hllywluis/kekbot.js
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5bc0d983347a9a6b51f6bd85942e96fffc973938
kekbot.js/SECURITY.md
T
hllywluis 9c74e724a8 Initial commit
2025-02-02 14:10:51 -05:00

209 lines
5.1 KiB
Markdown
Raw Blame History

# Security Policy and Best Practices
## Credential Management
### Current Security Measures
- Environment variables for sensitive credentials (Discord token, API keys)
- Git pre-commit hooks to prevent credential exposure
- .gitignore rules for sensitive files
- Test environment using mock credentials
### Cleaning Git History of Credentials
If you need to remove sensitive data from git history, follow these steps carefully:
#### Prerequisites
1. Install git-filter-repo:
```bash
# macOS
brew install git-filter-repo
# Linux
pip3 install git-filter-repo
# Windows
pip install git-filter-repo
```
2. Create a backup of your repository:
```bash
cp -r your-repo your-repo-backup
```
#### Cleaning Process
1. **Prepare Your Repository**
```bash
# Change to your repository directory
cd your-repo
# Create a fresh clone (recommended for cleaning)
git clone --mirror git@github.com:username/your-repo.git repo-mirror
cd repo-mirror
```
2. **Create a Pattern File**
Create a file named `patterns.txt` containing patterns of credentials to remove:
```
# Discord tokens (common patterns)
['"](N[a-zA-Z0-9]{23}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_-]{27})['"]
# API keys
['"](sk-[a-zA-Z0-9]{48}|pk-[a-zA-Z0-9]{48})['"]
# Generic tokens/keys
['"]([a-zA-Z0-9_-]{32,64})['"]
# Add more patterns as needed
```
3. **Clean the Repository**
```bash
# Remove files containing credentials
git filter-repo --invert-paths --paths-from-file patterns.txt
# Clean all refs
git reflog expire --expire=now --all
git gc --prune=now --aggressive
```
4. **Verify the Cleaning**
```bash
# Check for any remaining credentials
git log -p | grep -i -f patterns.txt
```
5. **Update Remote Repository**
```bash
# Force push all branches
git push origin --force --all
# Force push all tags
git push origin --force --tags
```
6. **Update All Local Clones**
For each local clone of the repository:
```bash
# In each local clone
git fetch origin
git reset --hard origin/main # or your default branch
```
#### Important Notes
- This process is irreversible and rewrites git history
- All collaborators must re-clone the repository after cleaning
- Immediately revoke and rotate any exposed credentials
- Old credentials may still exist in:
- GitHub Actions logs
- Issue comments
- Pull request descriptions
- Cached views on GitHub
- Other users' local clones
### Setting Up Environment Variables
1. Create a `.env` file in the project root (this file is automatically ignored by git)
2. Add your credentials using this format:
```
DISCORD_TOKEN=your_discord_token_here
OPENROUTER_API_KEY=your_openrouter_api_key_here
```
3. Never commit the `.env` file to version control
### Development Guidelines
#### DO
- Use environment variables for all sensitive data
- Keep the `.env` file secure and local to your development environment
- Use mock/fake data for tests
- Review code for credential exposure before committing
- Use the pre-commit hook to catch potential credential leaks
#### DON'T
- Hardcode credentials in source code
- Commit `.env` files to version control
- Share credentials through insecure channels
- Disable the pre-commit hook
- Log sensitive information
### Secure Credential Storage
For production environments:
1. Use a secrets management service or secure environment variable storage
2. Rotate credentials regularly
3. Use the principle of least privilege
4. Monitor for unauthorized access
5. Keep backup copies of credentials in a secure location
### What to Do If Credentials Are Exposed
If credentials are accidentally committed:
1. Immediately invalidate and rotate the exposed credentials
2. Use tools like `git-filter-repo` to remove the credentials from git history
3. Force push the cleaned history
4. Notify relevant team members/security personnel
5. Review access logs for potential unauthorized use
### Pre-commit Hook
The project includes a pre-commit hook that scans for potential credentials. The hook:
- Checks staged files for common credential patterns
- Excludes test files and dependencies
- Provides clear error messages if potential credentials are found
To bypass the hook in exceptional cases (NOT RECOMMENDED):
```bash
git commit --no-verify
```
### Continuous Integration
For CI/CD pipelines:
1. Use secure environment variables in CI configuration
2. Never display environment variables in build logs
3. Rotate CI/CD credentials regularly
4. Limit CI/CD service permissions to only what's necessary
### Security Checks
Regular security maintenance:
1. Update dependencies regularly
2. Run security audits (`npm audit`)
3. Review access logs
4. Verify environment variable usage
5. Check git history for any exposed credentials
### Reporting Security Issues
If you discover a security vulnerability:
1. Do NOT open a public issue
2. Contact the maintainers directly
3. Provide detailed information about the vulnerability
4. Allow time for the issue to be addressed before public disclosure
## Additional Resources
- [Node.js Security Best Practices](https://nodejs.org/en/security/)
- [OWASP Secure Coding Practices](https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/)
- [Discord Bot Security](https://discord.com/developers/docs/topics/security)
Reference in New Issue View Git Blame Copy Permalink