Secret Scanning and Dependency Cheatsheet
Hands-on commands for the two highest-yield CI/CD checks: leaked secrets in source/history and vulnerable dependencies. Run against repos and pipelines you are authorised to assess.
Secret scanning (source + git history)
# gitleaks: scan working tree and full history
gitleaks detect --source . --report-format json --report-path gitleaks.json
gitleaks detect --source . --log-opts="--all" # all branches/history
# trufflehog: verified-secrets scanning of a repo or git history
trufflehog git https://github.com/org/repo --only-verified
trufflehog filesystem ./ --only-verified
# fast grep for obvious tokens / keys in CI config
grep -rIEn '(AKIA[0-9A-Z]{16}|ghp_[0-9A-Za-z]{36}|-----BEGIN [A-Z ]*PRIVATE KEY-----|xox[baprs]-)' .
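A small gate built around the same token regex, added here as an example (it is not part of the original cheatsheet and is not gitleaks or trufflehog code): it greps a directory, skips .git, prints each hit and returns non-zero so a CI or pre-commit step fails when anything matches. The sample tree it builds is constructed for the demo; the AKIA value is the placeholder access key from AWS documentation and the other values are obvious placeholders.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): a minimal CI gate around the
# token-pattern grep. POSIX sh; needs only grep, mktemp, wc and tr.

# Same patterns as the one-liner above: AWS access key id, GitHub PAT,
# PEM private-key header, Slack token prefixes.
SECRET_PATTERN='(AKIA[0-9A-Z]{16}|ghp_[0-9A-Za-z]{36}|-----BEGIN [A-Z ]*PRIVATE KEY-----|xox[baprs]-)'

# scan_dir DIR: print file:line:content for every match, skipping .git (history
# is gitleaks' job, and packed objects are compressed anyway) and binary files.
# Returns 1 when something matched so a pipeline step can fail on it.
scan_dir() {
    hits=$(grep -rIEn --exclude-dir=.git "$SECRET_PATTERN" "$1" 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# count_hits DIR: number of matching lines (0 when clean), for reports and tests.
count_hits() {
    grep -rIEn --exclude-dir=.git "$SECRET_PATTERN" "$1" 2>/dev/null | wc -l | tr -d ' '
}

# make_sample_repo: CONSTRUCTED sample tree with three planted hits and one
# decoy under .git that must be ignored. Prints the directory path.
make_sample_repo() {
    d=$(mktemp -d)
    mkdir -p "$d/.git" "$d/deploy"
    # AKIAIOSFODNN7EXAMPLE is the placeholder key from AWS documentation, not a live credential
    printf 'aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n' > "$d/deploy/config.ini"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER-NOT-A-REAL-KEY' \
        '-----END RSA PRIVATE KEY-----' > "$d/deploy/id_rsa"
    printf 'export SLACK_TOKEN=xoxb-0000-constructed-placeholder\n' > "$d/deploy/env.sh"
    printf 'No secrets here.\n' > "$d/README.md"
    printf 'AKIAIOSFODNN7EXAMPLE\n' > "$d/.git/decoy"   # skipped by --exclude-dir
    printf '%s\n' "$d"
}

# Demo: expect 3 hits and a non-zero status from the gate.
sample=$(make_sample_repo)
scan_dir "$sample" || echo "gate: $(count_hits "$sample") candidate secret(s); failing the job"
rm -rf "$sample"
```

In a pipeline, call `scan_dir "$GITHUB_WORKSPACE"` (or the equivalent checkout path on other CI systems) as an early step; the non-zero return fails the job before anything is built or published. Treat this as the fast first pass the cheatsheet describes: it only sees the working tree, so gitleaks or trufflehog still need to cover history and verify candidates.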
Also inspect CI environment and config for plaintext secrets and over-broad permissions:
# GitHub Actions: look for pull_request_target, dangerous run blocks, and hardcoded secrets
grep -rIn "pull_request_target\|secrets\.\|\${{" .github/workflows/
# GitLab CI / Jenkins / CircleCI
cat .gitlab-ci.yml Jenkinsfile .circleci/config.yml 2>/dev/null
Dependency / supply-chain checks
# language-native auditors
npm audit --production
pip-audit -r requirements.txt
osv-scanner -r . # multi-ecosystem (Google OSV)
trivy fs --scanners vuln,secret,misconfig .
# software bill of materials (SBOM)
syft dir:. -o cyclonedx-json > sbom.json
grype sbom:sbom.json # vulns from the SBOM
Container images in the pipeline
trivy image org/app:latest
grype org/app:latest
What to flag
- Long-lived cloud keys, tokens, or private keys committed anywhere in history (rotation needed, not just deletion).
- pull_request_target running untrusted PR code with access to secrets.
- Pipelines that run unpinned third-party actions/images (@main instead of a pinned SHA).
- Critical/High CVEs in direct dependencies with a fixed version available.
- Secrets passed as build args or echoed into logs.
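A workflow-hygiene check for three of the Actions findings above (a pull_request_target trigger, actions not pinned to a full commit SHA, and event data expanded inside the workflow), added here as an example rather than taken from the cheatsheet or from any of the referenced tools. It uses only grep and sed and runs against a constructed sample workflow; the action names and the SHA in that sample are placeholders.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): flag the GitHub Actions
# patterns listed above with plain grep/sed. POSIX sh.

# audit_workflow FILE: print one line per finding, prefixed with the file name.
audit_workflow() {
    f=$1
    # 1. pull_request_target runs with the base repository's secrets; if the job
    #    also checks out and runs the PR's code, that is the case to flag.
    if grep -qw 'pull_request_target' "$f"; then
        printf '%s: trigger: pull_request_target present, review checkout/run steps\n' "$f"
    fi
    # 2. uses: lines whose ref after '@' is not a 40-hex commit SHA (tags and
    #    branches such as @v4 or @main can be moved by the action's owner).
    grep -nE '^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*[^[:space:]]+@' "$f" \
        | grep -vE '@[0-9a-f]{40}([[:space:]]|$)' \
        | sed "s|^|$f: unpinned: |"
    # 3. ${{ github.event.* }} expanded into the workflow: PR/issue fields set by
    #    whoever opened them reaching a run: block is the script-injection sink
    #    the cheatsheet's "${{" grep is looking for.
    grep -nE '[$][{][{][^}]*github[.]event[.]' "$f" | sed "s|^|$f: event-data: |"
}

# count_findings FILE: number of finding lines (0 when clean).
count_findings() {
    audit_workflow "$1" | wc -l | tr -d ' '
}

# make_sample_workflow: CONSTRUCTED workflow with one of each problem plus one
# correctly pinned action. Prints the file path.
make_sample_workflow() {
    d=$(mktemp -d)
    cat > "$d/ci.yml" <<'EOF'
name: ci
on:
  pull_request_target:
    types: [opened]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - run: echo "${{ github.event.pull_request.title }}"
      - run: npm ci && npm test
        env:
          TOKEN: ${{ secrets.DEPLOY_TOKEN }}
EOF
    printf '%s\n' "$d/ci.yml"
}

# Demo: expect 4 findings (1 trigger, 2 unpinned, 1 event-data).
wf=$(make_sample_workflow)
audit_workflow "$wf"
echo "findings: $(count_findings "$wf")"
rm -rf "$(dirname "$wf")"
```

Run it over every file under .github/workflows/ (`for f in .github/workflows/*.yml; do audit_workflow "$f"; done`) and fail the job when `count_findings` is non-zero. The pinning check deliberately ignores local actions (`uses: ./...`, no `@`) and accepts only a full 40-character SHA, since a tag or branch can be retargeted after review.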
References
- gitleaks: https://github.com/gitleaks/gitleaks
- trufflehog: https://github.com/trufflesecurity/trufflehog
- OWASP Top 10 CI/CD Security Risks: https://owasp.org/www-project-top-10-ci-cd-security-risks/
- Trivy: https://trivy.dev/
- OSV-Scanner: https://google.github.io/osv-scanner/