Skip to content
Lionshead·

🔒Lionshead PRs Now Include Automated Self-Breach Security Stack

Your code is getting scanned for breaches before it even hits the repo

TL;DR

Lionshead's pull requests now automatically run a comprehensive security stack, including Trivy and Gitleaks scans. This ensures no critical vulnerabilities or secrets make it into production.

Lionshead has implemented an automated self-breach security stack for all PRs, ensuring that code is scanned for vulnerabilities, secrets, and infrastructure issues before merging. If you're working on a project with strict security requirements, this could be a game-changer. The stack includes tools like Trivy for filesystem scanning, Gitleaks for secret detection across git history, and Checkov for IaC security checks. It also features scheduled daily audits against the default branch, including npm audit and Trivy scans.

Key Points

1

Trivy filesystem scanning catches CRITICAL or HIGH severity findings, configured via trivy.yaml at the repo root

2

Gitleaks secret scanning detects API keys, tokens, private keys, and connection strings across entire git history

3

Checkov runs alongside Trivy IaC for defense in depth, catching insecure infrastructure defaults

4

OWASP ZAP baseline active DAST scans catch missing security headers and common injection vectors

5

Infracost + OPA cost gate pauses PRs on GitHub Environment approval gate when the delta exceeds $50/month

Why It Matters

If you're working with sensitive data or strict compliance requirements, this is a must-have. The automated stack catches secrets and vulnerabilities before they hit production, reducing risk significantly. For instance, Trivy scans ensure no CRITICAL or HIGH severity findings slip through, while Gitleaks prevents accidental exposure of API keys across git history.

trivygitleakscheckovowasp zapinfracost

Frequently Asked Questions

Why does this matter?

If you're working with sensitive data or strict compliance requirements, this is a must-have. The automated stack catches secrets and vulnerabilities before they hit production, reducing risk significantly. For instance, Trivy scans ensure no CRITICAL or HIGH severity findings slip through, while Gitleaks prevents accidental exposure of API keys across git history.

What happened?

Lionshead's pull requests now automatically run a comprehensive security stack, including Trivy and Gitleaks scans. This ensures no critical vulnerabilities or secrets make it into production.

Comments

Subscribe to join the conversation...

Be the first to comment

Enjoyed this article?

Get it daily. 7am. Free. Reads in 5 minutes.

Join 2,074 builders reading daily.