vibe-pre-commit-audit
npx machina-cli add skill ash1794/vibe-engineering/pre-commit-audit --openclaw
Catch the easy mistakes before they enter history.
When to Use This Skill
- Before creating a git commit
- When reviewing your own staged changes
- Before pushing to a shared branch
When NOT to Use This Skill
- Commits to personal scratch branches
- When the user explicitly says to skip checks
- Auto-generated code commits (lock files, etc.)
Checks
1. Secrets & Credentials
Scan for patterns:
- API_KEY=, SECRET=, PASSWORD=, TOKEN=
- AWS keys: AKIA[0-9A-Z]{16}
- Private keys: -----BEGIN.*PRIVATE KEY-----
- Connection strings with credentials
- .env files being staged
2. Debug Statements
- console.log(, fmt.Println(, print(, debugger;
- // DEBUG, # DEBUG, /* DEBUG
- log.Debug in non-debug code paths
3. TODOs Without References
- TODO without issue number: TODO: fix this (bad), TODO(#123): fix this (good)
- FIXME, HACK, XXX: flag all
4. Disabled Tests
- t.Skip(, xit(, xdescribe(, @pytest.mark.skip
- Commented-out test functions
- //nolint without justification
5. Large Files
- Files > 1MB
- Binary files (images, compiled assets)
- Lock files with excessive changes
6. Commented-Out Code
- Blocks of 3+ consecutive commented-out lines of code
- Not comments explaining code, but actual code that's commented out
Output Format
Pre-Commit Audit
Status: CLEAN / WARNINGS / BLOCKED
| Check | Status | Findings |
|---|---|---|
| Secrets | ✓/✗ | X patterns found |
| Debug statements | ✓/✗ | X occurrences |
| TODOs | ✓/◐ | X without references |
| Disabled tests | ✓/✗ | X found |
| Large files | ✓/✗ | X over limit |
| Commented code | ✓/◐ | X blocks |
Blocking Issues (must fix)
- [Secret found in file.go:42]
Warnings (should fix)
- [TODO without reference in handler.ts:15]
Source
git clone https://github.com/ash1794/vibe-engineering/blob/master/skills/pre-commit-audit/SKILL.md
Overview
vibe-pre-commit-audit scans staged changes for sensitive data, debug statements, and common commit mistakes. It helps prevent credential leaks, noisy history, and failing checks by enforcing pre-commit hygiene.
How This Skill Works
The tool hooks into your pre-commit workflow and analyzes the diff of staged files using regex-based checks for secrets, credentials, TODOs with and without references, disabled tests, large or binary files, and commented-out code. It outputs a structured report and can block the commit until blocking issues are resolved.
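The Secrets & Credentials check applied to a staged diff, as an added example (not the skill's own code): it runs the three regexes listed under Checks against added lines only, tracks new-file line numbers from the hunk headers, and reports location and rule without echoing the matched value. The names scan_diff, RULES, HUNK and SAMPLE_DIFF, and the requirement of a non-empty value after "=", are assumptions.

```python
import re
import sys

# Patterns from the Secrets check; requiring a value after "=" is an assumption.
RULES = {
    "credential assignment": re.compile(r"(API_KEY|SECRET|PASSWORD|TOKEN)=\S"),
    "AWS access key id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "private key": re.compile(r"-----BEGIN.*PRIVATE KEY-----"),
}
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,(\d+))? @@")

# Constructed sample of `git diff --cached --unified=0` output (fake values, headers trimmed).
SAMPLE_DIFF = """\
+++ b/config/settings.py
@@ -10,0 +11,2 @@
+DEBUG = False
+API_KEY=constructed-not-a-real-key
@@ -41,0 +44 @@
+aws_id = "AKIAEXAMPLEEXAMPLE00"
+++ b/.env
@@ -0,0 +1 @@
+LOG_LEVEL=info
"""


def scan_diff(diff_text):
    """Return (path, line, rule) for every added line that matches a rule."""
    findings, path, line_no, remaining = [], None, 0, 0
    for line in diff_text.split("\n"):
        if remaining and line.startswith(("+", " ")):  # inside a hunk body
            if line[0] == "+":
                findings += [(path, line_no, name) for name, rx in RULES.items()
                             if rx.search(line[1:])]
            line_no, remaining = line_no + 1, remaining - 1
        elif line.startswith("+++ "):  # new-side file header
            path = line[4:].removeprefix("b/")
            if path.rsplit("/", 1)[-1] == ".env":
                findings.append((path, 0, ".env file staged"))
        elif m := HUNK.match(line):
            line_no, remaining = int(m.group(1)), int(m.group(2) or 1)
    return findings


if __name__ == "__main__":  # hook: git diff --cached --unified=0 | python3 audit.py
    found = scan_diff(SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read())
    for path, line_no, rule in found:  # report location and rule, never the value
        print(f"- [Secret found in {path}:{line_no}] ({rule})")
    raise SystemExit(1 if found else 0)  # non-zero exit blocks the commit
```

Counting lines from the hunk header rather than matching on a "+++ " prefix keeps an added line whose content starts with "++ " from being read as a file header, which would otherwise misattribute every later finding.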
When to Use It
- Before creating a git commit
- When reviewing your own staged changes
- Before pushing to a shared branch
- When you add secrets, debug statements, or TODOs without references
- When cleaning up a feature branch to avoid large or unnecessary files
Quick Start
- Step 1: Enable vibe-pre-commit-audit in your repo's pre-commit workflow or hook
- Step 2: Stage changes (git add ...) and trigger the audit (via pre-commit or command)
- Step 3: Fix flagged items, re-stage, and re-run until the audit reports CLEAN
Best Practices
- Run the audit on every commit on feature branches
- Fix all Secrets and Credentials findings before committing
- Use TODOs with references (e.g., TODO(#123)) to track tasks
- Exclude non-source or generated files from the scan when appropriate
- Rotate exposed credentials immediately if any secret is found
Example Use Cases
- A staged file contains API_KEY=..., so rotate the key and remove the credential from the commit
- A TODO without an issue reference is flagged; add TODO(#123) and link to the task
- console.log or debug statements appear in production code; remove or guard behind a debug flag
- Tests are disabled with markers like t.Skip or xdescribe; update or remove as needed
- A large binary file or lock file is staged; remove from the commit or move to proper asset handling