SCA & Secret Scanning
SCA — Software Composition Analysis
SCA scans open-source dependencies for known CVEs. This is the most actionable security testing category because remediation is straightforward: update the dependency.
```bash
# Snyk — scan and fix
snyk test --all-projects --severity-threshold=high
snyk fix --all-projects   # Auto-upgrade vulnerable dependencies
```
```yaml
# Dependabot configuration (.github/dependabot.yml)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 20
    labels:
      - "security"
      - "dependencies"
    reviewers:
      - "security-team"
```
Secret Scanning
Secrets in source code are a leading cause of credential compromise:
| Tool | Type | What It Detects |
|---|---|---|
| GitGuardian | Cloud + self-hosted | API keys, tokens, passwords across 300+ patterns |
| TruffleHog | Open-source | High-entropy strings + regex patterns |
| GitLeaks | Open-source | Regex-based secret detection |
| GitHub Secret Scanning | GitHub-native | Known partner patterns (AWS, Azure, GCP, GitHub tokens) |
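The table above lists two detection strategies: regex for credentials with a documented shape, and entropy for random-looking strings. The following is an added example, not code from the page or from any of the tools listed, that shows how the two arms complement each other: the regex arm catches an AWS key whose entropy is too low to stand out, the entropy arm catches an unstructured random value, and hex strings get their own lower threshold because a 16-symbol alphabet can never exceed 4 bits/char. The sample lines, thresholds, pattern set and `scan:allow` marker are assumptions.

```python
import math
import re

# Constructed sample source lines; none of these values is a live credential.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',                 # AWS documentation example key
    'github_token = "ghp_ConstructedExampleToken0123456789abc"', # made-up token in GitHub PAT shape
    'api_secret = "kQ3vZ8mB1xL7nR4pT0wJ9yH2cF6dG5sA"',            # made-up random-looking value
    'digest = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"',  # SHA-256 of ""
    'digest = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"  # scan:allow',
    'LOG_FORMAT = "%(asctime)s %(levelname)s %(message)s"',
]

# Regex arm: documented public prefixes of structured credentials.
PATTERNS = {
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "github_pat": re.compile(r"ghp_[A-Za-z0-9]{36}"),
}
# Entropy arm: per-alphabet thresholds in bits/char (assumed values). A hex string can
# never exceed log2(16) = 4 bits, so hex needs a lower bar than base64-style text.
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
HEX_TOKEN = re.compile(r"[0-9a-fA-F]{32,}")
BASE64_THRESHOLD, HEX_THRESHOLD = 4.5, 3.0
ALLOW_MARKER = "scan:allow"  # hypothetical inline suppression comment for reviewed false positives

def shannon_entropy(s: str) -> float:
    """Shannon entropy of the character distribution, in bits per character."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def scan_line(line: str) -> list[str]:
    """Return the reasons a line is flagged; [] when clean or explicitly allowed."""
    if ALLOW_MARKER in line:
        return []
    reasons = [f"regex:{name}" for name, rx in PATTERNS.items() if rx.search(line)]
    reasons += ["entropy:base64" for t in BASE64_TOKEN.findall(line)
                if shannon_entropy(t) > BASE64_THRESHOLD]
    reasons += ["entropy:hex" for t in HEX_TOKEN.findall(line)
                if shannon_entropy(t) > HEX_THRESHOLD]
    return reasons

def scan(lines: list[str]) -> dict[int, list[str]]:
    """Map 1-based line number to reasons, for flagged lines only."""
    return {i: r for i, line in enumerate(lines, 1) if (r := scan_line(line))}

if __name__ == "__main__":
    for lineno, reasons in scan(SAMPLE_LINES).items():
        print(f"line {lineno}: {', '.join(reasons)}")
```

Line 4 (a well-known digest) is the classic false positive that lockfiles and checksums produce; line 5 shows the reviewed-and-allowed form, which is why production tools support a baseline or inline allow marker.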
```bash
# TruffleHog scan
trufflehog filesystem --json . > secrets-report.json
```
```bash
# GitLeaks scan (CI mode)
gitleaks detect --source . --verbose --report-format json --report-path gitleaks-report.json
```
Secret Remediation Process
1. Detect: Secret found in source code
2. Contain: Rotate the compromised credential immediately
3. Audit: Check if the secret was accessed by unauthorised parties
4. Fix: Remove from git history (BFG Repo-Cleaner or git-filter-repo)
5. Prevent: Add pre-commit hook to block future commits with secrets
6. Educate: Train developer on using vault/secrets manager

Combined SCA + Secrets Pipeline
```yaml
security:
  stage: security
  script: |
    # SCA ("|| true" keeps the job green; remove it to make SCA findings block the pipeline)
    snyk test --all-projects || true

    # Secret scanning: TruffleHog JSON output has no severity field, so gate on verified findings
    trufflehog filesystem . --json > trufflehog-report.json
    if grep -q '"Verified":true' trufflehog-report.json; then exit 1; fi

    # SBOM generation
    syft packages . -o cyclonedx > sbom.cdx.json
```