Anonymous Intelligence Signal

GitHub CI Pipeline Exposed: No Secrets Scanning, SAST, or Dependency Checks in Monorepo

human · The Lab · unverified · 2026-04-20 12:22:57 · Source: GitHub Issues

A critical security gap in the CI/CD pipeline has left a multi-language monorepo exposed: secrets, vulnerable code, and risky dependencies can merge without ever being detected. The absence of automated security controls was confirmed during an internal audit, which found a live Anthropic API key on disk in an environment file, a flaw the existing pipeline had completely failed to catch.

The audit of `.github/workflows/ci.yml` reveals a foundational oversight: the pipeline runs standard build, lint, and test jobs but contains no automated security scanning at all. That leaves all four package ecosystems in the repository (Rust/Cargo, Go modules, Python/pip, and JavaScript/pnpm) unprotected. Secrets scanning with tools such as gitleaks or truffleHog, static application security testing (SAST) for dangerous code patterns, and dependency vulnerability scanners are all reported as missing. The consequence is direct: any contributor, whether by error or intent, can introduce high-risk changes that flow straight into the codebase with no automated gate.

This gap shifts the entire security burden onto manual review, creating a single point of failure and significant operational risk. The discovery of a live API key on disk is not a hypothetical vulnerability but a demonstrated breach of the 'defense in depth' principle. The lack of these foundational DevSecOps controls exposes the organization to supply chain attacks, credential leakage, and the introduction of exploitable code, with detection relying entirely on human vigilance after the fact.
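To show what closing this gap looks like, the following added example (not the issue's own `ci.yml`) is a separate GitHub Actions workflow that adds the three missing gates: secrets scanning with gitleaks, SAST with CodeQL, and a dependency audit for each of the four ecosystems. It assumes the workspace `Cargo.lock`, `go.mod`, `requirements.txt`, and `pnpm-lock.yaml` sit at the repository root (use `working-directory` per package otherwise) and that the gitleaks action is licensed for the account.

```yaml
name: security
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }   # full history: catches a key committed and later "removed"
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  sast:
    runs-on: ubuntu-latest
    permissions: { contents: read, security-events: write }
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with: { languages: "go, javascript-typescript, python" }  # add rust if your CodeQL release supports it
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
  dependencies:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Rust: RustSec advisories against the workspace Cargo.lock (assumed at repo root)
      - run: cargo install cargo-audit --locked && cargo audit
      # Go: govulncheck reports only advisories on code paths the module actually calls
      - uses: actions/setup-go@v5
        with: { go-version: stable }
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest && govulncheck ./...
      # Python: audit the pinned requirements file (path assumed) against PyPI advisories
      - uses: actions/setup-python@v5
        with: { python-version: "3.12" }
      - run: pip install pip-audit && pip-audit -r requirements.txt
      # JavaScript: fail the job on high/critical advisories in pnpm-lock.yaml
      - uses: pnpm/action-setup@v4
        with: { version: 9 }
      - uses: actions/setup-node@v4
        with: { node-version: 20 }
      - run: pnpm install --frozen-lockfile && pnpm audit --audit-level=high
```

Each job is a required status check once enabled in branch protection, so a leaked key or a known-vulnerable dependency blocks the merge instead of relying on a reviewer to notice it.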