Alvey Automation
Download · Security Stack v1.0

Stop committing credentials. Forever.

A pre-commit security stack that blocks AWS keys, Stripe secrets, OAuth tokens, and ~100 other credential patterns before they enter your git history. One install command. Works on Python and Node.js.

$49 one-time · MIT license · 30-day refund

The 4-hour problem this solves in 90 seconds

Setting up production-grade pre-commit security from scratch takes most developers a full afternoon:

  • Pick between gitleaks, trufflehog, detect-secrets, semgrep — they all catch different things.
  • Wire pre-commit framework, version-pin every hook.
  • Tune the gitleaks allowlist so docker-compose dev passwords and lockfile hashes stop spamming you.
  • Add the Intuit/QBO patterns that gitleaks' default ruleset misses.
  • Build CI workflows for daily dependency CVE scans.
  • Test it all on a sandbox repo with planted credentials.

This pack is the assembled, tuned, tested result. Run bash setup.sh inside any repo and 90 seconds later you're protected.

What's in the bundle

  • .pre-commit-config.yaml — version-pinned, ordered, with sensible defaults.
  • .gitleaks.toml — tuned ruleset with seven custom detectors for Intuit/QBO, Anthropic, OpenAI, Discord webhooks, Slack webhooks, Railway tokens, generic bearer tokens.
  • .trufflehog.yaml — path filters and --only-verified mode for low-noise live-credential detection.
  • setup.sh + setup.ps1 — cross-platform installer (Linux/macOS/WSL + Windows).
  • GitHub Actions templates — daily pip-audit and npm audit cron workflows.
  • Hash-pinning template — the pip-compile --generate-hashes workflow most devs skip.
  • EXAMPLES.md — five worked examples of catches, each with the exact scan output and recommended fix.
  • FALSE_POSITIVES.md — pre-built allowlist for the noise that bites every team.
  • MIT license — use it in commercial projects, fork it, modify it.

Built for two real failure modes

The accidental commit (95% of leaks)

You're racing to ship before a demo. You inline an API key "just to test it locally," forget about it, and git commit -am "fix". The credential is now in your git history forever.

This pack rejects that commit before it lands on disk. You see a clear error, fix the code, move on. No rotation, no panic, no Slack thread.

The dependency CVE that drops next week

Your requirements.txt was clean when you committed it. Three days later, a critical CVE drops on a transitive dep. Without a daily scheduled scan, you find out from a news headline.

The included GitHub Actions workflows run pip-audit / npm audit every morning at 6 AM. New CVE in your locked deps → failed build → Slack alert. Caught in 24 hours, not 24 days.

This pack is the opinionated assembly — every individual tool is open-source and free. What you're paying for is the 4 hours of assembly + tuning + verification, replaced with a 90-second install.

FAQ

I can find all of these tools for free, why pay $49?
You can. The cost is the 4-8 hours figuring out the right combination, allowlist patterns, custom detectors, and CI integration. If your time is worth less than $7-12/hour, definitely build it yourself. Otherwise this pays back the first time it blocks a credential commit.
Will it slow down my commits?
First commit after install: ~30-60s while tool binaries download. Subsequent commits: 1-3s for typical change sets. The trufflehog hook runs in --only-verified mode so it only does network calls when it finds a credential pattern that needs confirmation.
What if I get a false positive on a legitimate file?
Add a path or pattern to .gitleaks.toml [allowlist]. The included FALSE_POSITIVES.md walks through the most common cases (docker-compose dev passwords, test SSH keys, JWT seeds, base64 fixtures). Adding an allowlist entry takes ~30 seconds.
Does it work for Ruby or Go?
This release covers Python + Node.js (90% of indie dev market). Ruby (bundler-audit) and Go (govulncheck) workflows are planned for v2. Email if you need them sooner — happy to scope a v1.1 add-on.
What about secrets already in my history?
Pre-commit only catches future commits. For existing leaks, the EXAMPLES.md walks through the rotation playbook (rotate first, scrub history second — and history scrubbing is purely cosmetic once credentials are rotated).
Refund policy?
30-day no-questions-asked refund. Email and you'll have a refund within 24 hours.
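For readers who want to see what the tuned .gitleaks.toml in the bundle list and the allowlist step in the false-positive answer actually look like, here is an added illustrative config (not the pack's shipped file): it extends gitleaks' default ruleset with one custom generic bearer-token detector and silences the docker-compose dev-password and lockfile-hash noise. The rule id, regexes, paths and the sample dev password are assumptions made for the example, not the product's real values.

```toml
# Added illustrative example, not the pack's shipped .gitleaks.toml.
title = "tuned gitleaks config"

# Keep gitleaks' built-in rules (AWS, Stripe, Slack, ...) and add to them.
[extend]
useDefault = true

# Custom detector: a generic bearer token. Assumed regex; vendor-specific
# detectors are far tighter because they can anchor on a known key prefix.
[[rules]]
id = "generic-bearer-token"
description = "Bearer token in an Authorization header or config value"
regex = '''(?i)\bbearer\s+[a-z0-9\-._~+/]{20,}=*'''
keywords = ["bearer"]   # cheap pre-filter: regex only runs on lines containing this
entropy = 3.0           # skip low-entropy placeholders such as "xxxxxxxxxxxxxxxxxxxx"

# Rule-level allowlist: test fixtures may legitimately carry fake tokens.
[rules.allowlist]
paths = ['''(^|/)tests?/fixtures/''']
regexes = ['''(?i)bearer\s+EXAMPLE_TOKEN''']

# Global allowlist for the noise that bites every team.
[allowlist]
description = "Local-dev passwords and lockfile hashes are not secrets"
paths = [
  '''(^|/)docker-compose(\.dev)?\.ya?ml$''',   # dev-only service passwords
  '''(^|/)package-lock\.json$''',              # npm integrity hashes
  '''(^|/)poetry\.lock$''',                    # hash-pinned Python deps
  '''(^|/)requirements.*\.txt$''',             # pip-compile --generate-hashes output
]
regexes = [
  '''POSTGRES_PASSWORD=devpassword''',   # assumed placeholder value, not a real credential
]
# Findings whose secret contains any of these words are dropped.
stopwords = ["example", "placeholder", "changeme"]
```

Allowlisting a whole lockfile trades a little coverage for a lot less noise; if a lockfile ever carries a private registry token, a rule-level allowlist scoped to the hash pattern is the safer choice.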

Don't be the next 'I committed a key' Slack thread.

90-second install. Lifetime updates. MIT-licensed. 30-day refund.