GitHub Push 安全推送工具：自动扫描密钥并生成 README

GitHub Push by alfredang/skills

1 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/alfredang/skills --skill 'GitHub Push'

开发自动化安全

🇨🇳中文介绍

GitHub Push

命令

/github-push 或 github-push

关键词

github push, git push, secret detection, api key scan, credential scan, security check, push to github, commit and push, secret scanner, readme generator, safe push, secure push, pre-push hook, leak detection, api key exposed, password exposed

描述

通过自动扫描暴露的密钥、API 密钥和凭据，安全地将代码推送到 GitHub。如果缺失，则自动生成 README.md，配置仓库描述、实时站点 URL、主题，并启用 GitHub Discussions。

执行

此技能使用 Claude Code 订阅计划 运行。请勿使用按量付费的 API 密钥。所有 AI 操作都应在具有活跃订阅的 Claude Code CLI 环境中执行。

响应

我将帮助您安全地推送到 GitHub！

工作流程包括：

步骤	描述
密钥扫描	检测暴露的 API 密钥、密码和凭据
文件审查	检查不应提交的敏感文件

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

阶段 1：密钥检测（强制）

在进行任何 Git 操作之前，扫描代码库以查找暴露的密钥。这是一个阻塞性要求——如果发现密钥，则不得继续。

1.1 扫描暂存文件

git diff --cached --name-only

1.2 密钥模式检测

扫描所有暂存文件以查找以下模式：

AKIA[0-9A-Z]{16}
aws_access_key_id\s*=\s*['"][A-Za-z0-9/+=]+['"]
aws_secret_access_key\s*=\s*['"][A-Za-z0-9/+=]+['"]

API 密钥（通用）

api[_-]?key\s*[:=]\s*['"][A-Za-z0-9_\-]{20,}['"]
apikey\s*[:=]\s*['"][A-Za-z0-9_\-]{20,}['"]
api[_-]?secret\s*[:=]\s*['"][A-Za-z0-9_\-]{20,}['"]

-----BEGIN (RSA|DSA|EC|OPENSSH|PGP) PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----

数据库连接字符串

postgres(ql)?://[^\s'"]+
mysql://[^\s'"]+
mongodb(\+srv)?://[^\s'"]+
redis://[^\s'"]+

OAuth 和 Bearer 令牌

bearer\s+[A-Za-z0-9\-_.~+/]+=*
oauth[_-]?token\s*[:=]\s*['"][A-Za-z0-9_\-]+['"]
access[_-]?token\s*[:=]\s*['"][A-Za-z0-9_\-]+['"]
refresh[_-]?token\s*[:=]\s*['"][A-Za-z0-9_\-]+['"]

云服务商密钥

# Google Cloud
AIza[0-9A-Za-z\-_]{35}

# Azure
[a-zA-Z0-9+/]{86}==

# Heroku
[hH]eroku.*[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}

# Stripe
sk_live_[0-9a-zA-Z]{24}
rk_live_[0-9a-zA-Z]{24}
pk_live_[0-9a-zA-Z]{24}

# Twilio
SK[0-9a-fA-F]{32}

# SendGrid
SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}

# Slack
xox[baprs]-[0-9]{10,13}-[0-9]{10,13}[a-zA-Z0-9-]*

# GitHub
gh[pousr]_[A-Za-z0-9_]{36,}

# OpenAI
sk-[A-Za-z0-9]{48}

# Anthropic
sk-ant-[A-Za-z0-9\-_]{90,}

password\s*[:=]\s*['"][^'"]{8,}['"]
secret\s*[:=]\s*['"][^'"]{8,}['"]
credential\s*[:=]\s*['"][^'"]{8,}['"]
private[_-]?key\s*[:=]\s*['"][^'"]+['"]

eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*

1.3 检查敏感文件

永远不应提交的文件：

.env, .env.*（环境文件）
*.pem, *.key, *.p12, *.pfx（证书/密钥）
credentials.json, secrets.json, config.secret.*
id_rsa, id_dsa, id_ecdsa, id_ed25519（SSH 密钥）
*.keystore, *.jks（Java 密钥库）
.htpasswd, .netrc, .npmrc（认证文件）
wp-config.php（WordPress 配置）
包含凭据的 database.yml
包含 SECRET_KEY 的 settings.py

