This repository was archived by the owner on Apr 17, 2026. It is now read-only.

Security: sodal-project/github-package

SECURITY.md

Security Best Practices for Handling Secrets

Overview

This document outlines best practices for handling sensitive information such as API keys, private keys, and other secrets in the GitHub Package project.

Never Store Secrets in Documentation or Code

  • NEVER include actual secrets, private keys, or credentials in:

    • Documentation files (README.md, setup guides, etc.)
    • Source code files
    • Comments
    • Example files
  • Always use placeholders in documentation, such as:

    GITHUB_APP_ID=your_app_id
    GITHUB_PRIVATE_KEY=your_private_key_content
    GITHUB_INSTALLATION_ID=your_installation_id
    

Environment Variables Best Practices

  1. Use .env files for local development

    • Store secrets in .env files for local development
    • Ensure .env files are listed in .gitignore (they are in this project)
    • Consider using .env.example with placeholders as a template
  2. Format multi-line secrets properly

    • When storing multi-line secrets like private keys in .env files, replace newlines with \n:
    GITHUB_PRIVATE_KEY=-----BEGIN RSA PRIVATE KEY-----\nMIIEpQIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----
    
  3. Rotate secrets regularly

    • Rotate GitHub tokens and other credentials periodically
    • Update environment variables after rotation

Deployment Security

  1. Use environment variables in production

    • Set environment variables directly in your deployment platform
    • Use secrets management services when available:
      • Google Cloud Secret Manager
      • AWS Secrets Manager
      • Azure Key Vault
  2. Use service accounts when possible

    • Prefer service accounts over personal credentials
    • Limit permissions to only what's needed
  3. Secure CI/CD pipelines

    • Use encrypted secrets in CI/CD pipelines
    • Never log or expose secrets during builds

Handling Private Keys

  1. Store private key files securely

    • Keep private key files outside the project directory
    • Use absolute paths to reference them
    • Consider using a secrets manager
  2. Format private keys correctly

    • When using private keys in environment variables, ensure proper formatting:
      • Replace all newlines with \n
      • Include the BEGIN and END lines
      • Example:
        GITHUB_PRIVATE_KEY=-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----
    
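The \n convention above has to be reversed when the application loads the key. As an added example (not code from the github-package project), this Node.js helper restores real newlines, checks that the BEGIN and END lines are present, and describes the key for logs without printing any key material; the function names and the constructed sample value are assumptions made for this example.

```javascript
const PEM_BEGIN = "-----BEGIN RSA PRIVATE KEY-----";
const PEM_END = "-----END RSA PRIVATE KEY-----";

// Restore a multi-line PEM from the single-line .env form (literal "\n").
// Real newlines are accepted too, since some platforms inject them directly.
function normalizePrivateKey(raw) {
  if (typeof raw !== "string" || raw.trim() === "") {
    throw new Error("GITHUB_PRIVATE_KEY is not set");
  }
  let pem = raw.replace(/\\n/g, "\n").trim();
  // Strip one pair of surrounding quotes, which some .env loaders leave in place.
  if (/^(["']).*\1$/s.test(pem)) pem = pem.slice(1, -1).trim();
  const lines = pem.split("\n").map((line) => line.trim());
  if (lines[0] !== PEM_BEGIN || lines[lines.length - 1] !== PEM_END) {
    throw new Error("GITHUB_PRIVATE_KEY must include the BEGIN and END lines");
  }
  if (lines.length < 3) throw new Error("GITHUB_PRIVATE_KEY has an empty body");
  return lines.join("\n") + "\n";
}

// Read the key from the environment; `env` is injectable so it can be tested
// without touching process.env (hypothetical helper, not the project's API).
function loadPrivateKey(env = process.env) {
  return normalizePrivateKey(env.GITHUB_PRIVATE_KEY);
}

// Safe to log: only structural facts about the key, never its contents.
function describePrivateKey(pem) {
  const body = pem.split("\n").filter((l) => l && !l.startsWith("-----"));
  const chars = body.reduce((n, l) => n + l.length, 0);
  return `PEM key with ${body.length} body lines (${chars} base64 chars)`;
}

// Constructed sample in .env form; the body is placeholder text, not a real key.
const SAMPLE_ENV_VALUE =
  "-----BEGIN RSA PRIVATE KEY-----\\nMIIEpQIBAAKCAQEAexample\\nplaceholderbody\\n-----END RSA PRIVATE KEY-----";

// Demonstration: load the constructed value and log only the safe summary.
const demoKey = loadPrivateKey({ GITHUB_PRIVATE_KEY: SAMPLE_ENV_VALUE });
console.log(describePrivateKey(demoKey)); // never console.log(demoKey) itself
```

The same loader works unchanged when a deployment platform injects the key with real newlines, so one code path serves both local .env files and production secrets managers.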

Detecting and Responding to Exposed Secrets

  1. Monitor for exposed secrets

    • Use tools like GitGuardian or GitHub secret scanning
    • Regularly audit code and documentation
  2. If secrets are exposed:

    • Immediately revoke and rotate the exposed credentials
    • Remove the secret from the repository history if possible
    • Document the incident and improve processes

Additional Resources