Tools: How to Grade Your GitHub Repo's Security Before Someone Else Does


Most developers think security reviews are something you do before a big launch, or when you join a bigger company with a security team. The reality: if your repo is public (or even if it's private and gets leaked), the security gaps are already there. You just haven't looked.

Here's a practical checklist you can run on any GitHub repo right now.

1. Secrets in Code

The most common (and most embarrassing) vulnerability.

What you're looking for:

- API keys committed in .env files
- AWS/GCP credentials in config files
- Database passwords in hardcoded strings

```bash
# Install trufflehog (v3). Note: the "trufflehog" package on PyPI is the older
# v2 Python tool with a different CLI and does not accept the scan command below.
brew install trufflehog  # Mac

# Scan your repo
trufflehog git file://./your-repo --only-verified
```

```bash
# Install
brew install gitleaks  # Mac
# or
docker run -v $(pwd):/path zricethezav/gitleaks:latest detect --source /path

# Run
gitleaks detect --source .
```

Fix: Add to .gitignore before it's a problem.

```gitignore
# .gitignore essentials
.env
.env.local
*.pem
*_rsa
config/secrets.yml
```

2. Dependency Vulnerabilities

```bash
# Node.js
npm audit
npm audit fix

# Python
pip install safety
safety check

# Ruby
bundle audit check --update
```

Real output from npm audit:

```
found 3 vulnerabilities (1 moderate, 2 high)
Run `npm audit fix` to fix 1 of 3 vulnerabilities.
2 vulnerabilities require manual review.
See the full report for details.
```

Don't ignore the "manual review" ones — those are often the critical ones that can't be auto-fixed.

3. CI/CD Security

Check your GitHub Actions workflows for:

- Downloading scripts from the internet and running them directly
- GITHUB_TOKEN with write permissions you don't need
- Secrets printed to logs with echo $SECRET

```bash
cat .github/workflows/*.yml | grep -E "curl|wget|bash <"
```

```yaml
# Bad
- run: curl https://some-site.com/install.sh | bash

# Good
- run: |
    curl -fsSL https://some-site.com/install.sh -o install.sh
    # verify checksum against the value the script's publisher documents
    # (<expected-sha256> is a placeholder for that value; printing the hash
    # alone does not verify anything)
    echo "<expected-sha256>  install.sh" | sha256sum -c -
    bash install.sh
```

4. Docker Image Security

```bash
# Install trivy
brew install trivy  # Mac
# or
docker run aquasec/trivy image your-image:latest

# Scan your image
trivy image your-image:latest
```

Also check your Dockerfile:

```dockerfile
# Bad: running as root
FROM node:18
COPY . .
CMD ["node", "server.js"]

# Good: create a non-root user
FROM node:18
RUN addgroup --system appgroup && adduser --system appuser --ingroup appgroup
USER appuser
COPY --chown=appuser:appgroup . .
CMD ["node", "server.js"]
```

5. Environment Variables

```bash
# Check if any secrets are exposed as env vars in your k8s pods
kubectl get pods -o yaml | grep -A 5 env | grep -v "^--"

# Or check docker inspect
docker inspect <container> | grep -A 20 Env
```

Security Score Breakdown

Here's how I think about grading repos:

ARIA scans GitHub repos and grades them A-F on exactly these criteria — if you want an automated version, it's at step2dev.com. I built ARIA to solve exactly this.

Try it free at step2dev.com — no credit card needed.
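For section 1, here is an added example (not code from the post or from ARIA) of a small pre-commit style check that looks for the three things the section lists and for the .gitignore entries it recommends. The credential regexes, the sample file contents and the function names are this example's own assumptions; it is meant to sit beside trufflehog and gitleaks, not replace them.

```shell
#!/bin/sh
# Added example, not from the original post. A pre-commit style check for the
# section 1 findings: credential-shaped strings anywhere in the tree, plus the
# .gitignore entries the post recommends. The regexes, file names and sample
# contents below are this example's own assumptions.
set -u

# Illustrative high-confidence credential shapes, one ERE per line (assumed, not
# any scanner's ruleset): AWS access key id, PEM private key header, and a
# password/secret assignment with an 8+ character value.
SECRET_PATTERNS='AKIA[0-9A-Z]{16}
-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----
(password|passwd|secret)[[:space:]]*[=:][[:space:]]*[^[:space:]]{8,}'

# The .gitignore entries listed in the post, one per line.
GITIGNORE_ESSENTIALS='.env
.env.local
*.pem
*_rsa
config/secrets.yml'

# scan_for_secrets DIR: print path:line:match for every hit. Dotfiles such as
# .env are searched, .git is skipped, binaries are ignored (-I).
scan_for_secrets() {
  printf '%s\n' "$SECRET_PATTERNS" | while IFS= read -r pat; do
    grep -rnEIo --exclude-dir=.git -e "$pat" "$1" 2>/dev/null || true
  done
}

# count_secrets DIR: number of hits as a plain integer.
count_secrets() {
  echo $(( $(scan_for_secrets "$1" | wc -l) ))   # $(( )) strips wc's padding on BSD/macOS
}

# missing_gitignore_entries DIR: print each essential entry that DIR/.gitignore
# does not contain as an exact line; with no .gitignore at all, every entry.
missing_gitignore_entries() {
  gi="$1/.gitignore"
  printf '%s\n' "$GITIGNORE_ESSENTIALS" | while IFS= read -r entry; do
    if [ ! -f "$gi" ] || ! grep -qxF -- "$entry" "$gi"; then
      echo "$entry"
    fi
  done
}

# count_missing_gitignore DIR: number of missing entries as a plain integer.
count_missing_gitignore() {
  echo $(( $(missing_gitignore_entries "$1" | wc -l) ))
}

# make_sample_repo: build a constructed throwaway tree that trips both checks
# and print its path. The AWS key id is the AWS documentation example value.
make_sample_repo() {
  d=$(mktemp -d)
  mkdir -p "$d/config"
  printf 'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n' > "$d/.env"
  printf 'password = "hunter2hunter2"\n' > "$d/config/database.yml"
  printf 'console.log("hello")\n' > "$d/app.js"
  printf '.env\n*.pem\n' > "$d/.gitignore"      # covers 2 of the 5 essentials
  echo "$d"
}

# Stand-alone run: report on the sample tree, then clean up.
repo=$(make_sample_repo)
echo "== credential-shaped strings =="
scan_for_secrets "$repo"
echo "== .gitignore entries still missing =="
missing_gitignore_entries "$repo"
rm -rf "$repo"
```

On the sample tree this reports two hits (the AWS key id in .env and the hardcoded password in config/database.yml) and three missing .gitignore entries. Wired into a pre-commit hook, a non-zero `count_secrets` is the signal to block the commit; the `.gitignore` check is what stops the .env file from being staged in the first place.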
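For section 3, the one-line grep over the workflows is a good start; the following added example (not code from the post or from ARIA) turns the three items on that list into a checker that reports where in the file each smell occurs. The regexes, the permissions heuristic and the two sample workflows are this example's own constructions.

```shell
#!/bin/sh
# Added example, not from the original post. Checks a GitHub Actions workflow
# for the three smells section 3 lists: a downloaded script piped straight into
# a shell, GITHUB_TOKEN left with default or write-all permissions, and a secret
# echoed into the job log. The regexes and the sample workflows are this
# example's own constructions.
set -u

PIPE_TO_SHELL='(curl|wget)[^|]*[|][[:space:]]*(sudo[[:space:]]+)?(ba|z)?sh([[:space:]]|$)'
ECHOED_SECRET='echo.*([$][{][{][[:space:]]*secrets[.]|[$][A-Z_]*(SECRET|TOKEN|KEY|PASSWORD))'

# audit_workflow FILE: print one finding per line (file:line:text -> why).
audit_workflow() {
  f="$1"
  grep -nE "$PIPE_TO_SHELL" "$f" | sed "s|^|$f:|; s|\$| -> remote script piped straight into a shell|"
  grep -nE "$ECHOED_SECRET" "$f" | sed "s|^|$f:|; s|\$| -> secret value written to the job log|"
  # With no permissions: block the job token gets the repository's default
  # scopes, which can include write; write-all grants every scope explicitly.
  grep -qE '^[[:space:]]*permissions:' "$f" || echo "$f: no permissions: block (GITHUB_TOKEN keeps default scopes)"
  grep -qE 'write-all' "$f" && echo "$f: permissions: write-all (grant only the scopes the job needs)"
  return 0
}

# count_workflow_findings FILE: number of findings as a plain integer.
count_workflow_findings() {
  echo $(( $(audit_workflow "$1" | wc -l) ))
}

# write_sample_workflows DIR: constructed before/after workflows for a stand-alone run.
write_sample_workflows() {
  cat > "$1/bad.yml" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: curl https://example.invalid/install.sh | bash
      - run: echo "token is ${{ secrets.API_TOKEN }}"
      - run: echo $DEPLOY_KEY
EOF
  cat > "$1/good.yml" <<'EOF'
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: |
          curl -fsSL https://example.invalid/install.sh -o install.sh
          # <expected-sha256> is a placeholder for the publisher's documented checksum
          echo "<expected-sha256>  install.sh" | sha256sum -c -
          bash install.sh
      - run: ./deploy.sh
        env:
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
EOF
}

# Stand-alone run: audit both samples, then clean up.
d=$(mktemp -d)
write_sample_workflows "$d"
for f in "$d/bad.yml" "$d/good.yml"; do
  echo "== $f: $(count_workflow_findings "$f") finding(s) =="
  audit_workflow "$f"
done
rm -rf "$d"
```

The bad workflow produces four findings (the pipe to bash, two echoed secrets, and no `permissions:` block); the good one produces none, because the secret reaches the deploy step only through `env:` and the token is scoped to `contents: read`. GitHub masks exact secret values in logs, but an `echo` of a transformed or partial value is not masked, which is why the check flags any echo of a secret at all.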
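For section 4, the Dockerfile comparison is easy to eyeball in a five-line file but easy to miss in a multi-stage build. The added example below (not code from the post or from ARIA) works out which user the final stage starts as; it uses the post's own bad and good Dockerfiles as samples plus one constructed multi-stage case where the builder drops privileges but the final stage does not.

```shell
#!/bin/sh
# Added example, not from the original post. Works out which user a Dockerfile's
# final stage starts as, which is the "running as root" check section 4 shows by
# hand. Multi-stage builds are handled: a USER set in a builder stage does not
# carry into the final image, so each FROM resets the answer to root. The sample
# Dockerfiles are the post's before/after plus one constructed multi-stage case.
set -u

# dockerfile_effective_user FILE: print the user of the last stage ("root" if
# no USER instruction applies). Comments and indentation are ignored; a
# "user:group" or "uid:gid" argument is reduced to its user part.
dockerfile_effective_user() {
  awk '
    toupper($1) == "FROM" { user = "" }          # every stage starts as root
    toupper($1) == "USER" { user = $2 }          # the last USER in the stage wins
    END { if (user == "") user = "root"; split(user, p, ":"); print p[1] }
  ' "$1"
}

# dockerfile_runs_as_root FILE: true (exit 0) when the container would start as root.
dockerfile_runs_as_root() {
  case "$(dockerfile_effective_user "$1")" in
    root|0) return 0 ;;
    *)      return 1 ;;
  esac
}

# write_sample_dockerfiles DIR: the post's bad and good Dockerfiles, plus a
# constructed multi-stage one whose builder drops privileges but whose final
# stage forgets to.
write_sample_dockerfiles() {
  cat > "$1/Dockerfile.bad" <<'EOF'
# Bad: running as root
FROM node:18
COPY . .
CMD ["node", "server.js"]
EOF
  cat > "$1/Dockerfile.good" <<'EOF'
# Good: create a non-root user
FROM node:18
RUN addgroup --system appgroup && adduser --system appuser --ingroup appgroup
USER appuser
COPY --chown=appuser:appgroup . .
CMD ["node", "server.js"]
EOF
  cat > "$1/Dockerfile.multistage" <<'EOF'
FROM node:18 AS build
USER node
COPY . .
RUN npm ci
FROM node:18
COPY --from=build /app /app
CMD ["node", "/app/server.js"]
EOF
}

# Stand-alone run: classify the three samples, then clean up.
d=$(mktemp -d)
write_sample_dockerfiles "$d"
for f in "$d"/Dockerfile.*; do
  if dockerfile_runs_as_root "$f"; then
    echo "$f: starts as root"
  else
    echo "$f: starts as $(dockerfile_effective_user "$f")"
  fi
done
rm -rf "$d"
```

The bad file and the multi-stage file both come back as root; only the good file reports `appuser`. The multi-stage case is the one worth remembering: `USER node` in the build stage is discarded at the second `FROM`, so the shipped image still runs as root unless the final stage sets a user itself.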
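For section 5, the two grep commands show you the env blocks but leave the reading to you. The added example below (not code from the post or from ARIA) does that reading: for a pod manifest or `kubectl get pods -o yaml` output it separates secret-looking env vars with a literal `value:` from those filled via `valueFrom:`, and for `docker inspect` output it lists secret-looking keys in the container's Env. The name regex and both sample inputs are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Automates the section 5 check:
# given a pod manifest (or `kubectl get pods -o yaml` output) it reports env
# vars with secret-looking names, separating literal `value:` entries from
# `valueFrom:` ones, and given `docker inspect` output it lists secret-looking
# keys in the container's Env. The name regex and both samples are constructed.
set -u

SECRET_NAME_RE='(SECRET|PASSWORD|PASSWD|TOKEN|KEY|CREDENTIAL)'

# classify_secret_env FILE: print "plaintext NAME" for a secret-looking env var
# with a literal value in the manifest, "from-secret NAME" for one filled from
# a Secret (still an env var in the running container, just not in the YAML).
classify_secret_env() {
  awk -v re="$SECRET_NAME_RE" '
    /^[[:space:]]*-[[:space:]]*name:/ { name = $NF; next }   # new list item
    name != "" && /^[[:space:]]*value:/ {
      if (toupper(name) ~ re) print "plaintext " name
      name = ""
    }
    name != "" && /^[[:space:]]*valueFrom:/ {
      if (toupper(name) ~ re) print "from-secret " name
      name = ""
    }
  ' "$1"
}

# count_plaintext_secret_env FILE: how many secret-looking vars carry a literal value.
count_plaintext_secret_env() {
  classify_secret_env "$1" | awk '/^plaintext / { n++ } END { print n + 0 }'
}

# secret_env_in_inspect FILE: from docker inspect JSON, print the Env keys whose
# names look secret-like (Env is a list of "KEY=value" strings; key part only).
secret_env_in_inspect() {
  grep -oE '"[A-Za-z_][A-Za-z0-9_]*=[^"]*"' "$1" | sed 's/^"//; s/=.*//' | grep -E "$SECRET_NAME_RE" || true
}

# write_sample_manifests DIR: a constructed pod manifest and a constructed,
# trimmed docker inspect document for a stand-alone run.
write_sample_manifests() {
  cat > "$1/pod.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  containers:
  - name: app
    image: example/app:1.0
    env:
    - name: LOG_LEVEL
      value: info
    - name: DB_PASSWORD
      value: hunter2hunter2
    - name: API_TOKEN
      valueFrom:
        secretKeyRef:
          name: app-secrets
          key: api-token
EOF
  cat > "$1/inspect.json" <<'EOF'
[{"Id":"constructed","Config":{"Env":["PATH=/usr/local/bin:/usr/bin","NODE_ENV=production","DB_PASSWORD=hunter2hunter2"]}}]
EOF
}

# Stand-alone run: report on both samples, then clean up.
d=$(mktemp -d)
write_sample_manifests "$d"
echo "== pod env (plaintext secret-looking values: $(count_plaintext_secret_env "$d/pod.yaml")) =="
classify_secret_env "$d/pod.yaml"
echo "== docker inspect Env keys that look secret-like =="
secret_env_in_inspect "$d/inspect.json"
rm -rf "$d"
```

On the samples this flags `DB_PASSWORD` as a plaintext value in the manifest, `API_TOKEN` as filled from a Secret, and `DB_PASSWORD` again in the docker inspect Env. The `from-secret` entries are the milder finding, but they are still what the section is warning about: once the value is in the process environment, anyone who can run `docker inspect` or read the container's environment sees it.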