Anonymous Intelligence Signal

New GitHub Actions Pipeline Flags Hardcoded Secret Encryption Key in Homarr Docker Compose File

The Vault (unverified) | 2026-04-30 19:54:14 | Source: GitHub Issues

A newly implemented CI/CD workflow suite has uncovered a critical security exposure in the Homarr project: a hardcoded `SECRET_ENCRYPTION_KEY` embedded directly in `homarr/compose.yaml`. The finding was surfaced by the `secret-scan.yml` workflow, which runs Gitleaks scans across the full git history on every push and pull request. The exposure was flagged in a "Heads Up" notice appended to the workflow documentation, signaling that the automated secret detection is functioning as intended but that remediation may be required.

The broader workflow rollout encompasses seven GitHub Actions pipelines targeting the project's twelve Docker stacks. These include YAML syntax and schema validation via `compose-diff.yml`, automated compose misconfiguration scanning with Trivy, weekly image CVE vulnerability checks, and image auditing that flags `:latest` tags and queries Docker Hub for newer versions. The `deploy-notify.yml` workflow also sends Discord embeds on main branch pushes, while `service-inventory.yml` auto-commits updated service documentation whenever compose files change. Together, the pipelines form a layered defense against configuration drift, credential leaks, and outdated dependencies.
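Two of the checks the article attributes to the new pipelines, a hardcoded secret sitting in a compose file and an image that floats on `:latest`, can be shown in a small stand-alone linter. The Python below is an added example, not code from the Homarr project or from its GitHub Actions workflows; the compose snippets, the image name `registry.example/homarr`, the tag `v1.0.0` and the key value are constructed placeholders, and the key-name heuristic is a deliberate simplification of what Gitleaks does (Gitleaks matches secret-looking values by pattern and entropy, not variable names).

```python
"""Stand-alone compose-file checks for two of the conditions described above:
a secret-like environment variable carrying a literal value, and a service
image that floats on :latest (or carries no tag at all).

Added example: not part of the Homarr project or its GitHub Actions workflows.
It uses a deliberately small line-based reader so it runs without PyYAML.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the finding described in the article.
# Image name, tag and the key value are placeholders, not real project values.
WEAK_COMPOSE = """\
services:
  homarr:
    image: registry.example/homarr:latest
    environment:
      - SECRET_ENCRYPTION_KEY=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
      - TZ=Europe/Berlin
    ports:
      - "7575:7575"
"""

# Same service with the secret injected from the environment (Compose fails
# fast if the variable is unset) and the image pinned to an explicit tag.
HARDENED_COMPOSE = """\
services:
  homarr:
    image: registry.example/homarr:v1.0.0
    environment:
      - SECRET_ENCRYPTION_KEY=${SECRET_ENCRYPTION_KEY:?set via .env or a CI secret}
      - TZ=Europe/Berlin
    ports:
      - "7575:7575"
"""


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number in the compose text
    rule: str      # "hardcoded-secret" or "unpinned-image"
    detail: str


# Key names that usually hold credentials; this is a name heuristic, unlike
# Gitleaks, which matches the *values* by pattern and entropy.
SECRET_KEY_RE = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|PRIVATE_KEY", re.I)
LIST_ENV_RE = re.compile(r"^\s*-\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$")   # - KEY=value
MAP_ENV_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$")     # KEY: value
IMAGE_RE = re.compile(r"^\s*image:\s*[\"']?([^\"'\s]+)[\"']?\s*$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def value_is_injected(value: str) -> bool:
    """True when the value comes from outside the file: ${VAR} substitution
    or an empty value, which Compose fills from the caller's environment."""
    v = value.strip().strip("\"'")
    return v == "" or v.startswith("$")


def image_is_pinned(ref: str) -> bool:
    """True for a digest reference or an explicit tag other than 'latest'."""
    if "@sha256:" in ref:
        return True
    last = ref.rsplit("/", 1)[-1]          # drop registry[:port]/namespace
    if ":" not in last:
        return False                        # no tag means implicit :latest
    return last.rsplit(":", 1)[1] != "latest"


def check_compose(text: str) -> list[Finding]:
    findings: list[Finding] = []
    env_indent = None                       # indent of the open environment: block
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = _indent(line)
        if env_indent is not None and indent <= env_indent:
            env_indent = None               # left the environment block
        if env_indent is not None:
            m = LIST_ENV_RE.match(line) or MAP_ENV_RE.match(line)
            if m and SECRET_KEY_RE.search(m.group(1)) and not value_is_injected(m.group(2)):
                findings.append(Finding(lineno, "hardcoded-secret",
                                        f"{m.group(1)} carries a literal value"))
            continue
        if line.strip() == "environment:":
            env_indent = indent
            continue
        m = IMAGE_RE.match(line)
        if m and not image_is_pinned(m.group(1)):
            findings.append(Finding(lineno, "unpinned-image",
                                    f"{m.group(1)} floats on a mutable tag"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_COMPOSE), ("hardened", HARDENED_COMPOSE)):
        results = check_compose(text)
        print(f"{name}: {len(results)} finding(s)")
        for f in results:
            print(f"  line {f.line}: [{f.rule}] {f.detail}")
```

Run against the weak sample the checker reports the `image:` line and the `SECRET_ENCRYPTION_KEY` line; the hardened sample is clean because the value is a `${...}` substitution and the tag is explicit. A check like this belongs beside, not instead of, a history-walking scanner: it only sees the current tree, whereas Gitleaks run over the full git history, as the article describes, also finds a value that was committed and later edited out.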

The discovery puts immediate pressure on maintainers to determine whether the exposed encryption key has already been pushed to a public or otherwise accessible repository, and whether it must be rotated. Gitleaks can detect secrets that are already committed, but detection is not remediation: the tool cannot revoke access if the key has been scraped or used by third parties, and removing the value from the current file does not remove it from git history. The project's adoption of automated secret scanning is a positive security posture improvement, but this first catch underscores how easily sensitive values slip into configuration files during development.