Secrets, SBOM & image overlap

Where scanners meet.

Advanced12 min · lesson 10 of 12

IaC misconfiguration scanning is one facet of a broader static-analysis space that a security program stitches together. Adjacent scanners: secrets detection (finding a committed AWS key or private key — Checkov, Trivy, gitleaks, detect-secrets all do this), SBOM and dependency scanning (what libraries your app ships and their CVEs), and image scanning (the container courses’ Trivy). They answer different questions, and the modern tools increasingly bundle several.

Layers of static scanning
1IaC misconfig
insecure infra settings
2secrets
committed credentials
3SBOM / deps
vulnerable libraries
4image
OS + package CVEs
Different questions, complementary. Trivy notably spans all four; Checkov covers IaC + secrets. Cover each layer once.

Compose coverage, avoid duplication

Design the program so each question is answered once by a tool you trust: IaC misconfig (Checkov or Trivy config), secrets (one secrets scanner, ideally as a pre-commit hook so they never land), dependencies/SBOM (Trivy fs or a dedicated SCA tool), images (Trivy image at build). Feeding results into one place (SARIF into the code-scanning dashboard) gives a unified view without running everything everywhere. The goal is complete coverage with minimal overlap.

terminal
# secrets as a pre-commit hook so they never reach the repo
$ checkov -d . --framework secrets
$ trivy fs --scanners secret,vuln,misconfig . # three layers, one pass, SARIF out
$ trivy fs --scanners secret,vuln,misconfig -f sarif -o results.sarif .
Secrets scanning is detect-late — prevent too
A secrets scanner that only runs in CI catches a leaked credential after it is already in Git history, where it must be treated as compromised and rotated. Run secrets detection as a pre-commit hook (and server-side push protection) so secrets are blocked before they land, and still scan in CI as a backstop. Detection is necessary; prevention is what actually keeps credentials out of history.