ACE - Git Secrets

Scan, revoke, and remove leaked credentials from Git history before they cause damage.

License: MIT

Works with: Claude Code, Codex CLI, OpenCode, Gemini CLI, pi-agent, and more.

Getting Started | Usage Guide | Handbook - Skills, Agents, Templates

ace-git-secrets gives developers and coding agents a focused remediation loop for leaked credentials: detect exposure with gitleaks-backed scanning, revoke impacted tokens by provider, and safely clean repository history with dry-run-first safeguards.

How It Works

  1. Scan commits with gitleaks-backed detection and capture a reusable saved report for remediation workflows.
  2. Revoke high-confidence findings from the saved scan report using provider-aware revocation flows.
  3. Preview history rewrites with --dry-run, execute cleanup when ready, then gate releases with check-release.
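
The Ruby example below is an added illustration of how a saved scan report can drive the revoke, rewrite and gate steps above; it is not code from ace-git-secrets or its documentation. It assumes the report uses gitleaks' native JSON fields (RuleID, Secret, File, Commit), since the page does not show the tool's own saved-report format; the function names and sample values are constructed for the example.

```ruby
require "json"
require "digest"

# Constructed sample in gitleaks' JSON report shape (RuleID, Secret, File, Commit).
# The values are fake placeholders, not real credentials.
SAMPLE_REPORT = <<~'REPORT'
  [
    {"RuleID": "github-pat", "Secret": "ghp_EXAMPLEEXAMPLEEXAMPLE0001", "File": "config/deploy.yml", "Commit": "aaa1111"},
    {"RuleID": "github-pat", "Secret": "ghp_EXAMPLEEXAMPLEEXAMPLE0001", "File": "config/deploy.yml", "Commit": "bbb2222"},
    {"RuleID": "generic-api-key", "Secret": "key_EXAMPLE_0002", "File": ".env", "Commit": "ccc3333"}
  ]
REPORT

# Show only enough of a secret to recognise it; never echo the full value into logs.
def redact(secret)
  secret.length <= 8 ? "****" : "#{secret[0, 4]}...#{secret[-2, 2]}"
end

# Collapse findings so each distinct secret appears once, with every commit and file
# that carries it: revoke once per secret, then rewrite every listed commit.
def remediation_plan(report_json)
  findings = JSON.parse(report_json)
  findings.group_by { |f| f["Secret"] }.map do |secret, hits|
    {
      id: Digest::SHA256.hexdigest(secret)[0, 12], # stable handle that does not expose the secret
      rule: hits.first["RuleID"],
      preview: redact(secret),
      commits: hits.map { |h| h["Commit"] }.uniq,
      files: hits.map { |h| h["File"] }.uniq
    }
  end
end

# Release gate: non-zero status while any secret is still present in history.
def gate_status(plan)
  plan.empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  plan = remediation_plan(SAMPLE_REPORT)
  plan.each { |p| puts "#{p[:rule]} #{p[:preview]} commits=#{p[:commits].join(',')} files=#{p[:files].join(',')}" }
  puts "gate status: #{gate_status(plan)}"
end
```

Grouping by secret rather than by finding keeps revocation to one action per credential while still listing every commit the history rewrite has to cover.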

Use Cases

Detect leaked credentials in Git history - run ace-git-secrets to scan commits and capture a reusable JSON report for remediation. Use the as-git-security-audit agent workflow for a guided audit.

Revoke exposed tokens by provider - use the as-git-token-remediation workflow to revoke high-confidence findings from the saved scan report for GitHub PATs and other supported token classes before any history rewrites.

Clean history safely with dry-run-first safeguards - preview rewrite changes with ace-git-secrets rewrite-history --dry-run, execute cleanup when ready, then block release pipelines if secrets are still present.

Coordinate with git workflow tools - pair with ace-bundle for loading remediation workflows, ace-git for repository context before cleanup, and ace-git-commit for follow-up commits after remediation work.

Testing Contract

ace-git-secrets uses the restarted package testing model:

  • ace-test ace-git-secrets runs deterministic package tests (test/fast).
  • ace-test ace-git-secrets feat is reserved for deterministic feature-layer tests (test/feat) when present.
  • ace-test-e2e ace-git-secrets runs retained workflow scenarios (test/e2e).

Part of ACE