Priority: CRITICAL - Implement Immediately
Secret scanning is the most critical security measure to prevent accidental exposure of credentials, API keys, and sensitive configuration data.
Overview
Implement comprehensive secret scanning at multiple stages of the development lifecycle to ensure no sensitive data is ever committed to the repository.
Current Risk
- Tesla API credentials could be accidentally committed
- TAK server configuration details might be exposed
- No automated detection of secrets in code or configuration files
Implementation Requirements
1. Trivy Secret Scanning in CI/CD
Add to .github/workflows/security-scan.yml:
```yaml
name: Secret Security Scan
on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 */6 * * *' # Every 6 hours for continuous monitoring
jobs:
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Full history for comprehensive scanning
      - name: Run Trivy secret scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-secrets.sarif'
          severity: 'CRITICAL,HIGH,MEDIUM' # Secrets are always critical
          exit-code: '1' # Fail the build on any secret found
          scanners: 'secret'
          skip-dirs: 'node_modules,venv,.git'
      - name: Upload results to GitHub Security
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-secrets.sarif'
          category: 'secret-scanning'
```
2. Pre-commit Hooks for Local Protection
Create .pre-commit-config.yaml:
```yaml
repos:
  # Detect secrets before commit
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets
        args: ['--baseline', '.secrets.baseline']
        exclude: '^(\.secrets\.baseline|\.trivyignore)$'
  # Additional protection
  - repo: https://github.com/zricethezav/gitleaks
    rev: v8.18.0
    hooks:
      - id: gitleaks
```
3. Secret Patterns Configuration
Create .gitleaksignore (note: gitleaks reads TOML rule definitions of this form from .gitleaks.toml in the repository root or from the path passed with --config; a .gitleaksignore file holds only fingerprints of findings to suppress, so the rules below need to live in .gitleaks.toml to take effect):
```toml
[extend]
# Custom patterns for Tesla and TAK specific secrets
useDefault = true

[[rules]]
id = "tesla-refresh-token"
description = "Tesla Refresh Token"
regex = '''(?i)(tesla[_-]?refresh[_-]?token)['"]?\s*[:=]\s*['"]?([a-zA-Z0-9_-]{20,})'''
secretGroup = 2

[[rules]]
id = "tak-server-config"
description = "TAK Server Configuration"
regex = '''(?i)(tak[_-]?server|cot[_-]?url)['"]?\s*[:=]\s*['"]?(tcp://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:[0-9]+)'''
secretGroup = 2

[[rules]]
id = "vehicle-vin"
description = "Vehicle VIN"
regex = '''(?i)(vin|vehicle[_-]?id)['"]?\s*[:=]\s*['"]?([A-HJ-NPR-Z0-9]{17})'''
secretGroup = 2
```
4. Baseline Configuration
Initialize the baseline so that existing findings are recorded and audited once rather than re-flagged on every commit:
```bash
# Generate initial baseline
detect-secrets scan --baseline .secrets.baseline
# Audit the baseline
detect-secrets audit .secrets.baseline
```
5. GitHub Native Secret Scanning
- Enable GitHub secret scanning in repository settings
- Configure push protection to block commits with secrets
- Set up custom patterns for Tesla/TAK specific secrets
6. Documentation Requirements
Create docs/SECURITY.md:
````markdown
# Security Policy

## Secret Management

### What is Considered a Secret?
- Tesla API tokens and refresh tokens
- TAK server URLs with authentication
- Vehicle VINs and identifiers
- Any API keys or passwords
- SSL/TLS certificates and keys

### If You Find a Secret
1. Do NOT commit it
2. If accidentally committed:
   - Immediately revoke the credential
   - Remove from history using BFG Repo-Cleaner
   - Open a security issue (privately)

### Using the Secret Scanner
Before committing:
```bash
# Install pre-commit hooks
pip install pre-commit detect-secrets
pre-commit install
# Manually scan
detect-secrets scan
```
````
7. Emergency Response Plan
If secrets are detected:
- Immediate Actions:
  - Fail the CI/CD pipeline
  - Send alert to repository maintainers
  - Create automated issue (if in main branch)
- Remediation Steps:
  - Revoke exposed credentials
  - Audit access logs
  - Update credentials
  - Document incident
8. Testing Requirements
- Test with known secret patterns
- Verify CI/CD fails appropriately
- Confirm pre-commit hooks block commits
- Validate custom patterns work
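The custom rule regexes from section 3 and the "Validate custom patterns work" item above can be exercised locally before the rules go into CI. The script below is an added example, not code from this project or from gitleaks: it copies the three rule regexes verbatim, runs them over a constructed sample configuration (every value is a placeholder, and the `scan_text`, `redact` and `exit_code` names are this example's own), and redacts the captured group so findings can be logged without re-exposing the value. Python's `re` stands in for gitleaks' Go regex engine; these three patterns use only constructs both engines support.

```python
"""Exercise the issue's custom gitleaks rules against constructed sample lines.

Added example, not the project's code. The sample configuration is constructed
and every value in it is a placeholder.
"""
import re

# Rule regexes copied verbatim from the gitleaks TOML in section 3; the second
# tuple element mirrors the TOML `secretGroup` (which capture group is the secret).
RULES = {
    "tesla-refresh-token": (
        r"""(?i)(tesla[_-]?refresh[_-]?token)['"]?\s*[:=]\s*['"]?([a-zA-Z0-9_-]{20,})""",
        2,
    ),
    "tak-server-config": (
        r"""(?i)(tak[_-]?server|cot[_-]?url)['"]?\s*[:=]\s*['"]?(tcp://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:[0-9]+)""",
        2,
    ),
    "vehicle-vin": (
        r"""(?i)(vin|vehicle[_-]?id)['"]?\s*[:=]\s*['"]?([A-HJ-NPR-Z0-9]{17})""",
        2,
    ),
}

COMPILED = {rule_id: (re.compile(rx), grp) for rule_id, (rx, grp) in RULES.items()}

# Constructed sample file (placeholders only). Lines 1, 4, 5, 6, 7 should each
# trigger one rule; lines 2 and 3 are deliberate negatives: a key whose name
# merely contains the secret name, and an env-var reference with no literal value.
SAMPLE_CONFIG = """\
TESLA_REFRESH_TOKEN = "EXAMPLEconstructedRefreshToken0001"
tesla_refresh_token_url = "https://example.com/oauth/token"
TESLA_REFRESH_TOKEN=${TESLA_REFRESH_TOKEN}
tak_server: tcp://192.0.2.10:8087
cot_url = "tcp://198.51.100.7:8089"
vin = "1EXAMPLEVN0000001"
vehicle_id: 1EXAMPLEVN0000001
"""


def redact(secret, keep=4):
    """Keep a short prefix so a finding can be logged without re-exposing it."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan_text(text):
    """Return (line_no, rule_id, redacted_secret) for every rule match in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule_id, (pattern, group) in COMPILED.items():
            for match in pattern.finditer(line):
                findings.append((line_no, rule_id, redact(match.group(group))))
    return findings


def exit_code(text):
    """Mirror the CI policy from section 1: any finding fails the run (exit 1)."""
    return 1 if scan_text(text) else 0


if __name__ == "__main__":
    for line_no, rule_id, secret in scan_text(SAMPLE_CONFIG):
        print(f"line {line_no}: {rule_id}: {secret}")
    raise SystemExit(exit_code(SAMPLE_CONFIG))
```

The two negative lines matter as much as the positives: they show that the patterns only fire on an assignment of a literal value, not on a key that happens to contain the secret's name or on a `${VAR}` reference. When a rule is changed, extend the sample with both kinds of line so that a loss of precision surfaces alongside a missed secret.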
9. Success Criteria
- Zero secrets in repository history
- All commits scanned before merge
- Pre-commit hooks active for all developers
- Clear documentation and training
- Automated alerts configured
- Monthly security report showing zero secrets
10. Monitoring and Maintenance
- Weekly review of secret scanning alerts
- Monthly update of secret patterns
- Quarterly review of baseline
- Annual security training update