Security Scanning for Bike4Mind
This document outlines our automated security scanning approach and how to interpret results.
Overview
We've implemented automated security scanning that runs weekly to identify potential security issues in our codebase, dependencies, and AWS infrastructure. The scanning includes:
- Static Application Security Testing (SAST) with Semgrep
- Dependency Scanning with npm/pnpm audit
- Dynamic Application Security Testing (DAST) with OWASP ZAP
- Infrastructure Scanning with Prowler (AWS) and Checkov (IaC)
- Secret Detection with Gitleaks
Running Scans
Scans run automatically every Sunday at midnight UTC. You can also trigger a manual scan:
- Go to GitHub Actions
- Select "Weekly Security Scan" workflow
- Click "Run workflow"
Local Setup for Developers
Secret Detection with Gitleaks
To prevent accidental secret commits, we use Gitleaks as a pre-commit hook. To set up:
# Run the installation script
bash install-hooks.sh
This script will:
- Install gitleaks if not already installed
- Configure git hooks to run before each commit
- Scan staged files for potential secrets
- Block commits that contain secrets
If you need to bypass the hook (for legitimate test data):
git commit --no-verify -m "your message"
Note that `--no-verify` only skips the local hook; the weekly workflow scans the repository anyway, so the same finding will come back there. For test data that has to stay in the tree, mark the line with a `gitleaks:allow` comment or add the finding's fingerprint to `.gitleaksignore` instead of bypassing the hook every time.
To scan your entire codebase for secrets:
# Use the review secrets script
./review-secrets.sh
Interpreting Results
Security scan results are uploaded as artifacts in the GitHub Actions run. Here's how to interpret them:
Gitleaks Results
Gitleaks identifies secrets and credentials in your code. Common findings include:
- API keys and tokens
- Database connection strings
- Private keys and certificates
- Passwords and credentials
- AWS access keys
When Gitleaks blocks your commit:
- Review the flagged content in your staged files
- Remove or replace the sensitive information
- Consider using SST Secrets or environment variables instead
- Commit again after removing the secrets
- If the value was already committed or pushed, treat it as exposed: rotate it first, then remove it. Deleting it from the working tree does not remove it from git history.
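The weekly workflow uploads the Gitleaks report as a JSON artifact, and the checklist above is easier to apply if someone turns that file into a short summary with secrets redacted. The script below is an added example for this page, not Bike4Mind's own tooling. It assumes the report is the array gitleaks writes with `--report-format json` (fields `RuleID`, `File`, `StartLine`, `Secret`, `Commit`, `Fingerprint`, `Description`) and that accepted test fixtures are listed by fingerprint, one per line, as in a `.gitleaksignore` file; the sample report and fingerprints are constructed.

```javascript
// Added example for this page (not Bike4Mind's own tooling): triage a
// gitleaks JSON report the way the checklist above describes.
// Assumptions: the report is the array gitleaks writes with
// `--report-format json` (fields RuleID, File, StartLine, Secret, Commit,
// Fingerprint, Description), and accepted test fixtures are listed by
// fingerprint, one per line, as in a .gitleaksignore file.

// Show only the edges of a secret so a reviewer can find it in the file
// without the full value landing in CI logs or tickets.
function redactSecret(secret) {
  if (typeof secret !== "string") return "";
  if (secret.length < 12) return "*".repeat(secret.length);
  return `${secret.slice(0, 4)}****${secret.slice(-4)}`;
}

// Split findings into blocking and ignored by fingerprint, and count blocking
// findings per rule so the summary says what kind of secret leaked.
function triageGitleaksReport(findings, ignoreLines = []) {
  const ignored = new Set(
    ignoreLines.map((l) => l.trim()).filter((l) => l && !l.startsWith("#"))
  );
  const result = { blocking: [], ignored: [], byRule: {} };
  for (const f of findings) {
    const item = {
      rule: f.RuleID,
      file: f.File,
      line: f.StartLine,
      commit: f.Commit || "",
      fingerprint: f.Fingerprint,
      secret: redactSecret(f.Secret), // never keep the raw value
    };
    if (ignored.has(f.Fingerprint)) {
      result.ignored.push(item);
    } else {
      result.blocking.push(item);
      result.byRule[f.RuleID] = (result.byRule[f.RuleID] || 0) + 1;
    }
  }
  result.exitCode = result.blocking.length > 0 ? 1 : 0;
  return result;
}

function formatSummary(t) {
  const lines = [`${t.blocking.length} blocking finding(s), ${t.ignored.length} ignored by fingerprint`];
  for (const [rule, n] of Object.entries(t.byRule).sort()) lines.push(`  ${rule}: ${n}`);
  for (const b of t.blocking) lines.push(`  ${b.file}:${b.line} [${b.rule}] ${b.secret}`);
  return lines.join("\n");
}

// Constructed sample report. The AWS key is the documentation example value
// AWS publishes, not a live credential; the commit hash is made up.
const SAMPLE_REPORT = [
  {
    Description: "AWS Access Key",
    RuleID: "aws-access-key-id",
    File: "src/config.js",
    StartLine: 12,
    Secret: "AKIAIOSFODNN7EXAMPLE",
    Commit: "3f2a9c1",
    Fingerprint: "3f2a9c1:src/config.js:aws-access-key-id:12",
  },
  {
    Description: "Generic API Key",
    RuleID: "generic-api-key",
    File: "test/fixtures/sample.env",
    StartLine: 3,
    Secret: "test_key_0123456789abcdef",
    Commit: "3f2a9c1",
    Fingerprint: "3f2a9c1:test/fixtures/sample.env:generic-api-key:3",
  },
  {
    Description: "Private Key",
    RuleID: "private-key",
    File: "scripts/deploy.sh",
    StartLine: 40,
    Secret: "-----BEGIN OPENSSH PRIVATE KEY-----",
    Commit: "3f2a9c1",
    Fingerprint: "3f2a9c1:scripts/deploy.sh:private-key:40",
  },
];

// Constructed .gitleaksignore: one fixture accepted after review; everything
// else stays blocking.
const SAMPLE_IGNORE = [
  "# accepted: dummy key used by the env loader tests",
  "3f2a9c1:test/fixtures/sample.env:generic-api-key:3",
];

if (typeof require !== "undefined" && process.argv[2]) {
  // Usage: node triage-gitleaks.js report.json [.gitleaksignore]
  const fs = require("node:fs");
  const report = JSON.parse(fs.readFileSync(process.argv[2], "utf8"));
  const ignore = process.argv[3] ? fs.readFileSync(process.argv[3], "utf8").split("\n") : [];
  const t = triageGitleaksReport(report, ignore);
  console.log(formatSummary(t));
  process.exit(t.exitCode);
} else {
  console.log(formatSummary(triageGitleaksReport(SAMPLE_REPORT, SAMPLE_IGNORE)));
}
```

Run it without arguments to see the constructed sample, or point it at a downloaded report (`node triage-gitleaks.js gitleaks-report.json .gitleaksignore`); the exit code is non-zero whenever a finding is not covered by an accepted fingerprint, which is what a CI gate wants.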
Semgrep Results
Semgrep identifies code patterns that might lead to security vulnerabilities. Focus on:
- SQL injection vulnerabilities
- Cross-site scripting (XSS) issues
- Insecure direct object references
- Command injection possibilities
npm/pnpm Audit Results
These identify vulnerabilities in dependencies. Prioritize:
- Critical and high severity issues
- Vulnerabilities in production dependencies
- Issues with available fixes
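The three priorities above can be applied mechanically to the audit JSON so the weekly artifact yields an ordered worklist rather than a wall of advisories. The following is an added example, not part of the project's tooling. It assumes the shape npm writes for `npm audit --json` (`auditReportVersion: 2`): `report.vulnerabilities[name]` carries `severity`, `isDirect`, `range` and `fixAvailable`, where `fixAvailable` is `true`, `false`, or an object `{ name, version, isSemVerMajor }` naming the top-level package that has to move. `pnpm audit --json` emits a different shape and would need its own reader. Production-only results come from running the audit with `--omit=dev` (npm) or `--prod` (pnpm) before feeding the file in; the sample report and package names are constructed.

```javascript
// Added example (not Bike4Mind's own tooling): rank `npm audit --json`
// findings by severity, fixability and directness. Assumes npm's
// auditReportVersion 2 shape; pnpm's JSON output differs.

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// Turn npm's fixAvailable value into the command a developer should run.
function describeFix(v) {
  if (v.fixAvailable === true) return "npm audit fix";
  if (v.fixAvailable && typeof v.fixAvailable === "object") {
    const f = v.fixAvailable;
    return f.isSemVerMajor
      ? `npm audit fix --force (major bump: ${f.name}@${f.version}, verify breaking changes)`
      : `npm audit fix (updates ${f.name}@${f.version})`;
  }
  return "no fix available: pin, replace, or document the accepted risk";
}

// Keep findings at or above minSeverity, then sort: severity first, fixable
// before unfixable, direct dependencies before transitive ones, then by name.
function prioritizeAudit(report, { minSeverity = "high" } = {}) {
  const threshold = SEVERITY_RANK[minSeverity];
  if (threshold === undefined) throw new Error(`unknown severity: ${minSeverity}`);
  return Object.values(report.vulnerabilities || {})
    .filter((v) => (SEVERITY_RANK[v.severity] ?? -1) >= threshold)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      isDirect: Boolean(v.isDirect),
      fixable: Boolean(v.fixAvailable),
      range: v.range,
      action: describeFix(v),
    }))
    .sort(
      (a, b) =>
        SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] ||
        Number(b.fixable) - Number(a.fixable) ||
        Number(b.isDirect) - Number(a.isDirect) ||
        a.name.localeCompare(b.name)
    );
}

function formatWorklist(items) {
  return items
    .map((i) => `${i.severity.toUpperCase().padEnd(8)} ${i.name} (${i.isDirect ? "direct" : "transitive"}, ${i.range}): ${i.action}`)
    .join("\n");
}

// Constructed sample in the auditReportVersion 2 shape; package names and
// ranges are made up for illustration.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-yaml-parser": {
      name: "example-yaml-parser", severity: "critical", isDirect: false,
      via: [{ title: "Prototype pollution", severity: "critical" }], range: "<2.1.0",
      fixAvailable: { name: "example-build-tool", version: "3.0.0", isSemVerMajor: true },
    },
    "example-http-client": {
      name: "example-http-client", severity: "high", isDirect: true,
      via: [{ title: "Header injection", severity: "high" }], range: "<1.4.2", fixAvailable: true,
    },
    "example-template-engine": {
      name: "example-template-engine", severity: "high", isDirect: false,
      via: [{ title: "Sandbox escape", severity: "high" }], range: "*", fixAvailable: false,
    },
    "example-archive-lib": {
      name: "example-archive-lib", severity: "moderate", isDirect: false,
      via: [{ title: "Path traversal", severity: "moderate" }], range: "<6.1.9", fixAvailable: true,
    },
    "example-logger": {
      name: "example-logger", severity: "low", isDirect: true,
      via: [{ title: "ReDoS", severity: "low" }], range: "<4.3.1", fixAvailable: false,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 1, high: 2, critical: 1, total: 5 } },
};

if (typeof require !== "undefined" && process.argv[2]) {
  // Usage: node prioritize-audit.js audit.json [minSeverity]
  const fs = require("node:fs");
  const report = JSON.parse(fs.readFileSync(process.argv[2], "utf8"));
  console.log(formatWorklist(prioritizeAudit(report, { minSeverity: process.argv[3] || "high" })));
} else {
  console.log(formatWorklist(prioritizeAudit(SAMPLE_AUDIT)));
}
```

On the constructed sample the critical transitive finding comes first even though fixing it needs a major bump, then the fixable direct high, then the high with no fix, which is the one that needs a ticket rather than a command.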
OWASP ZAP Results
ZAP identifies runtime vulnerabilities in the application. Look for:
- Authentication and session management issues
- API vulnerabilities
- Cross-site scripting or CSRF issues
AWS Infrastructure (Prowler)
Prowler identifies AWS configuration issues. Key areas:
- S3 bucket permissions and encryption
- IAM role permissions (least privilege)
- Lambda function configurations
- CloudFront settings
- Secrets management
IaC (Checkov)
Checkov identifies issues in our infrastructure-as-code. Focus on:
- Resource configurations that deviate from best practices
- Permissions and access control issues
- Encryption settings
Remediation Process
- Triage: Review findings and determine severity
- Fix Critical Issues: Address high-impact findings immediately
- Track: Create tickets for medium/low issues
- Verify: Run scans again after fixes to confirm resolution
False Positives
If you identify false positives:
- For Gitleaks: update your commit to remove the false detection; for legitimate test data, add a `gitleaks:allow` comment on the line or the finding's fingerprint to `.gitleaksignore`, and use `--no-verify` only as a last resort
- For Semgrep: add the path to `.semgrepignore`, add a `// nosemgrep: <rule-id>` comment on the flagged line, or create rule exceptions
- For Prowler: document the exception in comments with a justification (Prowler also accepts a mutelist file for findings that have been reviewed and accepted)
- For Checkov: add `#checkov:skip=CKV_AWS_123:Reason for exception` in the code, replacing `CKV_AWS_123` with the check ID from the report and giving a reason a reviewer can verify
Best Practices for Secret Management
Instead of hardcoding secrets:
- Use SST Secrets: `secrets.VARIABLE_NAME`
- Use environment variables: `process.env.VARIABLE_NAME`
- For client-side code, create API endpoints instead of using keys directly; anything shipped in the browser bundle can be read by every user
- Remove test/example secrets before committing
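The third point is the one that most often gets reintroduced, so here is the pattern spelled out in working code. This is an added example, not Bike4Mind's own code: the key is read from the environment on the server (it could equally come from the SST secret binding above), the browser only ever calls our own endpoint, and the handler forwards an allowlisted request and returns an allowlisted response so the key cannot leak through an error message or an echoed payload. The names `UPSTREAM_API_KEY`, `UPSTREAM_URL` and `/api/summarize` are assumptions for illustration, and the fake upstream in the demo run is constructed.

```javascript
// Added example (not Bike4Mind's own code): keep a third-party API key behind
// a server-side endpoint instead of shipping it to the browser.
// Assumed names: UPSTREAM_API_KEY, UPSTREAM_URL, POST /api/summarize.

// What the scanners flag. A key in client code is readable by anyone who
// opens DevTools or the bundle, and Gitleaks will block the commit:
//   const UPSTREAM_API_KEY = "sk-live-...";   // hardcoded in client code
//   fetch("https://api.example.com/v1/summarize", {
//     headers: { Authorization: `Bearer ${UPSTREAM_API_KEY}` }, ...
//   });

const MAX_TEXT_LENGTH = 4000;

function reply(statusCode, payload) {
  return { statusCode, headers: { "Content-Type": "application/json" }, body: JSON.stringify(payload) };
}

// Validate the caller's JSON body and build the upstream request. Pure, so it
// is testable without a network; the key never appears in any error text.
function buildUpstreamRequest(env, event) {
  const apiKey = env.UPSTREAM_API_KEY;
  const url = env.UPSTREAM_URL;
  if (!apiKey || !url) {
    return { ok: false, response: reply(500, { error: "server misconfigured" }) };
  }
  let body;
  try {
    body = JSON.parse(event.body || "");
  } catch {
    return { ok: false, response: reply(400, { error: "invalid JSON" }) };
  }
  if (typeof body.text !== "string" || body.text.length === 0 || body.text.length > MAX_TEXT_LENGTH) {
    return { ok: false, response: reply(400, { error: `text must be a non-empty string of at most ${MAX_TEXT_LENGTH} chars` }) };
  }
  return {
    ok: true,
    request: {
      url,
      method: "POST",
      headers: { Authorization: `Bearer ${apiKey}`, "Content-Type": "application/json" },
      body: JSON.stringify({ text: body.text }), // only the allowlisted field is forwarded
    },
  };
}

// Return an explicit allowlist of fields from the upstream answer, so upstream
// headers, request echoes or error payloads are never relayed verbatim.
function shapeUpstreamResponse(upstreamStatus, upstreamJson) {
  if (upstreamStatus !== 200 || typeof upstreamJson?.summary !== "string") {
    return reply(502, { error: "upstream request failed" });
  }
  return reply(200, { summary: upstreamJson.summary });
}

// Lambda-style handler for POST /api/summarize. fetchImpl is injectable so the
// handler can be exercised against a fake upstream.
function createHandler(env = process.env, fetchImpl = globalThis.fetch) {
  return async (event) => {
    const built = buildUpstreamRequest(env, event);
    if (!built.ok) return built.response;
    const res = await fetchImpl(built.request.url, built.request);
    const json = await res.json().catch(() => null);
    return shapeUpstreamResponse(res.status, json);
  };
}

// Demo run against a constructed upstream that echoes the bearer token back in
// a debug field, which the handler must strip before answering the browser.
const DEMO_ENV = { UPSTREAM_API_KEY: "demo-key-not-real", UPSTREAM_URL: "https://upstream.example/v1/summarize" };
const fakeFetch = async (url, req) => ({
  status: 200,
  json: async () => ({ summary: "three bullet points", debug: { authHeader: req.headers.Authorization } }),
});
createHandler(DEMO_ENV, fakeFetch)({ body: JSON.stringify({ text: "long document text" }) })
  .then((r) => console.log(r.statusCode, r.body)); // 200 {"summary":"three bullet points"}
```

Wire `createHandler()` up as the function behind the route, and keep `buildUpstreamRequest` and `shapeUpstreamResponse` pure so tests can assert that no response body ever contains the key; the demo upstream deliberately echoes the token to show the response shaping doing its job.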
Questions?
Contact the security team or engineering leads with questions about scan results or remediation steps.