Secret Scan Until Clean
Scan the repo for leaked secrets, rotate exposed credentials, verify clean scan, and loop until no leaks remain.
by Trooper
Start the "Secret Scan Until Clean" loop.
Goal: repo secret scan is clean with exposed credentials rotated
Max iterations: 8
Between iterations run: gitleaks detect --source . --verbose || trufflehog filesystem .
Exit when: secret scan reports zero findings
Step 1: Scan for secrets, rotate exposed credentials, remove leaks, and verify clean scan.
Self-pace this loop. After each iteration, run the check command, read the output, and only continue if the exit condition is not met. Stop when the exit condition passes or max iterations is reached. Give a short status update each pass.
Paste the kickoff prompt into Cursor, Claude Code, or Codex. Deeplinks do not install hook files.
1. Scan repo
Run gitleaks or trufflehog across the full repository.
2. Rotate and remove
Revoke exposed credentials, rotate keys, and purge from history if needed.
3. Verify clean
Re-run scan and confirm zero findings before closing the loop.
Guardrails
Rules the agent must follow so it cannot cheat the exit condition.
- Rotate every exposed secret — removing from git history alone is not enough
- Do not commit new secrets while fixing old ones
- Report rotation steps to the user — never log secret values
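Driver for the three steps above and for the "never log secret values" guardrail, as an added example that is not part of the original page or its prompt: it parses a gitleaks JSON report, prints only redacted findings in each status update, and loops scan, remediate, re-scan until the report is empty or the eight-pass cap is reached. It assumes gitleaks v8 invoked with `--report-format json --report-path` and uses a constructed sample report; `run_gitleaks`, `loop_until_clean` and the simulated scanner are this example's own names. One caveat on the page's check command: with `A || B`, trufflehog only runs when gitleaks exits non-zero, and gitleaks exits 1 precisely when it finds leaks, while trufflehog exits 0 by default even with findings (its `--fail` flag changes that), so the combined command can report success on a repo that still leaks. Judging the exit condition from the report contents rather than the shell status avoids that.

```python
"""Scan-until-clean driver over gitleaks JSON reports (added example).

Assumptions (not from the page): gitleaks v8 is run with
`--report-format json --report-path`, whose report is a JSON array of
findings with "RuleID", "File", "StartLine", "Commit", "Fingerprint",
"Match" and "Secret" keys. The sample report below is constructed.
"""
import json
import subprocess
from typing import Callable, Dict, List

MAX_ITERATIONS = 8  # matches the loop's "Max iterations: 8"

# Constructed sample gitleaks report: one fake AWS-style key in a config file.
# The commit hash and the key are placeholders, not real values.
SAMPLE_REPORT = json.dumps([
    {
        "Description": "AWS Access Key",
        "StartLine": 12,
        "EndLine": 12,
        "File": "config/settings.py",
        "Commit": "0000000000000000000000000000000000000000",
        "RuleID": "aws-access-token",
        "Match": "AWS_KEY = 'AKIA0000000000EXAMPLE'",
        "Secret": "AKIA0000000000EXAMPLE",
        "Fingerprint": "0000000000000000000000000000000000000000:config/settings.py:aws-access-token:12",
    }
])

Finding = Dict[str, object]


def parse_report(text: str) -> List[Finding]:
    """Parse a gitleaks JSON report; an empty file or '[]' means no findings."""
    text = text.strip()
    if not text:
        return []
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("gitleaks JSON report must be a list of findings")
    return data


def redact(finding: Finding) -> Finding:
    """Keep only location metadata. 'Secret' and 'Match' carry the leaked
    value and must never reach logs or status updates (third guardrail)."""
    keep = ("RuleID", "File", "StartLine", "Commit", "Fingerprint")
    return {k: finding[k] for k in keep if k in finding}


def run_gitleaks(repo: str, report_path: str) -> List[Finding]:
    """Run gitleaks and read its report. gitleaks exits 0 when clean and
    1 when leaks were found (default --exit-code); anything else is a tool
    error rather than a scan result and must not count as 'clean'."""
    proc = subprocess.run(
        ["gitleaks", "detect", "--source", repo, "--no-banner",
         "--report-format", "json", "--report-path", report_path],
        capture_output=True, text=True,
    )
    if proc.returncode not in (0, 1):
        raise RuntimeError(f"gitleaks failed ({proc.returncode}): {proc.stderr.strip()}")
    with open(report_path, encoding="utf-8") as fh:
        return parse_report(fh.read())


def loop_until_clean(scan: Callable[[], List[Finding]],
                     remediate: Callable[[List[Finding]], None],
                     max_iterations: int = MAX_ITERATIONS) -> Dict[str, object]:
    """Scan, remediate, re-scan; stop at zero findings or max_iterations.
    Returns pass-by-pass finding counts so the exit decision is auditable."""
    history: List[int] = []
    for i in range(1, max_iterations + 1):
        findings = scan()
        history.append(len(findings))
        print(f"pass {i}/{max_iterations}: {len(findings)} finding(s)")
        for f in findings:
            print("  ", redact(f))  # location only, never the secret value
        if not findings:
            return {"clean": True, "iterations": i, "history": history}
        remediate(findings)  # rotate + remove; only the re-scan decides success
    return {"clean": False, "iterations": max_iterations, "history": history}


if __name__ == "__main__":
    # Offline demo with a simulated scanner: one leak on the first pass, then clean.
    remaining = [parse_report(SAMPLE_REPORT)]

    def fake_scan() -> List[Finding]:
        return remaining[0]

    def fake_remediate(findings: List[Finding]) -> None:
        remaining[0] = []  # stands in for rotating the key and purging history

    print(loop_until_clean(fake_scan, fake_remediate))
    # Against a real checkout:
    # loop_until_clean(lambda: run_gitleaks(".", "/tmp/gitleaks.json"), your_remediate)
```

The `remediate` callback is deliberately opaque to the loop: rotation happens in the credential provider and removal in the repo, and neither is trusted as evidence. Only the next scan's empty report satisfies the exit condition, which is what stops the loop from being closed early.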
