SCA & Secret Scanning

SCA — Software Composition Analysis

SCA scans a project's open-source dependencies, transitive ones included, against databases of known vulnerabilities (CVEs and ecosystem advisories) by matching package identity and version against each advisory's affected range. It is the most actionable security testing category because remediation is usually straightforward: upgrade to the fixed version. Two caveats: a matched CVE is not necessarily reachable from your code, and a major-version jump can require code changes, so triage by severity and exploitability before bulk-upgrading.

```bash
# Snyk: test, then auto-upgrade what it can
snyk test --all-projects --severity-threshold=high   # exit code 1 when any high/critical issue is found
snyk fix --all-projects                              # upgrade vulnerable dependencies where a fixed version exists
```

```yaml
# Dependabot version updates (.github/dependabot.yml)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 20
    labels:
      - "security"
      - "dependencies"
    reviewers:
      - "security-team"   # a bare name is a user; a team is written as "org/team-name"
```
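As an added example (not code from this page, from Snyk or from syft), here is the matching step an SCA tool performs, written in Python over a constructed CycloneDX JSON SBOM of the shape `syft -o cyclonedx-json` emits and a constructed advisory list. The advisory IDs, packages, ranges and severities are placeholders, and the version comparison is a simplified numeric one rather than full semver; what it shows is the half-open affected range and the severity gate that `--severity-threshold=high` applies.

```python
"""Minimal SCA matcher: CycloneDX SBOM components checked against an advisory list.

Added example for illustration, not code from this page, Snyk or syft.
The SBOM fragment and the advisories are constructed; the advisory IDs,
affected ranges and severities are placeholders, not real vulnerabilities.
"""
import json

# Constructed CycloneDX 1.5 JSON, shaped like `syft scan . -o cyclonedx-json` output.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "lodash",   "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
    {"type": "library", "name": "express",  "version": "4.19.2",  "purl": "pkg:npm/express@4.19.2"},
    {"type": "library", "name": "requests", "version": "2.31.0",  "purl": "pkg:pypi/requests@2.31.0"}
  ]
}
"""

# Constructed advisory feed (placeholder IDs). A real SCA tool pulls this from a
# vulnerability database keyed by package identity and affected version range.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "pkg": "pkg:npm/lodash",    "introduced": "0.0.0", "fixed": "4.17.21", "severity": "high"},
    {"id": "EXAMPLE-0002", "pkg": "pkg:npm/express",   "introduced": "4.0.0", "fixed": "4.19.0",  "severity": "medium"},
    {"id": "EXAMPLE-0003", "pkg": "pkg:pypi/requests", "introduced": "2.0.0", "fixed": "2.32.0",  "severity": "low"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_version(version):
    """Dotted version -> tuple of ints for comparison. Simplified: non-numeric
    suffixes such as '-beta' are dropped; real tools apply ecosystem semver rules."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def split_purl(purl):
    """'pkg:npm/lodash@4.17.20' -> ('pkg:npm/lodash', '4.17.20'). Scoped npm names
    encode '@' as %40, so the first literal '@' is the version separator."""
    pkg, _, version = purl.partition("@")
    return pkg, version


def affected(version, introduced, fixed):
    """Advisory ranges are half-open [introduced, fixed): the fix release itself is clean."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def match_sbom(sbom_json, advisories, severity_threshold="low"):
    """Findings for every component inside an affected range at or above the
    threshold, worst first. The threshold is what `snyk test --severity-threshold=high` gates on."""
    components = json.loads(sbom_json).get("components", [])
    minimum = SEVERITY_RANK[severity_threshold]
    findings = []
    for comp in components:
        purl = comp.get("purl")
        if not purl:
            continue  # components without a purl cannot be matched reliably
        pkg, version = split_purl(purl)
        for adv in advisories:
            if adv["pkg"] != pkg or SEVERITY_RANK[adv["severity"]] < minimum:
                continue
            if affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "id": adv["id"], "purl": purl, "severity": adv["severity"],
                    "fix": f"upgrade {comp['name']} to >= {adv['fixed']}",
                })
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    return findings


def gate(sbom_json, advisories, severity_threshold="high"):
    """CI exit code: 1 when anything at or above the threshold is found, else 0."""
    return 1 if match_sbom(sbom_json, advisories, severity_threshold) else 0


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES, "low"):
        print(f"{f['severity'].upper():8} {f['id']}  {f['purl']}  -> {f['fix']}")
    raise SystemExit(gate(SBOM_JSON, ADVISORIES, "high"))
```

Run as a script it lists both hits but exits 1 only for the high-severity one, the behaviour a CI gate needs. Production tools differ in the details (npm semver versus PEP 440 version ordering, purl normalisation, advisory aliases), not in this matching logic; the detail most often got wrong by hand-rolled checks is the exclusive upper bound, which is why `affected` is written as a half-open range.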

Secret Scanning

Secrets in source code are a leading cause of credential compromise, and once a secret has been pushed to a shared remote it has to be treated as exposed. The tools below find them before or after that happens:

| Tool | Type | What It Detects |
|---|---|---|
| GitGuardian | Cloud + self-hosted | API keys, tokens, passwords across 300+ patterns |
| TruffleHog | Open-source | High-entropy strings + regex patterns |
| GitLeaks | Open-source | Regex-based secret detection |
| GitHub Secret Scanning | GitHub-native | Known partner patterns (AWS, Azure, GCP, GitHub tokens) |
```bash
# TruffleHog: scan the checked-out files and write JSON findings
trufflehog filesystem --json . > secrets-report.json
# GitLeaks: scan the repository (CI mode, JSON report)
gitleaks detect --source . --verbose --report-format json --report-path gitleaks-report.json
```

Note the difference in scope: TruffleHog's `filesystem` source looks only at the files currently on disk, whereas `gitleaks detect` on a git repository walks the commit history, so a secret that was committed and later deleted still shows up there.

Secret Remediation Process

1. Detect: a secret is found in source code (by a scanner, a provider alert, or a developer).
2. Contain: rotate the credential immediately. Anything pushed to a shared remote is compromised even if it was reverted minutes later, because clones, forks and CI caches already hold it.
3. Audit: review the credential's access logs for use by unauthorised parties during the exposure window.
4. Fix: remove it from git history (BFG Repo-Cleaner or git-filter-repo). This rewrites history and requires a force-push and fresh clones from everyone, which is why it follows rotation rather than replacing it.
5. Prevent: add a pre-commit hook that blocks commits containing secrets.
6. Educate: train the developer to read secrets from a vault or secrets manager at runtime instead of committing them.
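Added example, not from the page and not TruffleHog's or GitLeaks' code: a small Python pre-commit hook that combines the two detection techniques listed in the tool table above (known-format regexes for AWS and GitHub tokens, Shannon entropy for anonymous high-entropy strings) and scans the staged content of a commit, which is what step 5 of the remediation process calls for. The patterns, the 4.0 bits-per-character threshold, the hook wiring and the sample config text are my assumptions and constructed data; the sample credentials are not real.

```python
"""Pre-commit secret detector: known-format regexes plus Shannon-entropy screening.

Added example for illustration; not code from the page, TruffleHog or GitLeaks.
Patterns, threshold and the sample text below are constructed assumptions.
"""
import math
import re
import subprocess
import sys

# Known provider formats (documented public prefixes: AWS access key IDs start
# with AKIA, GitHub personal access tokens with ghp_).
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Entropy candidates: unbroken runs of token-like characters long enough to be a secret.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits/char (assumed); English identifiers sit well below this

# Constructed sample file. The key-like values are fabricated, not live credentials.
SAMPLE_SOURCE = '''# constructed sample config, not a real file
DB_HOST = "db.internal.example"
DB_PASSWORD = "correct horse battery staple"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_aB3dE5fG7hJ9kL1mN2pQ4rS6tU8vW0xYzC9d"
SESSION_SECRET = "aB3dE5fG7hJ9kL1mN2pQ4rS6tU8vW0xY"
feature_flag = some_long_identifier_name_here_for_config
'''


def shannon_entropy(s):
    """Shannon entropy of the character distribution of s, in bits per character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, path="<stdin>"):
    """Return findings as (path, line_no, rule, matched_text), format rules first,
    then high-entropy tokens not already explained by a format rule."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((path, line_no, rule, m.group(0)))
        for m in TOKEN_RE.finditer(line):
            token = m.group(0)
            if any(f[3] in token for f in findings if f[1] == line_no):
                continue  # already reported by a format rule
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((path, line_no, "high-entropy-string", token))
    return findings


def staged_files():
    """Paths added or modified in the index, i.e. what `git commit` is about to record."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=AM"],
                         check=True, capture_output=True, text=True).stdout
    return [p for p in out.splitlines() if p]


def main():
    """Hook entry point: scan staged blobs (not working-tree files) and block on any finding."""
    findings = []
    for path in staged_files():
        try:
            blob = subprocess.run(["git", "show", f":{path}"], check=True,
                                  capture_output=True, text=True, errors="replace").stdout
        except subprocess.CalledProcessError:
            continue  # e.g. a submodule entry, which has no blob to scan
        findings.extend(scan_text(blob, path))
    for path, line_no, rule, matched in findings:
        # Print only a prefix so the hook itself does not leak the secret into logs.
        print(f"{path}:{line_no}: {rule}: {matched[:6]}...", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Install it as an executable `.git/hooks/pre-commit` (or wire it into a hook framework). It reads each staged blob with `git show :path` rather than the file on disk, so partially staged changes are judged on what would actually be committed, and it prints only a prefix of each match so the hook does not reproduce the secret in terminal or CI output. Entropy screening alone is noisy (hashes, UUIDs and base64 assets all trip it), which is why the format rules run first and why any real deployment also needs an allow-list.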

Combined SCA + Secrets Pipeline

```yaml
security:
  stage: security
  script: |
    # SCA: `|| true` makes this step advisory only; drop it to let the
    # --severity-threshold exit code fail the job
    snyk test --all-projects --severity-threshold=high || true
    # Secret scanning: TruffleHog has no severity field to grep for;
    # --fail exits with code 183 when verified secrets are found, which fails the job
    trufflehog filesystem . --json --only-verified --fail > trufflehog-report.json
    # SBOM generation in CycloneDX JSON (plain `cyclonedx` emits XML)
    syft scan . -o cyclonedx-json > sbom.cdx.json
```