重要提示：切勿在配置文件中存储密钥！

密钥绝不应硬编码在以下配置文件中：

config.json, config.yaml, config.toml
settings.json, settings.py, settings.js
app.config.js, next.config.js, vite.config.ts
任何提交到版本控制的文件

应存储密钥的位置：

.env 文件（必须在 .gitignore 中）
Python 项目的 uv 密钥文件（uv 支持加载 .env）
平台密钥管理器（Vercel、Railway、Fly.io 环境变量）
云密钥管理器（AWS Secrets Manager、GCP Secret Manager、Azure Key Vault）

验证 .gitignore 包含：

grep -E "^\.env|^\.env\.|\.pem$|\.key$|credentials|secrets" .gitignore

1.4 密钥检测结果

如果发现密钥：

停止 - 不要继续推送
列出所有检测到的密钥及其文件:行位置
提供修复步骤：
- 从文件中移除密钥
- 将密钥移至 .env 文件（确保 .env 在 .gitignore 中）
- 对于 Python/uv 项目，使用 .env 配合 uv run，它会自动加载环境变量
- 使用 process.env.SECRET_NAME（Node.js）或 os.environ["SECRET_NAME"]（Python）
- 切勿在配置文件中存储密钥（config.json、settings.py 等）
- 将敏感文件添加到 .gitignore
- 如果已提交，指导进行历史重写

发现密钥时的示例输出：

SECURITY ALERT: Secrets detected in staged files!

File: src/config.js:15
  Type: API Key
  Pattern: api_key = "sk-abc123..."

File: .env:3
  Type: Database URL
  Pattern: DATABASE_URL=postgres://user:password@...

BLOCKED: Cannot push until secrets are removed.

Remediation:
1. Remove secrets from config files (NEVER store secrets in config files!)
2. Move secrets to .env file (ensure .env is in .gitignore)
3. For Python/uv: use .env file - uv run auto-loads environment variables
4. Access via: process.env.API_KEY (Node.js) or os.environ["API_KEY"] (Python)
5. Run: git reset HEAD <file> to unstage

如果未发现密钥：

Security scan complete: No secrets detected.
Proceeding with push...

阶段 2：README 生成

检查项目根目录是否存在 README.md：

ls README.md 2>/dev/null

如果不存在 README.md：

调用 /create_github_readme 技能以生成专业的 README
该 readme 技能将自动捕获屏幕截图、添加徽章、技术栈、架构图等
技能完成后，暂存生成的 README.md（以及 screenshot.png，如果已创建）

如果已存在 README.md：

跳过此阶段，除非用户明确要求重新生成 README

阶段 3：Git 操作

git status
git diff --cached --stat

如果需要暂存文件：

git add <specific-files>

重要提示： 切勿使用 git add -A 或 git add . - 始终添加特定文件，以避免意外提交敏感文件。

3.3 生成提交信息

根据变更内容：

分析修改了哪些文件
理解变更的性质（功能、修复、重构、文档等）
遵循约定式提交规范生成简洁的提交信息：
- feat: 新功能
- fix: 错误修复
- docs: 文档
- refactor: 代码重构
- test: 测试
- chore: 维护

git commit -m "$(cat <<'EOF'
<type>: <description>

<optional body>

Co-Authored-By: Claude <noreply@anthropic.com>
EOF
)"

git push origin <branch>

如果推送因上游变更而失败：

git pull --rebase origin <branch>
git push origin <branch>

阶段 4：拉取请求（可选）

如果用户请求创建 PR：

gh pr create --title "<title>" --body "$(cat <<'EOF'
## Summary
- Change 1
- Change 2

## Test Plan
- [ ] Test 1
- [ ] Test 2

---
Generated with [Claude Code](https://claude.ai/code)
EOF
)"

阶段 5：仓库信息（自动调用 `/github-about`）

推送后，自动运行 /github-about 技能以更新仓库的“关于”部分。

/github-about 技能将：

描述 - 分析代码库并设置引人注目的仓库描述（如果尚未设置）
实时站点 URL - 检测部署 URL（Vercel、GitHub Pages、Netlify 等）并设置主页
主题 - 分析技术栈（语言、框架、平台）并添加相关主题

