Source Audit Summary
Date: 2026-04-26 Repos cloned: 10
(see repos-src/) Tools run: trufflehog
(filesystem + git history), gitleaks (filesystem + git history), semgrep
(p/owasp-top-ten + p/security-audit + p/secrets)
Repository inventory
| Repo | Visibility | Contents | Audit result |
|---|---|---|---|
helm |
PUBLIC | Helm charts (corezoid umbrella + 20+ subcharts) | CRZ-009 — 26 secrets in git history, some in current tree |
apigw |
PUBLIC | Helm chart for API gateway deployment | Clean (no secrets, privileged: false set) |
account |
PUBLIC | Helm chart for account service | runAsUser: 0 in init container (legit for cosign
install); nginx configmap OK (semgrep FP on $host in
access_log) |
dbcall |
PUBLIC | Helm chart for dbcall service | Clean |
gitcall |
PUBLIC | Helm chart for gitcall service | Clean |
gitcall-livekit-agent |
Private | Node.js service (LiveKit agent) | Dockerfile missing USER (runs as root) — low severity |
corezoid_ansible_roles |
PUBLIC | Ansible roles for deployment | CRZ-009 — 15 secrets in git history, incl. DB passwords and RSA private keys |
terraform |
Private | Terraform modules (EKS, networking, etc.) | CRZ-009 — 8 argocd tokens in EKS module (possibly examples) |
observability |
Private | Observability stack (Grafana, Loki, Prometheus) | Clean from secret-scan perspective |
corezoid-ai-doc |
PUBLIC | AI/LLM documentation corpus for Corezoid | 18 gitleaks hits (mostly in docs/examples — likely placeholders, need manual review) |
Key observations
The "service" repos on GitHub are actually Helm charts
account, apigw, dbcall,
gitcall are all just Helm charts — actual service source
code is elsewhere (likely git.corezoid.com per the apigw
README references to internal GitLab). This limits the value of
public-code SAST but means the secret hygiene of Helm charts is
critical — it's the only code attackers can see.
Secret-leak systemic pattern
CRZ-009 details 41+ secret-shaped strings across 3 repos. Patterns observed:
- RSA private keys pasted into README files
- AWS Access Key IDs in values.yaml next to empty secretAccessKey slots (indicating the pattern of "commit the ID, inject the secret at deploy" — which still leaks the ID)
- DB passwords in SQL seed files (
add_admin.sql,accounts.sql) - Reused passwords across environments (
I9EmB170XUbeappears in 4 different commits/files) - "demo" keys reused across multiple Ansible roles (corezoid-demo.pem.j2 in 3 places)
Helm hardening opportunities
automountServiceAccountToken: trueas umbrella default (rabbitmq values) — should be false unless specifically neededrunAsUser: 0in 3 places (postgres init, account init, rabbitmq) — 2 are legit init containers, 1 is worth reviewing- Most charts lack explicit
securityContext.readOnlyRootFilesystem: true - No NetworkPolicy templates in the umbrella chart
Semgrep findings
- Account service (Helm): false positive on
$hostin nginx logs (not a security issue) - gitcall-livekit-agent: missing USER directive in Dockerfile — minor hardening recommendation, filed as part of this summary
- All other repos: 0 findings (Helm charts aren't application code, so SAST rules don't apply)
Filed findings
- CRZ-009 — Multiple secrets committed to public GitHub repos
Recommendations for Phase 7 (IaC review)
Now that secrets are catalogued, Phase 7 should focus on:
- Network policy audit — which services are internet-reachable via Ingress, which should be intra-cluster only
- Resource limits — pods without resource limits enable DoS from a single tenant
- Pod Security Standards baseline check (we're running with lax defaults)
- External storage — which PVCs are encrypted, which use default (likely encrypted via EBS default)
- Ingress TLS — are all Ingress resources TLS-terminated? Any plain HTTP exposed?
What's NOT in source
The actual business-logic code for Corezoid (Erlang
middleware, API processors, Simulator business logic) was not accessible
from public GitHub. To audit application-level vulnerabilities (authz,
injection, crypto misuse in actual handlers), would need access to
git.corezoid.com or equivalent internal source.