Rahul secures the pipeline

Secrets management, vulnerability scanning — security is not optional in production

⏱ 11 min 5 commands 5 takeaways

🔒

In this chapter

Rahul

DevOps engineer, e-commerce startup

The story

Rahul got the call on a Tuesday. A security researcher had found the company's AWS credentials on GitHub. Not in the current code — in a commit from 8 months ago. The file had been deleted but Git keeps history forever.

The attacker had already spun up 47 EC2 instances mining cryptocurrency. The AWS bill for that 6-hour window was 4,200 dollars.

Rahul spent the next month fixing every security gap. Here is what he learned.

Secrets do not belong in code. Ever. Not in .env files committed to Git. Not in docker-compose.yml. Not in any file that touches version control. Anywhere a human can read your code, a secret should never appear.

# Wrong - never do this
DB_PASSWORD=MyS3cr3t123

# Right - use environment variables injected at runtime
DB_PASSWORD=${DB_PASSWORD}

Scanning your codebase for secrets:

pip install detect-secrets
detect-secrets scan --baseline .secrets.baseline

# Scan your entire git history:
pip install trufflehog
trufflehog git file://. --only-verified

Run detect-secrets in your CI pipeline. If a secret is detected, the build fails before it reaches the repository.

Docker security basics:

# Never run containers as root
FROM python:3.11-slim
RUN useradd -m appuser
USER appuser

# Scan images for vulnerabilities:
trivy image myapp:latest --exit-code 1 --severity CRITICAL

# Never use :latest in production - use specific versions:
FROM python:3.11.9-slim

GitHub Actions security scanning:

- name: Scan for secrets
  uses: trufflesecurity/trufflehog@main

- name: Scan dependencies
  run: pip-audit

- name: Scan Docker image
  run: trivy image myapp:latest --exit-code 1 --severity CRITICAL

Kubernetes RBAC - least privilege. Every pod should only access what it needs:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: payment-role
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["payment-db-secret"]
  verbs: ["get"]

Network policies restrict pod-to-pod communication. By default every pod can talk to every other pod — that is a security disaster:

spec:
  podSelector:
    matchLabels:
      app: payment-service
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: api-gateway

Rahul added security scanning to every PR pipeline. The next time a developer accidentally committed a test credential, the build failed immediately and the credential never reached the repository.

Key takeaways

Secrets in Git — even deleted files — are recoverable forever through git history

detect-secrets and trufflehog scan your codebase and git history for exposed credentials

Always run containers as a non-root user — one RUN + USER line in your Dockerfile

trivy image scans your Docker image for known CVEs — run this in CI before every deploy

Kubernetes RBAC: give each service account only the specific permissions it actually needs

Commands from this chapter

$ detect-secrets scan --baseline .secrets.baseline

Scan codebase for accidentally committed secrets

$ trufflehog git file://. --only-verified

Scan entire git history for exposed credentials

$ trivy image myapp:latest --exit-code 1 --severity CRITICAL

Scan Docker image for critical CVEs

$ pip-audit

Check Python dependencies for known security vulnerabilities

$ kubectl auth can-i get secrets --as=system:serviceaccount:default:myapp

Test what permissions a service account has