只需调用 /github-about - 它会自动处理身份验证、检测和更新。

5.4 启用 Discussions

/github-about 完成后，如果尚未启用，也启用 discussions：

gh repo view --json hasDiscussionsEnabled

如果未启用 discussions：

gh repo edit --enable-discussions

扫描 20 多种类型的暴露密钥和凭据
检测不应提交的敏感文件
通过 /create_github_readme 技能自动生成专业的 README.md
创建 AI 驱动的提交信息
通过安全检查推送到 GitHub
创建带有描述的拉取请求
自动调用 /github-about 来设置仓库描述、实时站点 URL 和主题
自动启用 GitHub Discussions
支持所有 git 工作流程（功能分支、主分支）

检测到的安全模式

类别	示例
云凭据	AWS、GCP、Azure、Heroku
API 密钥	OpenAI、Anthropic、Stripe、Twilio、SendGrid
认证令牌	OAuth、Bearer、JWT、会话令牌
数据库 URL	PostgreSQL、MySQL、MongoDB、Redis
私钥	RSA、DSA、EC、SSH、PGP
平台令牌	GitHub、Slack、Discord webhooks
通用密钥	密码、凭据、代码中的密钥

运行 /github_push 后：

在 GitHub 上验证推送是否成功
检查 Actions 以获取 CI/CD 状态
查看生成的 README
在 GitHub 上验证仓库描述、主题和实时站点 URL
检查 Discussions 是否已启用且类别已设置
如果已创建，分享 PR 链接
监控来自 GitHub 的任何安全警报

🇺🇸English

GitHub Push

Command

/github-push or github-push

Navigate

Git & Security

Keywords

Description

Securely push code to GitHub by automatically scanning for exposed secrets, API keys, and credentials. Auto-generates README.md if missing, configures repo description, live site URL, topics, and enables GitHub Discussions.

Execution

This skill runs using Claude Code with subscription plan. Do NOT use pay-as-you-go API keys. All AI operations should be executed through the Claude Code CLI environment with an active subscription.

Response

I'll help you securely push to GitHub!

The workflow includes:

Step	Description
Secret Scan	Detect exposed API keys, passwords, and credentials
File Review	Check for sensitive files that shouldn't be committed
README Gen	Auto-generate README.md via `/create_github_readme` skill if missing
Git Commit	Stage and commit with AI-generated message
Push	Push to remote repository
PR Create	Optionally create a pull request
Repo About	Auto-invoke `/github-about` to set description, live site URL, and topics

Instructions

When executing /github_push, follow this workflow:

Phase 1: Secret Detection (MANDATORY)

Before ANY git operations, scan the codebase for exposed secrets. This is a blocking requirement - do not proceed if secrets are found.

1.1 Scan Staged Files

git diff --cached --name-only

1.2 Secret Pattern Detection

Scan ALL staged files for these patterns:

AWS Credentials

AKIA[0-9A-Z]{16}
aws_access_key_id\s*=\s*['"][A-Za-z0-9/+=]+['"]
aws_secret_access_key\s*=\s*['"][A-Za-z0-9/+=]+['"]

API Keys (Generic)

api[_-]?key\s*[:=]\s*['"][A-Za-z0-9_\-]{20,}['"]
apikey\s*[:=]\s*['"][A-Za-z0-9_\-]{20,}['"]
api[_-]?secret\s*[:=]\s*['"][A-Za-z0-9_\-]{20,}['"]

Private Keys

-----BEGIN (RSA|DSA|EC|OPENSSH|PGP) PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----

Database Connection Strings

postgres(ql)?://[^\s'"]+
mysql://[^\s'"]+
mongodb(\+srv)?://[^\s'"]+
redis://[^\s'"]+

OAuth & Bearer Tokens

bearer\s+[A-Za-z0-9\-_.~+/]+=*
oauth[_-]?token\s*[:=]\s*['"][A-Za-z0-9_\-]+['"]
access[_-]?token\s*[:=]\s*['"][A-Za-z0-9_\-]+['"]
refresh[_-]?token\s*[:=]\s*['"][A-Za-z0-9_\-]+['"]

