Source: ocean/docs/security-scanning-migration.md

Security Scanning Migration Guide

This document outlines the migration from third-party security scanning tools to GitHub native security features.

Migration Overview

We've migrated from multiple third-party tools to GitHub's native security features:

Before

  • Secret Scanning: Gitleaks, TruffleHog, detect-secrets
  • Code Scanning: None
  • Configuration: Multiple config files and custom workflows

After

  • Secret Scanning: GitHub Secret Scanning (automatic)
  • Code Scanning: GitHub CodeQL
  • Configuration: Single workflow file

Changes Made

  1. Removed Third-Party Tools:

    • Deleted .github/workflows/secret-scanning.yml
    • Deleted .gitleaks.toml
    • Deleted .secrets.baseline
    • Removed gitleaks from pre-commit hooks
  2. Added GitHub Native Tools:

    • Created .github/workflows/security-scanning.yml for CodeQL
    • GitHub Secret Scanning is automatically enabled
  3. Security Improvements:

    • Removed hardcoded PostHog API key from source
    • Moved posthog-edge.ts to server-only location
    • Fixed environment variable usage (no VITE_ prefix for server-side)

GitHub Security Features

Secret Scanning

  • Automatic: No workflow required
  • Coverage: Scans all commits, PRs, and issues
  • Alerts: Appear in Security tab
  • Partners: Direct notification to service providers

Code Scanning (CodeQL)

  • Languages: JavaScript/TypeScript
  • Schedule: On push, PR, and weekly
  • Queries: Security and quality checks
  • Results: Appear in Security tab and PR checks
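As an added example (not the project's own .github/workflows/security-scanning.yml, whose contents this page does not show), here is a CodeQL workflow that matches the settings listed above: JavaScript/TypeScript only, triggered on push, pull request and a weekly schedule, running the security and quality query suite. The branch name, cron time and job name are assumptions.

```yaml
# Added example of a CodeQL workflow with the settings described on this page.
# Not the project's own file; branch name, cron time and job name are assumed.
name: Security Scanning

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 6 * * 1'   # weekly, Monday 06:00 UTC (assumed time)

jobs:
  codeql:
    name: CodeQL analysis
    runs-on: ubuntu-latest
    # Least privilege: the job only needs to read the repo and upload findings.
    permissions:
      actions: read            # lets the action read workflow run metadata
      contents: read           # checkout only; nothing here writes to the repo
      security-events: write   # required to upload results to the Security tab
    steps:
      - name: Check out source
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          # CodeQL analyses JavaScript and TypeScript with one extractor
          languages: javascript-typescript
          # Adds the quality queries on top of the default security suite
          queries: security-and-quality

      - name: Run CodeQL analysis
        uses: github/codeql-action/analyze@v3
```

The `security-events: write` permission is what allows the analyze step to upload SARIF results so they show up under the Security tab and as PR checks; without it the job runs but reports nothing. Keeping `contents: read` rather than the default write token limits what a compromised step could do to the repository.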

Required Repository Settings

Enable these in Settings → Security & analysis:

  1. ✅ Dependency graph
  2. ✅ Dependabot alerts
  3. ✅ Dependabot security updates
  4. ✅ Secret scanning
  5. ✅ Code scanning

Environment Variables

Update your environment to include:

  • POSTHOG_API_KEY - Server-side PostHog API key. It must not carry the VITE_ prefix: Vite inlines VITE_-prefixed variables into the client bundle, which would expose the key to anyone loading the site.

Benefits

  1. Simplified: One tool instead of three
  2. Integrated: Native GitHub UI and alerts
  3. Maintained: No dependency updates needed
  4. Free: Included in GitHub plan
  5. Accurate: Fewer false positives

Notes

  • The .secrets-config.json for rotation tracking is kept as it serves a different purpose
  • security-check.yml workflow continues to monitor secret rotation
  • All security alerts now appear in the GitHub Security tab