This document outlines security best practices for handling credentials and sensitive information in this project.
- Secret Management
- Environment Configuration
- Incident Response: Exposed Secrets
- Prevention Measures
- Security Checklist
- Reporting Security Issues
## Secret Management

- **Never commit secrets to version control**
  - Tokens, passwords, API keys, and private keys must never be committed
  - Even "temporary" commits can persist in git history indefinitely
- **Use environment variables**
  - Store sensitive configuration in environment variables
  - Load from `.env` files that are excluded from git
  - See `.auto-claude/.env.example` for the required variables
- **Treat tokens like passwords**
  - Do not share tokens via email, chat, or other insecure channels
  - Use secure secret sharing tools if transfer is necessary
  - Rotate credentials regularly
- **Minimize token scope**
  - Request only the permissions your application needs
  - Use fine-grained tokens when available
  - Review and revoke unused tokens periodically
| Type | Pattern | Description |
|---|---|---|
| GitHub PAT (new) | `ghp_xxxx` | Personal Access Token |
| GitHub OAuth | `gho_xxxx` | OAuth Access Token |
| GitHub App User | `ghu_xxxx` | GitHub App User Token |
| GitHub App Server | `ghs_xxxx` | GitHub App Server Token |
| GitHub Fine-grained | `github_pat_xxxx` | Fine-grained PAT |
| AWS Access Key | `AKIA*` | AWS IAM Access Key |
| Private Keys | `-----BEGIN * PRIVATE KEY-----` | RSA/EC/SSH Keys |
## Environment Configuration

- **Copy the example file**
  ```bash
  cp .auto-claude/.env.example .auto-claude/.env
  ```
- **Edit with your values**
  ```bash
  # Use your preferred editor
  nano .auto-claude/.env
  ```
- **Verify the file is ignored**
  ```bash
  git check-ignore .auto-claude/.env
  # Should output: .auto-claude/.env
  ```

See `.auto-claude/.env.example` for the complete list with documentation.
| Variable | Required | Description |
|---|---|---|
| `GITHUB_TOKEN` | Yes | GitHub OAuth or Personal Access Token |
| `GITHUB_API_URL` | No | Custom API URL (for GitHub Enterprise) |
| `GITHUB_REPOSITORY` | No | Repository context (owner/repo format) |
- Never commit `.env` files - they are ignored by `.gitignore`
- Set restrictive permissions: `chmod 600 .auto-claude/.env`
- Don't copy `.env` between environments - create fresh for each
- Use different tokens per environment (dev, staging, prod)
## Incident Response: Exposed Secrets

If you discover an exposed secret, follow these steps immediately:
For GitHub Tokens:
- Go to https://github.com/settings/tokens
- Find and delete the exposed token
- Verify revocation (see below)
For detailed instructions, see: docs/TOKEN_REVOCATION_GUIDE.md
Use the verification script:
```bash
GITHUB_TOKEN="exposed_token_here" ./tools/verify-token-revoked.sh
```
Or manually test:
```bash
curl -H "Authorization: token <TOKEN>" https://api.github.com/user
# Should return 401 Unauthorized if revoked
```

Determine how the secret was exposed:
| Exposure Type | Severity | Action Required |
|---|---|---|
| Local file only | Low | Revoke, cleanup |
| Committed to branch (not pushed) | Medium | Revoke, rewrite history |
| Pushed to remote | High | Revoke, force push, notify team |
| Public repository | Critical | Revoke immediately, audit access |
- Remove from files: Replace with placeholder or redact
- Update `.gitignore`: Ensure file pattern is excluded
- Clean git history (if committed):
  ```bash
  # Option 1: BFG Repo Cleaner
  java -jar bfg.jar --replace-text passwords.txt
  # Option 2: git filter-repo
  git filter-repo --replace-text replacements.txt
  ```
- Document the incident in build-progress.txt
- Identify how the exposure occurred
- Implement additional prevention measures
- Review and update security practices
## Prevention Measures

This project includes pre-commit hooks for secret detection. Set them up:
```bash
# Option A: Using pre-commit framework (recommended)
pip install pre-commit
pre-commit install
# Option B: Standalone bash script
cp tools/pre-commit-secrets.sh .git/hooks/pre-commit
chmod +x .git/hooks/pre-commit
```
For detailed setup instructions, see: `docs/PRECOMMIT_SETUP.md`
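The following is an added illustration of what a standalone secret-detection hook does with the token patterns from the table above; it is not the project's `tools/pre-commit-secrets.sh`. The character classes after each prefix (for example `[A-Za-z0-9]{20,}`) are assumed, chosen to err toward flagging rather than to mirror any official token format.

```bash
#!/usr/bin/env bash
# Added example of a staged-content secret scanner; not the project's
# tools/pre-commit-secrets.sh. Token bodies after each prefix are assumed
# character classes chosen to err toward flagging, not official formats.
set -u

# One "Label:regex" line per row of the token table above.
SECRET_PATTERNS='GitHub PAT:ghp_[A-Za-z0-9]{20,}
GitHub OAuth:gho_[A-Za-z0-9]{20,}
GitHub App User:ghu_[A-Za-z0-9]{20,}
GitHub App Server:ghs_[A-Za-z0-9]{20,}
GitHub Fine-grained:github_pat_[A-Za-z0-9_]{20,}
AWS Access Key:AKIA[0-9A-Z]{16}
Private Key:-----BEGIN [A-Z ]*PRIVATE KEY-----'

# scan_secrets FILE: report the label and line numbers of every match.
# Returns 1 when anything matched (so the hook can block), 0 when clean.
# Only the location is printed, never the matched value itself.
scan_secrets() {
    local file="$1" found=0 label regex lines
    while IFS=: read -r label regex; do
        [ -n "$label" ] || continue
        # -e stops a pattern that starts with "-" being parsed as a grep option
        if grep -qE -e "$regex" "$file"; then
            found=1
            lines=$(grep -nE -e "$regex" "$file" | cut -d: -f1 | tr '\n' ' ')
            echo "$file: possible $label at line(s) $lines"
        fi
    done <<EOF
$SECRET_PATTERNS
EOF
    return "$found"
}

# --staged: scan what is about to be committed. Git runs .git/hooks/pre-commit
# with no arguments, so the installed hook should exec this script with --staged.
if [ "${1:-}" = "--staged" ]; then
    set -- $(git diff --cached --name-only --diff-filter=ACM)
fi
status=0
for f in "$@"; do
    [ -f "$f" ] || continue
    scan_secrets "$f" || status=1
done
[ "$status" -eq 0 ] || { echo "Commit blocked: move the value into .auto-claude/.env (git-ignored) and retry."; exit "$status"; }
```

Run it as `scan-secrets.sh path/to/file` to check a file by hand, or `scan-secrets.sh --staged` from a hook to refuse a commit that stages a match.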
The `.gitignore` file is configured to exclude:
- Environment files (`.env`, `.env.*`)
- Credential files (`*.credentials`, `secrets.json`)
- Private keys (`*.pem`, `*.key`, `id_rsa`)
- Cloud provider credentials
When reviewing pull requests, check for:
- Hardcoded credentials or tokens
- New configuration files that might contain secrets
- Test files with real API keys
- Comments containing sensitive information
Periodically scan the codebase for secrets:
```bash
# Using gitleaks
gitleaks detect --source .
# Using detect-secrets
detect-secrets scan
```

## Security Checklist

- No hardcoded tokens, passwords, or API keys
- `.env` files are NOT being committed
- Test data uses fake/mock credentials
- Pre-commit hooks are installed and passing
- Read this SECURITY.md document
- Copy `.env.example` to `.env` and configure
- Install pre-commit hooks
- Never share tokens via chat or email
- Check for hardcoded secrets
- Verify sensitive files are in `.gitignore`
- Ensure new dependencies don't introduce vulnerabilities
- Review any changes to authentication/authorization code
- Rotate tokens quarterly (or more frequently)
- Review and revoke unused tokens
- Audit git history for accidentally committed secrets
- Update dependencies for security patches
## Reporting Security Issues

If you discover a security vulnerability:
- Do NOT create a public issue
- Document the vulnerability privately
- Contact the maintainers directly
- Allow time for remediation before disclosure
GitHub automatically scans for exposed secrets in public repositories. If you receive a notification:
- Revoke the exposed secret immediately
- Follow the incident response steps above
- Review the commit that triggered the alert
| Document | Description |
|---|---|
| docs/TOKEN_REVOCATION_GUIDE.md | Step-by-step token revocation instructions |
| docs/PRECOMMIT_SETUP.md | Pre-commit hook installation guide |
| .auto-claude/.env.example | Environment configuration template |
| .gitignore | Excluded file patterns |
Document created as part of security remediation task 007.
Last updated: 2026-01-01