Cloud Provider Secrets

# Google Cloud
AIza[0-9A-Za-z\-_]{35}

# Azure
[a-zA-Z0-9+/]{86}==

# Heroku
[hH]eroku.*[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}

# Stripe
sk_live_[0-9a-zA-Z]{24}
rk_live_[0-9a-zA-Z]{24}
pk_live_[0-9a-zA-Z]{24}

# Twilio
SK[0-9a-fA-F]{32}

# SendGrid
SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}

# Slack
xox[baprs]-[0-9]{10,13}-[0-9]{10,13}[a-zA-Z0-9-]*

# GitHub
gh[pousr]_[A-Za-z0-9_]{36,}

# OpenAI
sk-[A-Za-z0-9]{48}

# Anthropic
sk-ant-[A-Za-z0-9\-_]{90,}

Generic Secrets

password\s*[:=]\s*['"][^'"]{8,}['"]
secret\s*[:=]\s*['"][^'"]{8,}['"]
credential\s*[:=]\s*['"][^'"]{8,}['"]
private[_-]?key\s*[:=]\s*['"][^'"]+['"]

JWT Tokens

eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*

1.3 Check for Sensitive Files

Files that should NEVER be committed:

.env, .env.* (environment files)
*.pem, *.key, *.p12, *.pfx (certificates/keys)
credentials.json, secrets.json, config.secret.*
id_rsa, id_dsa, , (SSH keys)

IMPORTANT: Never store secrets in config files!

Secrets should NEVER be hardcoded in configuration files like:

config.json, config.yaml, config.toml
settings.json, settings.py, settings.js
app.config.js, next.config.js, vite.config.ts
Any file that gets committed to version control

Where to store secrets instead:

.env files (must be in .gitignore)
uv secret files for Python projects (uv supports .env loading)
Platform secret managers (Vercel, Railway, Fly.io environment variables)
Cloud secret managers (AWS Secrets Manager, GCP Secret Manager, Azure Key Vault)

Verify .gitignore includes:

grep -E "^\.env|^\.env\.|\.pem$|\.key$|credentials|secrets" .gitignore

1.4 Secret Detection Results

If secrets are found:

STOP - Do not proceed with push
List all detected secrets with file:line locations
Provide remediation steps:
- Remove the secret from the file
- Move secrets to .env file (ensure .env is in .gitignore)
- For Python/uv projects, use .env with uv run which auto-loads environment variables
- Use process.env.SECRET_NAME (Node.js) or os.environ["SECRET_NAME"] (Python)
- NEVER store secrets in config files (config.json, settings.py, etc.)
- Add sensitive files to .gitignore
- If already committed, guide through history rewrite

Example output when secrets found:

SECURITY ALERT: Secrets detected in staged files!

File: src/config.js:15
  Type: API Key
  Pattern: api_key = "sk-abc123..."

File: .env:3
  Type: Database URL
  Pattern: DATABASE_URL=postgres://user:password@...

BLOCKED: Cannot push until secrets are removed.

Remediation:
1. Remove secrets from config files (NEVER store secrets in config files!)
2. Move secrets to .env file (ensure .env is in .gitignore)
3. For Python/uv: use .env file - uv run auto-loads environment variables
4. Access via: process.env.API_KEY (Node.js) or os.environ["API_KEY"] (Python)
5. Run: git reset HEAD <file> to unstage

If NO secrets found:

Security scan complete: No secrets detected.
Proceeding with push...

Phase 2: README Generation

Check if a README.md exists in the project root:

ls README.md 2>/dev/null

If no README.md exists:

Invoke the /create_github_readme skill to generate a professional README
The readme skill will auto-capture screenshots, add badges, tech stack, architecture diagrams, and more
After the skill completes, stage the generated README.md (and screenshot.png if created)

If README.md already exists:

Skip this phase unless the user explicitly requests README regeneration

Phase 3: Git Operations

3.1 Check Status

git status
git diff --cached --stat

3.2 Stage Files

If files need staging:

git add <specific-files>

Important: Never use git add -A or git add . - always add specific files to avoid accidentally committing sensitive files.

3.3 Generate Commit Message

Based on the changes:

Analyze what files were modified
Understand the nature of changes (feature, fix, refactor, docs, etc.)
Generate a concise commit message following conventional commits:
- feat: new feature
- fix: bug fix
- docs: documentation
- refactor: code refactoring
- test: tests
- chore: maintenance

3.4 Commit

git commit -m "$(cat <<'EOF'
<type>: <description>

<optional body>

Co-Authored-By: Claude <noreply@anthropic.com>
EOF
)"

3.5 Push

git push origin <branch>

If push fails due to upstream changes:

git pull --rebase origin <branch>
git push origin <branch>

Phase 4: Pull Request (Optional)

If user requests PR creation:

gh pr create --title "<title>" --body "$(cat <<'EOF'
## Summary
- Change 1
- Change 2

## Test Plan
- [ ] Test 1
- [ ] Test 2

---
Generated with [Claude Code](https://claude.ai/code)
EOF
)"

Phase 5: Repository About (Auto-invoke `/github-about`)

After pushing, automatically run the /github-about skill to update the repo's About section.

