How to Grade Your GitHub Repo's Security Before Someone Else Does
Most developers think security reviews are something you do before a big launch, or when you join a bigger company with a security team.
The reality: if your repo is public (or even if it's private and gets leaked), the security gaps are already there. You just haven't looked.
Here's a practical checklist you can run on any GitHub repo right now.
1. Secrets in Code
The most common (and most embarrassing) vulnerability.
# Install trufflehog (v3, the Go rewrite; the `trufflehog` package on PyPI is the old v2 with a different CLI)
brew install trufflehog
# or run it from its image without installing anything
docker run --rm -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest git file:///pwd --only-verified
# Scan the repo, full git history included; --only-verified keeps only credentials that still work against their provider (drop it to also see unverified candidates)
trufflehog git file://./your-repo --only-verified
Or with gitleaks:
# Install
brew install gitleaks # Mac
# or
docker run -v $(pwd):/path zricethezav/gitleaks:latest detect --source /path
# Run (detect scans the whole git history by default, not just the checked-out files)
gitleaks detect --source .
What you're looking for:
- API keys committed in .env files
- AWS/GCP credentials in config files
- Database passwords in hardcoded strings
Fix: Add to .gitignore before it's a problem. If a scanner already found something, .gitignore alone is not the fix: the value is in the history of every clone, so rotate the credential first, then purge it from history (for example with git filter-repo) and force-push.
# .gitignore essentials
.env
.env.local
*.pem
*_rsa
config/secrets.yml
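What the scanners above are actually doing is worth seeing once, because it explains their false positives and why a .gitignore entry does nothing for a value that is already committed. The following is an added example written for this post, not code from the post, trufflehog or gitleaks: a small Python scanner with the three rule types those tools use, fixed-format patterns, user:password@ credentials inside connection URLs, and a Shannon-entropy check on assignments whose name suggests a secret. The file contents are constructed; the AWS pair is the placeholder pair from the AWS documentation and the JWT value is sha256("test") in hex, so nothing here is a live credential.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Fixed-format credentials. Constructed for this example; gitleaks/trufflehog ship
# far larger rule sets, but the rules have the same shape.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # user:password@ inside a connection URL (the "database password in a string" case)
    "url-credentials": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@"),
}

# Generic case: NAME=value or NAME: "value" where NAME smells like a secret and the
# value is a token-like string. Decided by entropy rather than by format.
ASSIGNMENT = re.compile(
    r"(?i)\b([a-z0-9_]*(?:secret|password|passwd|token|api_?key|private_?key)[a-z0-9_]*)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{8,})"
)
PLACEHOLDER_WORDS = ("changeme", "placeholder", "your_", "your-", "xxxx", "todo")


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str


def shannon_entropy(s: str) -> float:
    """Bits per character; random base64/hex material scores well above words or passwords."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_placeholder(value: str) -> bool:
    v = value.lower()
    return any(w in v for w in PLACEHOLDER_WORDS)


def scan_lines(path: str, lines, entropy_threshold: float = 3.5):
    """Return Findings for one file. Specific rules win: the entropy rule only runs
    on lines no fixed-format rule matched, so a line yields at most one finding."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        hit = False
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, rule, line.strip()))
                hit = True
        if hit:
            continue
        m = ASSIGNMENT.search(line)
        if m:
            value = m.group(2)
            if shannon_entropy(value) >= entropy_threshold and not looks_like_placeholder(value):
                findings.append(Finding(path, line_no, "high-entropy-secret", line.strip()))
    return findings


def scan_files(files: dict) -> list:
    """files maps path -> list of lines (what you would read from the working tree)."""
    out = []
    for path, lines in files.items():
        out.extend(scan_lines(path, lines))
    return out


# Constructed sample repo contents. The AWS pair is the documented AWS example
# pair and the JWT secret is sha256("test") as hex; none of these are live credentials.
SAMPLE_FILES = {
    ".env": [
        "DATABASE_URL=postgres://app:hunter2@db:5432/app",
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "STRIPE_SECRET=sk_test_placeholder",
        "JWT_SECRET=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    ],
    "config/settings.py": [
        "DEBUG = True",
        'API_TOKEN = "changeme"',
        'SLACK_TOKEN = os.environ.get("SLACK_TOKEN")',
    ],
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.snippet}")
```

To run it on a real checkout, replace SAMPLE_FILES with the files from git ls-files read line by line; to cover history the way trufflehog does, feed it the added lines of git log -p instead. The 3.5-bit threshold is the tuning knob: random hex sits around 3.8 to 4.0 bits, random base64 higher, and words or typical passwords well below, which is why the placeholder list exists for the token-shaped strings that are not secrets.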
2. Dependency Vulnerabilities
# Node.js
npm audit
npm audit fix
# Python
pip install safety
safety check
# Ruby
bundle audit check --update
Real output from npm audit:
found 3 vulnerabilities (1 moderate, 2 high)
Run `npm audit fix` to fix 1 of 3 vulnerabilities.
2 vulnerabilities require manual review. See the full report for details.
Don't ignore the "manual review" ones: those are usually the findings npm audit fix can't apply safely, either a fix that needs a semver-major upgrade (npm audit fix --force will do it, breaking changes included) or no fixed version at all, and they are often the critical ones.
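A useful follow-on to the output above is to make that distinction machine-readable. The block below is an added example, not from the post and not an npm feature: it reads `npm audit --json` (auditReportVersion 2, the format npm 7 and later emit), splits findings into what plain `npm audit fix` can apply and what needs a human, and exits non-zero at or above a chosen severity so it can gate CI. The JSON sample is constructed with placeholder package names; the three `fixAvailable` shapes (true, false, or an object flagging a semver-major upgrade) are the ones npm actually emits.

```python
import json
import sys
from collections import Counter

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def load_report(text: str) -> dict:
    report = json.loads(text)
    if report.get("auditReportVersion") != 2:
        raise ValueError("expected npm 7+ audit JSON (auditReportVersion 2)")
    return report


def summarize(report: dict, fail_on: str = "high") -> dict:
    """Split findings by what `npm audit fix` can do and decide the gate.

    fixAvailable is true (plain `npm audit fix` resolves it), false (no fixed
    version published) or an object naming a semver-major upgrade, which
    `npm audit fix` refuses to apply without --force."""
    counts = Counter()
    auto_fixable, manual = [], []
    for name, vuln in report["vulnerabilities"].items():
        sev = vuln["severity"]
        counts[sev] += 1
        fix = vuln.get("fixAvailable", False)
        if fix is True:
            auto_fixable.append((name, sev, "npm audit fix"))
        elif isinstance(fix, dict):
            action = f"upgrade {fix['name']} to {fix['version']}"
            if fix.get("isSemVerMajor"):
                action += " (semver-major: review breaking changes, then `npm audit fix --force` or bump by hand)"
            manual.append((name, sev, action))
        else:
            manual.append((name, sev, "no fixed version: replace the package or accept the risk explicitly"))
    threshold = SEVERITY_RANK[fail_on]
    ok = not any(SEVERITY_RANK[s] >= threshold for s in counts.elements())
    return {"counts": counts, "auto_fixable": auto_fixable, "manual": manual, "ok": ok}


# Constructed sample in the shape of `npm audit --json`; package names, versions
# and advisory text are placeholders, not real advisories. It mirrors the post's
# "3 vulnerabilities (1 moderate, 2 high), 1 auto-fixable, 2 need manual review".
SAMPLE_AUDIT_JSON = """
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "pkg-a": {"name": "pkg-a", "severity": "moderate", "isDirect": false,
              "via": [{"title": "constructed advisory"}], "range": "<1.2.0",
              "fixAvailable": true},
    "pkg-b": {"name": "pkg-b", "severity": "high", "isDirect": true,
              "via": [{"title": "constructed advisory"}], "range": "<5.0.0",
              "fixAvailable": {"name": "pkg-b", "version": "5.0.0", "isSemVerMajor": true}},
    "pkg-c": {"name": "pkg-c", "severity": "high", "isDirect": false,
              "via": [{"title": "constructed advisory"}], "range": "*",
              "fixAvailable": false}
  },
  "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 2, "critical": 0, "total": 3}}
}
"""

if __name__ == "__main__":
    # Usage: npm audit --json | python audit_gate.py   (falls back to the sample when run bare)
    text = SAMPLE_AUDIT_JSON if sys.stdin.isatty() else sys.stdin.read()
    result = summarize(load_report(text), fail_on="high")
    print("counts:", dict(result["counts"]))
    for name, sev, action in result["auto_fixable"]:
        print(f"AUTO   {sev:<8} {name}: {action}")
    for name, sev, action in result["manual"]:
        print(f"MANUAL {sev:<8} {name}: {action}")
    sys.exit(0 if result["ok"] else 1)
```

Note that `npm audit` itself already exits non-zero when it finds anything; the point of the gate is to choose the severity you fail on and to print, for each manual item, the concrete next step instead of "see the full report".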
3. CI/CD Security
Check your GitHub Actions workflows:
grep -nE "curl|wget|\| *(ba)?sh|bash <" .github/workflows/*.y*ml
Red flags:
- Downloading scripts from the internet and running them directly
- GITHUB_TOKEN with write permissions you don't need (no top-level permissions: block means the repository default, which may be read/write)
- Secrets printed to logs with echo $SECRET (GitHub masks exact matches of registered secrets in the log, but not transformed copies of them)
# Bad
- run: curl https://some-site.com/install.sh | bash
# Good: download, compare against a checksum you recorded from a trusted source, then run.
# Printing the checksum without comparing it verifies nothing; sha256sum -c does the comparison and fails the step on mismatch.
- run: |
    curl -fsSL https://some-site.com/install.sh -o install.sh
    echo "<expected-sha256>  install.sh" | sha256sum -c -
    bash install.sh
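Grepping for curl catches the first red flag but not the other two. The script below is an added example, not part of the post or of any GitHub tooling, that does a line-based lint of a workflow file for all three, plus one check the post does not list but that belongs in the same pass: actions referenced by a mutable tag instead of a commit SHA. Both workflows are constructed (the install URL is a placeholder, and the hardened pin is an all-zero placeholder SHA, not a real commit).

```python
import re

# Constructed workflow with the red flags the post lists. The URL is a placeholder;
# actions/checkout@v4 is a real action used only to show a tag pin.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install tool
        run: curl -fsSL https://example.com/install.sh | bash
      - name: Debug
        run: echo "deploy token is ${{ secrets.DEPLOY_TOKEN }}"
      - name: Test
        run: npm ci && npm test
"""

# Same workflow hardened: least-privilege token, action pinned to a commit SHA
# (all-zero placeholder SHA, constructed), download verified before execution,
# no secret material echoed.
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v4, placeholder SHA
      - name: Install tool
        run: |
          curl -fsSL https://example.com/install.sh -o install.sh
          echo "<expected-sha256>  install.sh" | sha256sum -c -
          bash install.sh
      - name: Test
        run: npm ci && npm test
"""

USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")
SECRET_ECHO = re.compile(r"\becho\b.*(?:\$\{\{\s*secrets\.|\$[A-Za-z_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|KEY)\b)")
PERMISSIONS = re.compile(r"^\s*permissions:\s*(\S*)")
SHA_PIN = re.compile(r"[0-9a-f]{40}")


def lint_workflow(text: str):
    """Line-based check of one workflow file; returns (line_no, rule, detail) tuples.
    It deliberately avoids a YAML parser so it runs anywhere, at the cost of not
    understanding anchors, odd quoting, or a '#' inside a quoted string."""
    findings = []
    saw_permissions = False
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.split("#", 1)[0]  # drop trailing comments
        m = USES.match(stripped)
        if m:
            action = m.group(1)
            if not action.startswith(("./", "docker://")):
                ref = action.rsplit("@", 1)[1] if "@" in action else ""
                if not SHA_PIN.fullmatch(ref):
                    findings.append((line_no, "unpinned-action", f"{action} is pinned to a mutable ref, use a commit SHA"))
        if PIPE_TO_SHELL.search(stripped):
            findings.append((line_no, "pipe-to-shell", "remote script executed without verification"))
        if SECRET_ECHO.search(stripped):
            findings.append((line_no, "secret-in-log", "secret value written to the job log"))
        m = PERMISSIONS.match(stripped)
        if m:
            saw_permissions = True
            if m.group(1) == "write-all":
                findings.append((line_no, "broad-permissions", "GITHUB_TOKEN granted write-all"))
    if not saw_permissions:
        findings.append((0, "missing-permissions", "no permissions block: GITHUB_TOKEN gets the repository default"))
    return findings


if __name__ == "__main__":
    for label, wf in (("sample", SAMPLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {label}")
        for line_no, rule, detail in lint_workflow(wf):
            print(f"  line {line_no}: {rule}: {detail}")
```

Run it over every file in .github/workflows; the sample produces four findings and the hardened copy none. The SHA pin matters for the same reason the checksum does: a tag like v4 can be moved to point at different code, a commit SHA cannot.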
4. Docker Image Security
# Install trivy
brew install trivy # Mac
# or run it from its own image; it needs the Docker socket mounted to see images in your local daemon
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image your-image:latest
# Scan your image (add --severity HIGH,CRITICAL to cut the noise on a first pass)
trivy image your-image:latest
Also check your Dockerfile:
# Bad: running as root
FROM node:18
COPY . .
CMD ["node", "server.js"]
# Good: create a non-root user and switch to it (addgroup/adduser --system is Debian syntax; node:18-alpine uses addgroup -S / adduser -S)
FROM node:18
RUN addgroup --system appgroup && adduser --system appuser --ingroup appgroup
WORKDIR /app
USER appuser
# everything after USER, including later RUN steps and the CMD, runs as appuser
COPY --chown=appuser:appgroup . .
CMD ["node", "server.js"]
5. Environment Variables
# List env vars whose value is inlined in the pod spec (a literal value lives in the manifest, so in git, and in any `kubectl get pods` output); secretKeyRef entries are skipped
kubectl get pods -A -o json | jq -r '.items[].spec.containers[].env[]? | select(.value != null) | "\(.name)=\(.value)"'
# Or check docker inspect: Config.Env is readable by anyone who can inspect the container
docker inspect --format '{{json .Config.Env}}' <container>
Either way, prefer valueFrom.secretKeyRef or a Secret mounted as a file over a literal value, and remember that kubectl exec ... env and docker inspect still show the resolved value to anyone who holds that access.
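Grep output is hard to act on when a pod has twenty env entries. The block below is an added example, not from the post, that walks the JSON from `kubectl get pods -o json` and from `docker inspect` and reports only env vars whose name looks like a credential and whose value is inlined (or, for Kubernetes, sourced from something other than a Secret). Both inputs are constructed samples in the shape of those commands' output, and the secret-name heuristic is an assumption you would tune to your naming conventions.

```python
import re
from dataclasses import dataclass

# Names that usually carry credentials. Heuristic, constructed for this example.
SECRET_NAME = re.compile(r"(?i)(secret|password|passwd|token|api_?key|private_?key|credential)")


@dataclass
class EnvFinding:
    where: str   # namespace/pod/container, or the docker container name
    name: str
    issue: str


def audit_pod_env(pod_list: dict):
    """Walk `kubectl get pods -o json` output. A literal `value` on a secret-looking
    name means the secret lives in the manifest (and so in git and in every
    `kubectl get pods -o yaml`); a secretKeyRef at least keeps it in a Secret object."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        for container in pod["spec"].get("containers", []):
            where = f"{meta.get('namespace', 'default')}/{meta['name']}/{container['name']}"
            for env in container.get("env", []) or []:
                name = env["name"]
                if not SECRET_NAME.search(name):
                    continue
                if "value" in env:
                    findings.append(EnvFinding(where, name, "secret-looking name with literal value in pod spec"))
                elif "valueFrom" in env and "secretKeyRef" not in env["valueFrom"]:
                    src = next(iter(env["valueFrom"]), "unknown")
                    findings.append(EnvFinding(where, name, f"secret-looking name sourced from {src}, not a Secret"))
    return findings


def audit_docker_env(inspect_output: list):
    """Walk `docker inspect` output; Config.Env is a list of NAME=value strings,
    readable by anyone who can run docker inspect on the host."""
    findings = []
    for container in inspect_output:
        ident = container.get("Name") or container.get("Id", "?")
        for entry in container.get("Config", {}).get("Env", []) or []:
            name, _, value = entry.partition("=")
            if value and SECRET_NAME.search(name):
                findings.append(EnvFinding(ident, name, "secret-looking name with literal value in container config"))
    return findings


# Constructed samples shaped like the two commands' output.
SAMPLE_PODS = {"items": [{
    "metadata": {"name": "api-7d9f", "namespace": "prod"},
    "spec": {"containers": [{
        "name": "api",
        "env": [
            {"name": "LOG_LEVEL", "value": "info"},
            {"name": "DB_PASSWORD", "value": "hunter2"},
            {"name": "API_TOKEN", "valueFrom": {"secretKeyRef": {"name": "api-secrets", "key": "token"}}},
            {"name": "SMTP_PASSWORD", "valueFrom": {"configMapKeyRef": {"name": "app-config", "key": "smtp"}}},
        ],
    }]},
}]}

SAMPLE_INSPECT = [{"Id": "3f1c", "Name": "/api",
                   "Config": {"Env": ["DB_PASSWORD=hunter2", "LOG_LEVEL=info", "PATH=/usr/local/bin:/usr/bin"]}}]

if __name__ == "__main__":
    for f in audit_pod_env(SAMPLE_PODS) + audit_docker_env(SAMPLE_INSPECT):
        print(f"{f.where}: {f.name}: {f.issue}")
```

Feed it real data with `kubectl get pods -A -o json` and `docker inspect <container>` parsed through json.load. The ConfigMap case is reported on purpose: a ConfigMap is not access-controlled like a Secret, so a password keyed out of one is only marginally better than a literal.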
Security Score Breakdown
Here's how I think about grading repos:
| Area | Weight | Check |
|---|---|---|
| No secrets in code | 30% | trufflehog clean |
| Dependencies up to date | 25% | npm audit = 0 critical |
| CI/CD secure | 20% | No inline script exec |
| Docker non-root | 15% | USER set in Dockerfile |
| HTTPS enforced | 10% | Redirect HTTP → HTTPS |
ARIA scans GitHub repos and grades them A-F on exactly these criteria — if you want an automated version, it's at step2dev.com.
I built ARIA to solve exactly this.
Try it free at step2dev.com — no credit card needed.