git-secrets Environment Risk Statusline
Claude Code statusline that surfaces sensitive environment-file risk and can optionally run git-secrets as a local pre-commit-style scanner.
Open the source and read safety notes before installing.
Safety notes
- The default mode does not scan file contents; it only counts sensitive-looking environment files in Git status.
- Enable recursive git-secrets scanning only in repositories where you are authorized to inspect all files.
- Treat any scan warning as a stop-and-review signal before committing, sharing logs, or opening a PR.
Privacy notes
- The default output prints counts only and does not print filenames or matched values.
- Recursive scans read repository files and may inspect sensitive local material.
- Terminal recordings can still reveal that a workspace contains sensitive environment files.
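The default mode counts only what `git status` reports, so an environment file that is ignored, or already committed and unchanged, adds nothing to the number. The following added example (not part of the statusline's source) reuses the script's pathspecs to report all three states, still as counts only; the helper names `env_paths`, `count_lines` and `env_risk_breakdown` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the statusline's source: env-file counts by Git state.
# Helper names are hypothetical. Prints counts only, never filenames or contents.
set -u

# Run a git command against the same pathspecs the statusline script uses.
env_paths() { "$@" -- .env '.env.*' .npmrc .pypirc .netrc 2>/dev/null; }

# Count non-empty lines on stdin; always prints a number.
count_lines() { grep -c . || true; }

env_risk_breakdown() (
    # pending: untracked, modified or staged; this is what the default mode counts.
    pending=$(env_paths git status --porcelain=v1 | count_lines)
    # ignored: on disk but hidden from plain `git status` by an ignore rule.
    ignored=$(env_paths git status --porcelain=v1 --ignored | grep -c '^!!' || true)
    # tracked: already in the index, so it shows as pending only when it changes.
    tracked=$(env_paths git ls-files | count_lines)
    printf 'pending=%s ignored=%s tracked=%s\n' "$pending" "$ignored" "$tracked"
)

# Report for the current repository when there is one.
if git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    env_risk_breakdown
fi
```

A non-zero `tracked` count means a matching file is already in the index, which the default statusline output shows only while that file has uncommitted changes.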
Prerequisites
- Git installed and the command run from a repository worktree.
- Optional git-secrets installed if GIT_SECRETS_STATUSLINE_SCAN is set to 1.
- A slower refresh interval when optional scanning is enabled, because recursive scans can be expensive.
Schema details
- Install type: config
- Troubleshooting: No
- Scope: Source repo
- Script language: bash
Script body
#!/usr/bin/env bash
set -u

main() {
    # Outside a Git worktree there is nothing to report.
    if ! git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        echo "secrets: no repository"
        exit 0
    fi

    # Count matching entries in Git status; filenames are never printed.
    env_count=$(git status --porcelain=v1 -- .env '.env.*' .npmrc .pypirc .netrc 2>/dev/null | wc -l | tr -d ' ')

    # Default mode: counts only, no content scan.
    if [ "${GIT_SECRETS_STATUSLINE_SCAN:-0}" != "1" ]; then
        printf 'secrets: env files %s | scan opt-in\n' "$env_count"
        exit 0
    fi

    # Opt-in mode: recursive git-secrets scan, with scan output discarded.
    if command -v git-secrets >/dev/null 2>&1; then
        if git-secrets --scan -r . >/dev/null 2>&1; then
            printf 'secrets: env files %s | scan clean\n' "$env_count"
        else
            printf 'secrets: env files %s | review scan\n' "$env_count"
        fi
    elif git secrets --help >/dev/null 2>&1; then
        # git-secrets is available only as a git subcommand.
        if git secrets --scan -r . >/dev/null 2>&1; then
            printf 'secrets: env files %s | scan clean\n' "$env_count"
        else
            printf 'secrets: env files %s | review scan\n' "$env_count"
        fi
    else
        printf 'secrets: env files %s | git-secrets missing\n' "$env_count"
    fi
}

# Skip main when the shell is in noexec (-n) mode.
case $- in
    *n*) ;;
    *) main "$@" ;;
esac
Full copyable content
{
  "statusLine": {
    "type": "command",
    "command": "$CLAUDE_PROJECT_DIR/.claude/statuslines/git-secrets-env-risk-statusline.sh"
  }
}
About this resource
Source notes
- AWS Labs git-secrets documents a Git-focused scanner for preventing secrets from being committed.
- This entry focuses on local environment-file risk and optional git-secrets scanning rather than Gitleaks, which already has a dedicated tools entry.
Duplicate check
Checked existing statuslines, live HeyClaude statuslines, open pull requests, and repository content for git-secrets-env-risk-statusline, git-secrets, Gitleaks, sensitive environment statuslines, and secret-risk entries. The earlier Gitleaks submission was closed for matching content/tools/gitleaks.mdx; this replacement uses AWS Labs git-secrets with a different canonical source and scope.
Disclosure
Editorial statusline recipe. No paid placement or affiliate link is used.