hllywluis/kekbot.js
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
06ac40a6d7d2b0f32fcaa98744e70e9ba7041868
kekbot.js/SECURITY.md
T
hllywluis 9c74e724a8 Initial commit
2025-02-02 14:10:51 -05:00

5.1 KiB
Raw Blame History

Security Policy and Best Practices

Credential Management

Current Security Measures

  • Environment variables for sensitive credentials (Discord token, API keys)
  • Git pre-commit hooks to prevent credential exposure
  • .gitignore rules for sensitive files
  • Test environment using mock credentials

Cleaning Git History of Credentials

If you need to remove sensitive data from git history, follow these steps carefully:

Prerequisites

  1. Install git-filter-repo:
# macOS
brew install git-filter-repo

# Linux
pip3 install git-filter-repo

# Windows
pip install git-filter-repo
  1. Create a backup of your repository:
cp -r your-repo your-repo-backup

Cleaning Process

  1. Prepare Your Repository
# Change to your repository directory
cd your-repo

# Create a fresh clone (recommended for cleaning)
git clone --mirror git@github.com:username/your-repo.git repo-mirror
cd repo-mirror
  1. Create a Pattern File Create a file named patterns.txt containing patterns of credentials to remove:
# Discord tokens (common patterns)
['"](N[a-zA-Z0-9]{23}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_-]{27})['"]
# API keys
['"](sk-[a-zA-Z0-9]{48}|pk-[a-zA-Z0-9]{48})['"]
# Generic tokens/keys
['"]([a-zA-Z0-9_-]{32,64})['"]
# Add more patterns as needed
  1. Clean the Repository
# Remove files containing credentials
git filter-repo --invert-paths --paths-from-file patterns.txt

# Clean all refs
git reflog expire --expire=now --all
git gc --prune=now --aggressive
  1. Verify the Cleaning
# Check for any remaining credentials
git log -p | grep -i -f patterns.txt
  1. Update Remote Repository
# Force push all branches
git push origin --force --all

# Force push all tags
git push origin --force --tags
  1. Update All Local Clones For each local clone of the repository:
# In each local clone
git fetch origin
git reset --hard origin/main  # or your default branch

Important Notes

  • This process is irreversible and rewrites git history
  • All collaborators must re-clone the repository after cleaning
  • Immediately revoke and rotate any exposed credentials
  • Old credentials may still exist in:
    • GitHub Actions logs
    • Issue comments
    • Pull request descriptions
    • Cached views on GitHub
    • Other users' local clones

Setting Up Environment Variables

  1. Create a .env file in the project root (this file is automatically ignored by git)
  2. Add your credentials using this format:
DISCORD_TOKEN=your_discord_token_here
OPENROUTER_API_KEY=your_openrouter_api_key_here
  1. Never commit the .env file to version control

Development Guidelines

DO

  • Use environment variables for all sensitive data
  • Keep the .env file secure and local to your development environment
  • Use mock/fake data for tests
  • Review code for credential exposure before committing
  • Use the pre-commit hook to catch potential credential leaks

DON'T

  • Hardcode credentials in source code
  • Commit .env files to version control
  • Share credentials through insecure channels
  • Disable the pre-commit hook
  • Log sensitive information

Secure Credential Storage

For production environments:

  1. Use a secrets management service or secure environment variable storage
  2. Rotate credentials regularly
  3. Use the principle of least privilege
  4. Monitor for unauthorized access
  5. Keep backup copies of credentials in a secure location

What to Do If Credentials Are Exposed

If credentials are accidentally committed:

  1. Immediately invalidate and rotate the exposed credentials
  2. Use tools like git-filter-repo to remove the credentials from git history
  3. Force push the cleaned history
  4. Notify relevant team members/security personnel
  5. Review access logs for potential unauthorized use

Pre-commit Hook

The project includes a pre-commit hook that scans for potential credentials. The hook:

  • Checks staged files for common credential patterns
  • Excludes test files and dependencies
  • Provides clear error messages if potential credentials are found

To bypass the hook in exceptional cases (NOT RECOMMENDED):

git commit --no-verify

Continuous Integration

For CI/CD pipelines:

  1. Use secure environment variables in CI configuration
  2. Never display environment variables in build logs
  3. Rotate CI/CD credentials regularly
  4. Limit CI/CD service permissions to only what's necessary

Security Checks

Regular security maintenance:

  1. Update dependencies regularly
  2. Run security audits (npm audit)
  3. Review access logs
  4. Verify environment variable usage
  5. Check git history for any exposed credentials

Reporting Security Issues

If you discover a security vulnerability:

  1. Do NOT open a public issue
  2. Contact the maintainers directly
  3. Provide detailed information about the vulnerability
  4. Allow time for the issue to be addressed before public disclosure

Additional Resources

Reference in New Issue View Git Blame Copy Permalink