This repo has been merged into ruyi-skills and is no longer maintained here. For the latest version, install from ruyi-skills:
skills/ruyi-github-safe-publish/
Safely publish local Git projects to GitHub public repositories with two-layer desensitization scanning (135 deterministic rules + AI semantic analysis), auto-fix, backup, and end-to-end publishing workflow.
A Claude Code skill / plugin.
Pushing a local project to a public GitHub repo risks leaking secrets, PII, internal infrastructure details, and other sensitive data. Existing tools like Gitleaks and TruffleHog detect secrets but don't fix them or handle the full publishing workflow.
GitHub Safe Publish combines deterministic rule scanning (135 regex rules across 6 dimensions) with AI semantic analysis to find what regexes miss, then walks you through fixing, creating the repo, and pushing — all in one command.
- Two-layer scanning: 135 deterministic rules (Layer 1) + AI semantic analysis with independent sub-agents (Layer 2)
- 6 scanning dimensions: Keys/Credentials (100), Database Connection Strings (5), PII (8), Internal Infrastructure (6), File Blacklist (12), Git History (4)
- Auto-fix with user confirmation: Replace secrets with placeholders, or choose manual fix / delete / accept risk
- Backup branch: `pre-publish-backup` created before any modifications for easy rollback
- End-to-end publishing: Interactive repo creation via `gh` CLI with visibility, name, and description confirmation
- Optional `--seo`: GitHub description optimization, topic tags, shields.io badges, README structure check
- Optional `--ci`: Auto-detect project type and generate `.github/workflows/test.yml`
```
/github-safe-publish              # Full flow: scan → fix → publish
/github-safe-publish --scan       # Scan only — report what's wrong, no fixes
/github-safe-publish --dry-run    # Scan + show suggested fixes, no actual changes
/github-safe-publish --seo        # Full flow + SEO optimization
/github-safe-publish --ci         # Full flow + CI workflow generation
/github-safe-publish --seo --ci   # Everything
```
| Step | Full | --scan | --dry-run |
|---|---|---|---|
| 1. Pre-flight checks | yes | yes | yes |
| 2. Backup branch | yes | skip | skip |
| 3. Two-layer scan | yes | yes | yes |
| 4. Auto-fix + confirm | yes | skip | suggestions only |
| 5. Repo create + push | yes | skip | skip |
| 6. Verify + report | yes | scan report | scan report + suggestions |
Step 1: Pre-flight + interactive confirmation
Step 2: Create backup branch (`pre-publish-backup`)
Step 3: Two-layer desensitization scan
  - Layer 1: 135 deterministic regex rules (6 dimensions)
  - Layer 2: AI semantic scan (1-2 rounds, independent sub-agents)
Step 4: Auto-fix + user confirmation (findings rated CRITICAL / WARNING / SAFE)
Step 5: Repo decision + push (interactive, via `gh` CLI)
Step 6: Verification + report
| Dimension | Rules | What it detects |
|---|---|---|
| A. Keys/Credentials | 100 | AWS, Azure, GCP, GitHub, GitLab, OpenAI, Stripe, Slack, and 90+ more providers |
| A2. Database Strings | 5 | PostgreSQL, MySQL, MongoDB, Redis, JDBC connection strings |
| B. PII | 8 | Email, phone, national ID, names |
| C. Infrastructure | 6 | Internal IPs, local paths, internal domains, NAS/VPN URLs |
| D. File Blacklist | 12 | .env, .pem, .key, .db, credentials.*, etc. |
| E. Git History | 4 | Sensitive data in commit messages, deleted files |
See docs/scanning-rules.md for the complete regex reference.
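To make the Layer 1 scan and the placeholder auto-fix concrete, here is an added, self-contained example. It is not the project's code (the real 135 rules live in docs/scanning-rules.md) and it uses an assumed mini rule set of one or two regexes per dimension, a constructed sample tree, and hypothetical function names (`scan_tree`, `auto_fix`, `publishable_tree`, `verdict`). It shows the three things the workflow above depends on: findings rated CRITICAL / WARNING / SAFE, overlapping matches de-duplicated by rule priority (so the password inside a DB URL is not also reported as an "email"), and a rescan of the fixed tree as the verification step.

```python
"""Layer-1-style deterministic scan plus placeholder auto-fix (worked example, not the project's code)."""
import fnmatch
import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    dimension: str
    severity: str        # "CRITICAL" or "WARNING"
    pattern: re.Pattern
    placeholder: str     # what auto-fix substitutes for the match


# Assumed mini rule set, in priority order: an earlier match wins over a later
# overlapping one. Placeholders are chosen so that a rescan of fixed text is clean.
RULES = [
    Rule("aws-access-key-id", "A. Keys/Credentials", "CRITICAL",
         re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "<AWS_ACCESS_KEY_ID>"),
    Rule("github-pat", "A. Keys/Credentials", "CRITICAL",
         re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), "<GITHUB_TOKEN>"),
    Rule("postgres-url", "A2. Database Strings", "CRITICAL",
         re.compile(r"postgres(?:ql)?://[^\s'\"]+"), "<DATABASE_URL>"),
    Rule("email", "B. PII", "WARNING",
         re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"), "<EMAIL>"),
    Rule("private-ipv4", "C. Infrastructure", "WARNING",
         re.compile(r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b"),
         "<INTERNAL_IP>"),
]

# D. File blacklist: these files never reach a public repo, whatever they contain.
BLACKLIST = (".env", "*.pem", "*.key", "*.db", "credentials.*")


@dataclass(frozen=True)
class Finding:
    path: str
    rule_id: str
    dimension: str
    severity: str
    start: int           # character offsets into the content; -1 for file-level findings
    end: int
    placeholder: str


def is_blacklisted(path: str) -> bool:
    name = os.path.basename(path)
    return any(fnmatch.fnmatch(name, pat) for pat in BLACKLIST)


def scan_file(path: str, content: str) -> list[Finding]:
    findings: list[Finding] = []
    if is_blacklisted(path):
        findings.append(Finding(path, "file-blacklist", "D. File Blacklist", "CRITICAL", -1, -1, ""))
    taken: list[tuple[int, int]] = []
    for rule in RULES:
        for m in rule.pattern.finditer(content):
            if any(m.start() < e and s < m.end() for s, e in taken):
                continue  # overlaps a higher-priority finding: report it once, not twice
            taken.append((m.start(), m.end()))
            findings.append(Finding(path, rule.rule_id, rule.dimension, rule.severity,
                                    m.start(), m.end(), rule.placeholder))
    return findings


def scan_tree(files: dict[str, str]) -> dict[str, list[Finding]]:
    return {path: scan_file(path, content) for path, content in files.items()}


def verdict(report: dict[str, list[Finding]]) -> str:
    severities = {f.severity for fs in report.values() for f in fs}
    return "CRITICAL" if "CRITICAL" in severities else ("WARNING" if severities else "SAFE")


def auto_fix(content: str, findings: list[Finding]) -> str:
    """Replace each matched span with its placeholder, right to left so earlier offsets stay valid."""
    for f in sorted((f for f in findings if f.start >= 0), key=lambda f: f.start, reverse=True):
        content = content[:f.start] + f.placeholder + content[f.end:]
    return content


def publishable_tree(files: dict[str, str]) -> dict[str, str]:
    """Working tree after auto-fix: secrets replaced in place, blacklisted files dropped entirely."""
    fixed = {}
    for path, content in files.items():
        if is_blacklisted(path):
            continue  # a .env cannot be 'fixed' with placeholders; it is removed from the publish set
        fixed[path] = auto_fix(content, scan_file(path, content))
    return fixed


# Constructed sample project. No real secrets: the AWS key is AWS's own documentation example
# and the GitHub token is a dummy of the right shape.
SAMPLE_FILES = {
    "config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'DATABASE_URL = "postgresql://app:hunter2@db.internal:5432/app"\n'
        'ADMIN_EMAIL = "ops@example.com"\n'
        'NAS = "http://192.168.1.20/share"\n'
    ),
    ".env": "GITHUB_TOKEN=ghp_" + "a" * 36 + "\n",
    "README.md": "Run the tests before pushing.\n",
}

if __name__ == "__main__":
    report = scan_tree(SAMPLE_FILES)
    for path, fs in report.items():
        for f in fs:
            print(f"{f.severity:8} {path}: {f.rule_id} ({f.dimension})")
    print("verdict before fix:", verdict(report))
    fixed = publishable_tree(SAMPLE_FILES)
    print(fixed["config.py"])
    print("verdict after fix: ", verdict(scan_tree(fixed)))   # the Step 6 style verification
```

Two caveats a practitioner should keep in mind when reading this. First, a placeholder in the working tree does nothing for a secret that was already committed: that is what the Git History dimension is for, and any real credential found this way must be rotated regardless of how the file is cleaned. Second, the "rescan is clean" check only holds if placeholders cannot themselves match a rule, which is why the DB URL is collapsed to `<DATABASE_URL>` rather than a templated URL.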
You might wonder: Gitleaks has ~120 rules, TruffleHog has 873+ detectors — why only 135?
Apples vs oranges. TruffleHog's 873 detectors are single-dimensional (API keys only), mostly covering niche SaaS services. Our 135 rules span 6 dimensions — keys/credentials (100), database connection strings (5), PII (8), internal infrastructure (6), file blacklist (12), and git history (4). We overlap with TruffleHog on ~50 popular providers (AWS, Azure, GCP, GitHub, Stripe, etc.) and cover 15 providers they don't (npm, DigitalOcean, Cloudflare, Telegram, Discord, etc.).
The real differentiator isn't rule count — it's what happens after detection: AI semantic analysis catches what regexes miss, auto-fix replaces secrets with placeholders, and the end-to-end workflow handles repo creation and push. No other tool does this pipeline.
Select Browse and install plugins → Select github-safe-publish → Select Install now

```
# 1. Add marketplace
/plugin marketplace add zwyin/github-safe-publish
# 2. Install plugin
/plugin install github-safe-publish@github-safe-publish
```

Please install github-safe-publish from github.com/zwyin/github-safe-publish

```shell
npx skills add zwyin/github-safe-publish
```

Not yet published to ClawHub registry. Track progress at github.com/zwyin/github-safe-publish.

```shell
clawhub install github-safe-publish
```

```shell
git clone https://github.com/zwyin/github-safe-publish.git
claude --plugin-dir ./github-safe-publish
```

Or copy `skills/github-safe-publish/SKILL.md` to your project's skill directory.
| Platform | Install |
|---|---|
| Cursor | Copy dist/cursor/*.mdc files to .cursor/rules/ |
| Windsurf | Copy dist/windsurf/.windsurfrules to .windsurf/rules/ |
| OpenCode | Copy dist/opencode/AGENTS.md to .opencode/skills/ |
```shell
pip install -r requirements-dev.txt
pytest tests/ -q
```

Or use the validation script:

```shell
bash scripts/validate_skill.sh
```

```
github-safe-publish/
├── .claude-plugin/              # Plugin metadata
├── skills/                      # Skill definitions
│   └── github-safe-publish/
│       └── SKILL.md             # Single source of truth
├── docs/
│   ├── scanning-rules.md        # Complete regex reference (135 rules)
│   └── superpowers/specs/       # Design documents
├── scripts/
│   ├── release.sh               # Version bump + tag
│   └── validate_skill.sh        # One-click validation
├── tests/                       # 235 tests
├── CHANGELOG.md
├── CLAUDE.md
└── LICENSE
```