Phase 2 Secrets & Dependency Scanning
Overview
Two tools are used to detect secrets and vulnerable dependencies across all repositories.
Gitleaks Secret Scanning
Gitleaks scans the full git history of each repository for accidentally committed secrets such as API keys, tokens, passwords, and credentials.
Repositories Scanned
| Repository | Commits Scanned | Secrets Found |
|---|---|---|
| aliQuest-frontend | 16 | None |
| aliQuest-backend | 3 | None |
Running Manually
Trivy Dependency Vulnerability Scanning
Trivy scans package-lock.json for known CVEs (Common Vulnerabilities and Exposures) in npm dependencies, filtering for HIGH and CRITICAL severity only.
Scan Results
| Repository | Dependencies Scanned | HIGH CVEs | CRITICAL CVEs |
|---|---|---|---|
| aliQuest-frontend | All npm deps | 0 | 0 |
Running Manually
```bash
docker run --rm -v /path/to/repo:/path ghcr.io/aquasecurity/trivy:latest fs /path --scanners vuln --severity HIGH,CRITICAL
```
Secret Management Policy
- Never commit `.env` files or any file containing credentials to any repository
- Use `.env.example` files with placeholder values for documentation
- All secrets are managed via GitHub Actions Secrets for CI/CD
- All runtime secrets in Kubernetes are managed via K8s Secrets (never in plain text in manifests)
- Developers must use `.gitignore` to exclude all local secret files
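The "never in plain text in manifests" rule can be checked mechanically before a manifest is applied. The script below is an added example, not part of the aliQuest repositories' tooling; the sample Deployment and the secret-looking env-name pattern are constructed assumptions.

```python
"""Flag container env entries whose name looks like a credential but whose
value is inline in the manifest (or sourced from a ConfigMap) instead of
being pulled from a Kubernetes Secret via valueFrom.secretKeyRef."""
import re

# Heuristic (assumption): env var names that conventionally hold credentials.
SECRET_NAME_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)


def find_plaintext_secrets(manifest):
    """Return (container name, env var name) pairs that violate the policy.
    Works on a Pod spec or on a Deployment/StatefulSet-style pod template."""
    findings = []
    spec = manifest.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)
    for container in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        for env in container.get("env", []):
            name = env.get("name", "")
            if not SECRET_NAME_RE.search(name):
                continue  # non-sensitive setting, plain values are fine
            if "value" in env:
                # Literal credential in the manifest: the exact thing the policy forbids.
                findings.append((container.get("name", "?"), name))
            elif "secretKeyRef" not in env.get("valueFrom", {}):
                # valueFrom exists but points at a ConfigMap or field, not a Secret.
                findings.append((container.get("name", "?"), name))
    return findings


# Constructed sample Deployment: one compliant credential, two violations, one benign var.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [{
        "name": "api",
        "env": [
            {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}},
            {"name": "JWT_SECRET", "value": "placeholder-hardcoded-value"},
            {"name": "API_TOKEN", "valueFrom": {"configMapKeyRef": {"name": "cfg", "key": "token"}}},
            {"name": "LOG_LEVEL", "value": "info"},
        ],
    }]}}},
}

if __name__ == "__main__":
    for container, var in find_plaintext_secrets(SAMPLE_DEPLOYMENT):
        print(f"container {container}: {var} is not sourced from a Kubernetes Secret")
```

Running it against manifests rendered from your charts or kustomize output gives a cheap pre-apply gate that complements the repository-level Gitleaks scan.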