  API_KEY: z.string().min(1),
});

// ✅ Placeholder in .env.example
API_KEY=your-api-key-here

// ✅ Type definition
interface Config {
  apiKey: string;
}

Claude Code Integration

The skill file (github-guardrails.md) teaches Claude Code to:

1. Always scan for secrets before any git operation
2. Block dangerous commits automatically
3. Suggest fixes when issues are detected
4. Never mention AI in commit messages

Claude Code will follow these rules in every session where the skill is installed.

File Structure

secret-push-block-github/
├── hooks/
│   ├── pre-commit      # Scans for secrets and .env files
│   ├── commit-msg      # Blocks AI references in commits
│   └── pre-push        # Final guard — scans all commits before push
├── claude-skill/
│   └── github-guardrails.md  # Claude Code skill file
├── install.sh          # Bash installer (supports --global)
├── install.ps1         # PowerShell installer (Windows)
└── README.md           # This file

Emergency: Already Pushed Secrets?

If you accidentally pushed secrets:

1. Rotate credentials immediately - Consider them compromised
2. Remove from history:

   git filter-branch --force --index-filter \
     "git rm --cached --ignore-unmatch <file>" \
     --prune-empty --tag-name-filter cat -- --all
   git push origin --force --all

3. Use BFG Repo-Cleaner for large repos

Customization

Add Custom Patterns

Edit hooks/pre-commit to add your own patterns:

# Add custom pattern check
CUSTOM_CHECK=$(git diff --cached -U0 | grep -E "my-company-secret-pattern" || true)
if [ -n "$CUSTOM_CHECK" ]; then
  echo "ERROR: Custom secret pattern detected!"
  exit 1
fi

Whitelist Files

Add exceptions for specific files:

# Skip check for specific file
if git diff --cached --name-only | grep -q "allowed-file.ts"; then
  echo "Skipping check for allowed-file.ts"
fi

Troubleshooting

Hook not running?

# Check if hook is executable
ls -la .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit

False positive?

If a safe pattern is being blocked, the hook shows guidance:

ℹ️  If these are env var references (process.env.X), they are SAFE.

You can bypass once with:

git commit --no-verify -m "message"  # Use sparingly!

Contributing

1. Fork the repository
2. Create a feature branch
3. Make your changes
4. Test the hooks locally
5. Submit a pull request

License

MIT License - Feel free to use in your projects.

Related

• git-secrets - AWS Labs secret scanner
• truffleHog - Secret scanning tool
• gitleaks - SAST tool for detecting secrets