The /github-about skill will:

Description — Analyze the codebase and set a compelling repo description (if not already set)
Live Site URL — Detect deployment URLs (Vercel, GitHub Pages, Netlify, etc.) and set the homepage
Topics — Analyze tech stack (languages, frameworks, platforms) and add relevant topics

Simply invoke /github-about — it handles authentication, detection, and updates automatically.

5.4 Enable Discussions

After /github-about completes, also enable discussions if not already enabled:

gh repo view --json hasDiscussionsEnabled

If discussions are NOT enabled:

gh repo edit --enable-discussions

Capabilities

Scan for 20+ types of exposed secrets and credentials
Detect sensitive files that shouldn't be committed
Auto-generate professional README.md via /create_github_readme skill
Create AI-powered commit messages
Push to GitHub with safety checks
Create pull requests with descriptions
Auto-invoke /github-about to set repo description, live site URL, and topics
Auto-enable GitHub Discussions
Support for all git workflows (feature branches, main)

Security Patterns Detected

Category	Examples
Cloud Credentials	AWS, GCP, Azure, Heroku
API Keys	OpenAI, Anthropic, Stripe, Twilio, SendGrid
Auth Tokens	OAuth, Bearer, JWT, Session tokens
Database URLs	PostgreSQL, MySQL, MongoDB, Redis
Private Keys	RSA, DSA, EC, SSH, PGP
Platform Tokens	GitHub, Slack, Discord webhooks
Generic Secrets	Passwords, credentials, secrets in code

Next Steps

After running /github_push:

Verify the push succeeded on GitHub
Check Actions for CI/CD status
Review the generated README
Verify repo description, topics, and live site URL on GitHub
Check that Discussions are enabled and categories are set up
Share PR link if created
Monitor for any security alerts from GitHub

Weekly Installs

Repository

alfredang/skills

GitHub Stars

First Seen

Jan 1, 1970

Security Audits

Gen Agent Trust HubPass SocketPass SnykFail

agent-browser 浏览器自动化工具 - Vercel Labs 命令行网页操作与测试

144,300 周安装

*.keystore, *.jks (Java keystores)

.htpasswd, .netrc, .npmrc (auth files)

wp-config.php (WordPress config)

database.yml with credentials

settings.py with SECRET_KEY

GitHub Push 安全推送工具：自动扫描密钥并生成 README

🇨🇳中文介绍

GitHub Push

命令

导航

关键词

描述

执行

响应

相关 Skills

使用说明

阶段 1：密钥检测（强制）

1.1 扫描暂存文件

1.2 密钥模式检测

1.3 检查敏感文件

1.4 密钥检测结果

阶段 2：README 生成

阶段 3：Git 操作

3.1 检查状态

3.2 暂存文件

3.3 生成提交信息

3.4 提交

3.5 推送

阶段 4：拉取请求（可选）

阶段 5：仓库信息（自动调用 /github-about）

5.4 启用 Discussions

功能

检测到的安全模式

后续步骤

🇺🇸English

GitHub Push

Command

Navigate

Keywords

Description

Execution

Response

Instructions

Phase 1: Secret Detection (MANDATORY)

1.1 Scan Staged Files

1.2 Secret Pattern Detection

1.3 Check for Sensitive Files

1.4 Secret Detection Results

Phase 2: README Generation

Phase 3: Git Operations

3.1 Check Status

3.2 Stage Files

3.3 Generate Commit Message

3.4 Commit

3.5 Push

Phase 4: Pull Request (Optional)

Phase 5: Repository About (Auto-invoke /github-about)

5.4 Enable Discussions

Capabilities

Security Patterns Detected

Next Steps

最新 Skills

阶段 5：仓库信息（自动调用 `/github-about`）

Phase 5: Repository About (Auto-invoke `/github-about`)