Add CVE & Secret Scanning to Regression Workflow #15

@jnelsoncelsys

Description

As a(n)

Repository Administrator

I want

automated vulnerability and secret scanning via GitHub-native tools integrated into our regression workflow

So that

we can detect and remediate high-risk security issues early in the CI/CD pipeline, while offloading remediation issue generation to QA


Executive Summary

We need to implement lightweight and maintainable security scanning using GitHub's built-in capabilities. This includes CVE scanning for Python code and Docker images, as well as secret detection. These scans will run as part of the regression or PR workflows. QA will own triage and remediation tracking. The approach must remain simple, free, and integrated into GitHub Actions.


Acceptance Criteria

  • Code scanning is active on Python backend repositories using GitHub-native tools
  • Docker image scanning is active for images built and pushed to GHCR
  • GitHub Secret Scanning is enabled for all repositories
  • PR workflow is updated to:
    • Run CVE and secret scans
    • Fail PRs on high/critical severity
    • Warn only on low/medium severity
  • Scheduled scan workflow (e.g. nightly) is configured
  • QA receives scan results and creates remediation issues as needed

In-Scope

  • Python backend repositories
  • Docker images built in CI
  • GitHub Container Registry
  • Regression / PR GitHub Actions workflows

Out-of-Scope

  • Third-party commercial security tools (Snyk, Checkmarx, etc.)
  • Non-GitHub-native dependency management tooling

Suggested Tools Comparison

| Tool | Focus | Strengths | Weaknesses | Pricing |
|---|---|---|---|---|
| CodeQL | CVE scanning (GitHub native) | Deep analysis, integrates with GitHub UI | Custom queries require learning | Free (GitHub) |
| Semgrep | Multi-language SAST | Customizable, strong community rulesets | Needs tuning | Free (OSS) |
| Bandit | Python AST scanning | Easy GitHub integration, lightweight | Basic detection only | Free (OSS) |
| Safety | Python dependency scanning | Scans for known CVEs from PyUp DB | Limited to packages | Free (basic) |
| detect-secrets | Secrets in code | Pre-commit hook, strong local enforcement | Misses runtime secrets | Free (OSS) |
| GitHub Secret Scanning | Secrets pushed to GitHub | Auto-detects common credentials | No coverage for custom secrets | Free |

Implementation Steps

  1. Analyze available GitHub tools, Bandit, Semgrep, etc.
  2. Enable GitHub secret scanning for all repos
  3. Add detect-secrets as an optional pre-commit hook
  4. Update regression workflow to:
    • Fail on high/critical severity findings
    • Warn on low/medium
    • Run on PRs and scheduled workflows
  5. Deliver findings to the QA team and document the remediation process; automate this via issue generation
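The severity gate in step 4 and the issue generation in step 5 are where the workflow needs actual logic rather than configuration. The script below is an added example, not code from this issue or its repositories: it reads a Bandit JSON report (Bandit is on the tools list; `bandit -r . -f json -o bandit.json` produces this format) and a Trivy-style image scan report (Trivy is an assumed choice for the GHCR image scan, since the issue names no image scanner), normalizes both into one finding list, prints GitHub Actions `::error` / `::warning` workflow commands so findings show inline on the PR, fails the step only on blocking severities, and builds the markdown body for the QA remediation issue. The script name `scan_gate.py`, the sample reports and the `CVE-XXXX-*` ids are constructed placeholders.

```python
"""Severity gate for scan reports, run as a step in the regression / PR workflow.

Reads Bandit JSON (bandit -r . -f json -o bandit.json) and a Trivy-style
image-scan JSON (assumed scanner for the GHCR image), normalizes the findings,
prints GitHub Actions annotations, and exits non-zero only for blocking
severities so the PR check fails on high/critical and merely warns otherwise.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass
from typing import Optional

FAIL_SEVERITIES = {"HIGH", "CRITICAL"}  # block the PR
WARN_SEVERITIES = {"LOW", "MEDIUM"}     # annotate only
RANK = {"CRITICAL": 0, "HIGH": 1, "UNKNOWN": 2, "MEDIUM": 3, "LOW": 4}  # worst first


@dataclass(frozen=True)
class Finding:
    tool: str
    identifier: str       # Bandit test id (e.g. B602) or CVE id
    severity: str         # LOW / MEDIUM / HIGH / CRITICAL / UNKNOWN
    location: str         # source file or "package@version"
    line: Optional[int]
    message: str


def parse_bandit(report: dict) -> list[Finding]:
    """Bandit JSON: findings live under "results", severity in issue_severity."""
    return [
        Finding("bandit", r["test_id"], r["issue_severity"].upper(),
                r["filename"], r.get("line_number"), r["issue_text"])
        for r in report.get("results", [])
    ]


def parse_trivy(report: dict) -> list[Finding]:
    """Trivy image report: Results[].Vulnerabilities[] (assumed image scanner)."""
    found = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            found.append(Finding(
                "trivy", v["VulnerabilityID"], v.get("Severity", "UNKNOWN").upper(),
                f"{v['PkgName']}@{v['InstalledVersion']}", None,
                v.get("Title") or f"fixed in {v.get('FixedVersion', 'n/a')}"))
    return found


def gate(findings: list[Finding]) -> tuple[list[Finding], list[Finding]]:
    """Split into (blocking, warn_only). Anything not explicitly low/medium,
    including an unrated UNKNOWN, is treated as blocking so the gate fails closed."""
    blocking = [f for f in findings if f.severity not in WARN_SEVERITIES]
    warn_only = [f for f in findings if f.severity in WARN_SEVERITIES]
    return blocking, warn_only


def annotation(f: Finding) -> str:
    """GitHub Actions workflow command; ::error / ::warning render inline on the PR."""
    level = "warning" if f.severity in WARN_SEVERITIES else "error"
    where = f"file={f.location}" + (f",line={f.line}" if f.line else "")
    return f"::{level} {where}::[{f.tool}] {f.identifier} ({f.severity}) {f.message}"


def remediation_issue_body(blocking: list[Finding]) -> str:
    """Markdown table for the QA remediation issue (step 5), worst findings first."""
    rows = ["| Tool | ID | Severity | Location | Detail |", "|---|---|---|---|---|"]
    for f in sorted(blocking, key=lambda f: (RANK.get(f.severity, 2), f.tool, f.identifier)):
        loc = f.location + (f":{f.line}" if f.line else "")
        rows.append(f"| {f.tool} | {f.identifier} | {f.severity} | {loc} | {f.message} |")
    return "\n".join(rows)


def run(bandit_report: dict, image_report: dict) -> int:
    """Print annotations and return the exit code for the workflow step."""
    blocking, warn_only = gate(parse_bandit(bandit_report) + parse_trivy(image_report))
    for f in warn_only + blocking:
        print(annotation(f))
    if blocking:
        print(f"::error::{len(blocking)} blocking finding(s); failing the check")
        return 1
    return 0


# Constructed sample reports (not real scan output); the CVE ids are placeholders.
SAMPLE_BANDIT = {"results": [
    {"test_id": "B105", "issue_severity": "LOW", "filename": "app/config.py",
     "line_number": 12, "issue_text": "Possible hardcoded password: 'changeme'"},
    {"test_id": "B602", "issue_severity": "HIGH", "filename": "app/runner.py",
     "line_number": 40, "issue_text": "subprocess call with shell=True identified"},
]}
SAMPLE_IMAGE = {"Results": [{"Target": "ghcr.io/example-org/backend:pr (debian)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-XXXX-0001", "PkgName": "libexample",
         "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-XXXX-0002", "PkgName": "libother",
         "InstalledVersion": "2.3", "Severity": "MEDIUM", "Title": "minor issue"},
    ]}]}

if __name__ == "__main__":
    # In CI: python scan_gate.py bandit.json image.json ; with no args, use the samples.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            sys.exit(run(json.load(a), json.load(b)))
    sys.exit(run(SAMPLE_BANDIT, SAMPLE_IMAGE))
```

Two design points worth noting. The gate fails closed: a finding the scanner could not rate (`UNKNOWN`) is treated as blocking rather than silently downgraded to a warning, which goes slightly beyond the issue's "fail on high/critical" wording but avoids letting unrated CVEs through. And because the same step runs on the scheduled (nightly) workflow, `remediation_issue_body` can feed `gh issue create --body-file` directly, giving QA a pre-filled issue instead of raw scanner output.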
