This document outlines security practices, supported versions, and how to responsibly report security issues related to this repository.
This repository manages:
- Cross-platform dotfiles using chezmoi
- System provisioning with Ansible
- Bootstrap scripts for Windows, macOS, Linux, and WSL
- Secrets handling using Ansible Vault and chezmoi secrets
- Automation for developer tooling, fonts, terminals, and security hardening
Security is a first-class concern across all layers.
Only the main branch is actively supported.
| Version | Supported |
|---|---|
| main | ✅ Yes |
| older commits | ❌ No |
Always pull the latest changes before reporting issues.
This repository never stores secrets in plaintext.
- Ansible Vault
  - Used for provisioning credentials, tokens, and keys
  - Stored under `secrets/ansible-vault/`
- chezmoi secrets
  - Used for dotfile-level secrets
  - Encrypted locally and never committed in plaintext

- ❌ Hardcoded secrets in playbooks or scripts
- ❌ Secrets committed to Git, even temporarily
- ❌ Credentials embedded in CI logs
If a secret is accidentally committed:
- Rotate it immediately
- Remove it from Git history
- Report the incident following the steps below
- TLS required for all remote services where applicable
- WinRM uses HTTPS only
- Certificates must be:
  - RSA 2048-bit or higher
  - Valid SAN entries
  - Automatically rotated where supported
Weak or deprecated algorithms are intentionally avoided.
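The certificate rules above can be checked mechanically before a certificate is deployed to WinRM or another TLS endpoint. The script below is an added example, not code from this repository: it reads a PEM certificate with the `openssl` CLI (assumed to be 1.1.1 or newer and on `PATH`) and fails if the key is not RSA of at least 2048 bits, if no SAN entry is present, or if the certificate expires within a 30-day window that automatic rotation should already have handled. The function name and the 30-day threshold are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not part of the repository): checks a PEM certificate against
# the stated policy: RSA 2048-bit or higher, SAN entries present, and a
# remaining validity long enough that rotation is not already overdue.
# Assumes the openssl CLI (1.1.1+) is installed.
set -euo pipefail
PATH=/usr/bin:/bin:/usr/local/bin

MIN_RSA_BITS=2048          # policy: RSA 2048-bit or higher
ROTATE_WARN_SECS=2592000   # assumed threshold: flag certs expiring within 30 days

# check_cert_policy <cert.pem>
# Prints one "ok:" or "fail:" line per check; returns 0 only if all checks pass.
check_cert_policy() {
  local cert="$1" text bits san status=0
  [ -r "$cert" ] || { echo "fail: cannot read $cert" >&2; return 2; }
  text=$(openssl x509 -in "$cert" -noout -text)

  # 1. Key algorithm must be RSA (the policy is written in terms of RSA sizes).
  case "$text" in
    *"Public Key Algorithm: rsaEncryption"*) echo "ok: key algorithm is RSA" ;;
    *) echo "fail: key algorithm is not RSA"; status=1 ;;
  esac

  # 2. Key size: the text dump carries a line such as "Public-Key: (2048 bit)".
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p')
  if [ -n "$bits" ] && [ "$bits" -ge "$MIN_RSA_BITS" ]; then
    echo "ok: key size $bits >= $MIN_RSA_BITS"
  else
    echo "fail: key size ${bits:-unknown} below $MIN_RSA_BITS"; status=1
  fi

  # 3. SAN must exist and carry at least one DNS or IP entry. The entries sit
  #    on the line after the "X509v3 Subject Alternative Name:" header.
  san=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' || true)
  case "$san" in
    *DNS:*|*"IP Address:"*) echo "ok: SAN entries present" ;;
    *) echo "fail: no SAN entries"; status=1 ;;
  esac

  # 4. Rotation: a certificate already inside the warning window should have
  #    been replaced by the automatic rotation the policy calls for.
  if openssl x509 -in "$cert" -noout -checkend "$ROTATE_WARN_SECS" >/dev/null; then
    echo "ok: more than $((ROTATE_WARN_SECS / 86400)) days of validity left"
  else
    echo "fail: expires within $((ROTATE_WARN_SECS / 86400)) days, rotate now"; status=1
  fi

  return "$status"
}

# Usage: ./check_cert.sh path/to/cert.pem
if [ -n "${1:-}" ]; then
  check_cert_policy "$1"
fi
```

Each check prints its own line so a CI job can show exactly which rule a certificate violates; the non-zero exit status lets the same script gate a pipeline step.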
- CI pipelines must run without interactive secrets
- Secrets are injected via secure environment variables only
- All scripts are designed to be:
  - Idempotent
  - Non-destructive
  - Safe to re-run
This repository assumes:
- Machines may be rebuilt frequently
- Local machines may be compromised
- Configuration must be reproducible and auditable
- Secrets must remain protected even if dotfiles are public
Design choices prioritize least privilege, defense in depth, and zero trust by default.
If you discover a security issue, do not open a public issue. Instead:

- Send a private report via email or GitHub Security Advisory
- Include:
  - Description of the issue
  - Affected files or modules
  - Steps to reproduce (if safe)
  - Potential impact
You will receive an acknowledgment within 48 hours.
Once a report is received:
- Issue is triaged and validated
- A fix is developed privately
- Patch is released to `main`
- Advisory is published if appropriate
Responsible disclosure is appreciated.
- Run `ansible-lint` before submitting changes
- Avoid `shell` tasks unless absolutely required
- Prefer native Ansible modules
- Never log secrets
- Validate user input in scripts
- Use explicit paths and strict modes in shell scripts
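The rules for scripts (idempotent, non-destructive, safe to re-run) and the contributor guidelines (never log secrets, validate user input, explicit paths and strict modes) are easier to follow with a concrete shape in front of you. The helper below is an added example, not the repository's own bootstrap code: it links a dotfile into a directory under strict mode with an explicit `PATH`, rejects file names that could escape the target directory, leaves an already-correct symlink alone, backs up rather than overwrites an existing file, and redacts the values of named environment variables (the way CI injects secrets) before a line is logged. The function names and the `.bak-<timestamp>` suffix are this example's choices.

```shell
#!/usr/bin/env bash
# Added example (not the repository's own code): a dotfile-linking helper
# written to the contributor rules: strict mode, explicit PATH, validated
# input, idempotent and non-destructive behaviour, and no secrets in logs.
set -euo pipefail
PATH=/usr/bin:/bin:/usr/local/bin
umask 077   # anything this script creates is private by default

# validate_name <name>: accept a plain file name only. Empty names, "." and
# "..", anything containing a slash, and characters outside [A-Za-z0-9._-]
# are rejected so caller-supplied input cannot escape the target directory.
validate_name() {
  case "$1" in
    ''|.|..|*/*|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# redact <line> <var>...: replace the values of the named environment
# variables in <line> with [REDACTED] before it is logged, so a token that CI
# injected through the environment never reaches the log output.
redact() {
  local line="$1" var val
  shift
  for var in "$@"; do
    val="${!var:-}"
    if [ -n "$val" ]; then line="${line//"$val"/[REDACTED]}"; fi
  done
  printf '%s\n' "$line"
}

# link_dotfile <source_file> <dest_dir> <name>
# Idempotent: a symlink already pointing at <source_file> is left alone and
# "unchanged" is printed. Non-destructive: an existing file at the destination
# is moved to <name>.bak-<timestamp> instead of being overwritten.
# Returns 1 on invalid input, 0 after "created" or "unchanged".
link_dotfile() {
  local src="$1" dir="$2" name="$3" dest
  validate_name "$name" || { echo "refusing unsafe name: $name" >&2; return 1; }
  [ -f "$src" ] || { echo "missing source file: $src" >&2; return 1; }
  [ -d "$dir" ] || { echo "missing destination dir: $dir" >&2; return 1; }
  dest="$dir/$name"
  if [ -L "$dest" ] && [ "$(readlink "$dest")" = "$src" ]; then
    echo unchanged
    return 0
  fi
  if [ -e "$dest" ] || [ -L "$dest" ]; then
    mv "$dest" "$dest.bak-$(date +%Y%m%dT%H%M%S)"
    echo "backed up existing $dest" >&2
  fi
  ln -s "$src" "$dest"
  echo created
}

# Usage: ./link_dotfile.sh <source_file> <dest_dir> <name>
if [ "$#" -eq 3 ]; then
  link_dotfile "$1" "$2" "$3"
fi
```

Running the helper twice with the same arguments produces the same state and prints `unchanged` the second time, which is the property that makes a bootstrap script safe to re-run on a machine that is rebuilt frequently.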
- [Ansible Security Guide](https://docs.ansible.com/ansible/latest/security.html)
- [chezmoi Security Model](https://www.chezmoi.io/user-guide/security/)
- [OWASP Secure Coding Practices](https://owasp.org/www-project-secure-coding-practices/)
This security policy is provided under the MIT License and applies only to this repository.