-
-
Notifications
You must be signed in to change notification settings - Fork 0
Secrets Rotation
Norm Brandinger edited this page Nov 20, 2025
·
1 revision
- Supported Versions
- Reporting a Vulnerability
- Security Best Practices
- Known Security Considerations
- Security Updates
- Security Tools
- Compliance
- Contact
- Acknowledgments
We release security updates for the following versions:
| Version | Supported | Notes |
|---|---|---|
| main | ✅ | Latest development version |
| 1.x.x | ✅ | Current stable release |
| < 1.0 | ❌ | Please upgrade to latest |
Note: This project is intended for local development environments only and is not designed for production deployment. Security considerations are focused on protecting your local development setup.
We take security vulnerabilities seriously. If you discover a security issue, please follow these steps:
- DO NOT open a public GitHub issue
- DO NOT discuss the vulnerability in public forums
- DO NOT disclose details on social media
Send a detailed report via GitHub Security Advisories:
- Go to the repository's Security tab
- Click "Report a vulnerability"
- Fill out the private vulnerability report form
Include in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Suggested fixes (if any)
- Your contact information
- Acknowledgment: We will acknowledge your report within 48 hours
- Assessment: We will assess the vulnerability and determine its severity within 5 business days
- Updates: We will provide regular updates on our progress
- Resolution: We will work to resolve critical issues as quickly as possible
- Credit: We will credit you in the fix announcement (unless you prefer to remain anonymous)
| Severity | Initial Response | Resolution Target |
|---|---|---|
| Critical | 24 hours | 7 days |
| High | 48 hours | 14 days |
| Medium | 5 days | 30 days |
| Low | 7 days | 60 days |
Secure Your .env File:
# NEVER commit .env to git
# Ensure .env is in .gitignore
echo ".env" >> .gitignore
# Set restrictive permissions
chmod 600 .env
# Use strong, unique passwords
# Generate secure passwords:
openssl rand -base64 32Critical Variables to Secure:
POSTGRES_PASSWORDMYSQL_ROOT_PASSWORDRABBITMQ_DEFAULT_PASSMONGODB_ROOT_PASSWORDVAULT_DEV_ROOT_TOKEN_ID- Any API keys or tokens
Initial Setup:
# Initialize Vault securely
./devstack.sh vault-init
# Store root token securely
# NEVER commit vault-keys.json to git
chmod 600 configs/vault/vault-keys.json
# Consider using a password manager for token storageVault Token Management:
- Rotate the root token regularly
- Use limited-scope tokens for applications
- Enable audit logging for compliance
- Revoke unused tokens
Port Exposure:
- By default, services are only accessible from
localhost - Only expose services to your network if absolutely necessary
- Use firewall rules to restrict access
- Consider using SSH tunnels for remote access
If Exposing Services:
# Use SSH tunnel instead of direct exposure
ssh -L 5432:localhost:5432 user@remote-host
# Or use VPN for secure accessPostgreSQL:
- Use strong passwords (minimum 16 characters)
- Enable SSL/TLS for all connections
- Limit user privileges (principle of least privilege)
- Regularly backup databases
- Rotate credentials periodically
Redis:
- Enable authentication (requirepass)
- Use TLS for cluster communication
- Disable dangerous commands in production
- Limit network access
MongoDB:
- Enable authentication and authorization
- Use role-based access control (RBAC)
- Enable encryption at rest
- Use TLS for connections
Best Practices:
# Regularly update base images
docker compose pull
# Scan images for vulnerabilities
docker scout cves [image-name]
# Review container logs for suspicious activity
./devstack.sh logs [service]
# Limit container resources to prevent DoS
# (Already configured in docker-compose.yml)Secure Your Backups:
# Create encrypted backups
./devstack.sh backup
# Encrypt backup files
tar -czf - backups/ | openssl enc -aes-256-cbc -e > backups-encrypted.tar.gz.enc
# Store backups securely (off-system)
# Set restrictive permissions
chmod 600 backups-encrypted.tar.gz.encDO:
- Use HashiCorp Vault for secrets
- Rotate secrets regularly
- Use unique secrets per service
- Use environment variables for configuration
- Use
.env.exampleas template (with placeholders)
DON'T:
- Hardcode secrets in scripts or config files
- Commit secrets to version control
- Share secrets via insecure channels (email, Slack, etc.)
- Reuse passwords across services
- Use default or weak passwords
Before Committing:
# Scan for secrets
git secrets --scan
# Check for hardcoded credentials
grep -r "password\|secret\|token\|api_key" --exclude-dir=.git --exclude="*.md"
# Ensure .env is not tracked
git status --ignored
# Review changes
git diffPython Dependencies:
# Check for vulnerabilities
safety check -r requirements.txt
# Update dependencies
pip list --outdatedDocker Images:
# Use specific version tags (not 'latest')
# Verify image signatures when possible
# Scan images with Trivy
trivy image postgres:15-alpineSecurity Checklist:
- No secrets or credentials in code
- No sensitive data in logs or error messages
- Input validation for user-provided data
- Proper error handling (no stack traces to users)
- Security implications documented
- Dependencies are up-to-date
- No new security warnings from linters
Important: This project is designed for local development only. Do NOT use in production:
- Default credentials are documented (for convenience)
- Some services use development mode settings
- SSL/TLS certificates are self-signed
- No advanced hardening is applied
- Audit logging is minimal
- Network isolation is basic
- Uses dev mode by default (data stored in memory)
- Auto-unseal with transit engine (convenience over security)
- Root token stored in plaintext (for development ease)
- Allows connections from Docker network
- SSL mode set to 'prefer' (not 'require')
- Superuser access available
- Password authentication required
- TLS optional (enable for sensitive data)
- No command blacklisting
- Authentication enabled
- No IP whitelisting by default
- Role-based access available
- Watch this repository for security updates
- Review CHANGELOG.md for security fixes
- Subscribe to security advisories for dependencies:
# Update container images
docker compose pull
# Update Colima
brew upgrade colima
# Update Docker
brew upgrade docker docker-compose
# Restart services
./devstack.sh restartSecret Scanning:
- gitleaks - Scan for hardcoded secrets
- truffleHog - Find secrets in git history
- git-secrets - Prevent committing secrets
Vulnerability Scanning:
- Trivy - Container and filesystem scanning
- Docker Scout - Docker image analysis
- Safety - Python dependency scanning
Static Analysis:
- shellcheck - Shell script analysis
- hadolint - Dockerfile linting
This repository includes GitHub Actions workflows for:
- Secret scanning (Gitleaks, TruffleHog)
- Dependency scanning
- Container vulnerability scanning (Trivy)
- Code quality analysis (CodeQL)
- Configuration security checks
Local Development:
- No production data should be used
- Use synthetic/mock data for testing
- Sanitize any real data before importing
- Clear databases when no longer needed
GDPR/Privacy:
- Don't store personally identifiable information (PII)
- Don't use production customer data
- Follow data minimization principles
- Implement data retention policies
For security questions or concerns:
- Security Issues: Use GitHub Security Advisories
- General Questions: Open a GitHub Issue with the "question" label
- Non-Security Bugs: Open a GitHub Issue
We appreciate the security research community and thank all researchers who responsibly disclose vulnerabilities.
Hall of Fame:
Last Updated: 2025-10-23
Version: 1.0