Skip to content

Commit 80737de

Browse files
committed
docs: add SECURITY.md with GitHub API security and token management
1 parent d9c619b commit 80737de

1 file changed

Lines changed: 121 additions & 0 deletions

File tree

SECURITY.md

Lines changed: 121 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,121 @@
1+
# Security Policy
2+
3+
## Reporting Security Vulnerabilities
4+
5+
**DO NOT** open a public GitHub issue for security vulnerabilities. Instead, please report them responsibly to:
6+
7+
**Email:** security@rethunk.tech
8+
**Response SLA:** We aim to respond to security reports within 24 hours.
9+
10+
When reporting a vulnerability, please include:
11+
- Description of the vulnerability
12+
- Affected component(s) and version(s)
13+
- Steps to reproduce (if applicable)
14+
- Potential impact
15+
- Suggested fix (optional)
16+
17+
## Scope & Risk Profile
18+
19+
`rethunk-github-mcp` is an MCP server that exposes GitHub API operations to LLMs. It has elevated security implications due to API access and batch operations.
20+
21+
### GitHub API Authentication
22+
- **Critical:** Server authenticates with GitHub via personal access token or app credentials
23+
- Tokens must never be embedded in code or logs
24+
- Environment variables (GITHUB_TOKEN) require protection
25+
- Token scopes should be limited to minimum required operations
26+
27+
### API Rate Limiting & Abuse Risk
28+
- **High:** MCP tools batch multiple API calls; potential for rapid rate limit exhaustion
29+
- Tools like `repo_status` and `ecosystem_activity` can execute 10-50+ API calls per invocation
30+
- Implement rate-limit detection and backoff in client code
31+
- Monitor for unusual token usage patterns
32+
33+
### Data Exposure Risk
34+
- **Medium:** Sensitive repo/org data (private repo names, CI logs, secret patterns in code) could be exposed
35+
- All tool outputs should be treated as potentially sensitive
36+
- Do not expose in logs or error messages
37+
- Validate all inputs to prevent API injection attacks
38+
39+
### Cross-Org / Multi-Repo Access
40+
- **High:** Tools operate across multiple repos and orgs if configured
41+
- Ensure token scopes do not exceed intended access
42+
- Validate repo access before returning sensitive data
43+
- Be mindful of PR labels, commit messages, CI logs that may contain secrets
44+
45+
## Security Practices
46+
47+
### Token Management
48+
- Use GitHub Personal Access Tokens (PAT) or App credentials
49+
- Never commit tokens; use environment variables only
50+
- Rotate tokens regularly
51+
- Use minimal scopes (e.g., `repo:read` for read-only tools)
52+
- Monitor token usage via GitHub's audit log
53+
54+
### API Call Safety
55+
- Validate all input parameters (repo names, branch names, etc.)
56+
- Implement exponential backoff for rate limit 429 responses
57+
- Set timeouts on API calls to prevent hanging
58+
- Log API calls (without exposing tokens) for audit trails
59+
60+
### Output Validation
61+
- Do not expose raw GitHub API responses without review
62+
- Sanitize error messages (don't expose token leakage)
63+
- Be mindful of CI logs, commit messages that may contain secrets
64+
- Trim log output if suspiciously long
65+
66+
### Dependency Management
67+
- Keep `octokit` and related GitHub API packages up-to-date
68+
- Run `bun audit` regularly; address high/critical vulnerabilities
69+
- Review major version updates for API contract changes
70+
71+
## Supported Versions
72+
73+
Latest release only.
74+
75+
| Version | Supported |
76+
|---------|-----------|
77+
| 1.0.x | ✅ Yes |
78+
| < 1.0 | ⚠️ Limited|
79+
80+
## Known Vulnerabilities
81+
82+
None currently known. Reports are welcome via security@rethunk.tech.
83+
84+
## Third-Party Security
85+
86+
### GitHub API
87+
- Octokit SDK is official GitHub SDK; generally secure but monitor updates
88+
- Review GitHub API changelog for breaking changes and security fixes
89+
- Be aware of GitHub's own abuse prevention and rate limiting
90+
91+
### Dependencies
92+
- Bun runtime: keep updated for security patches
93+
- octokit/rest, octokit/graphql: official libraries, monitor for updates
94+
- TypeScript: type safety helps prevent runtime issues
95+
96+
## Testing & Validation
97+
98+
- Test tools with read-only tokens before production deployment
99+
- Validate rate limit handling with heavy multi-repo queries
100+
- Test error handling with invalid repos/tokens
101+
- Do not test against production tokens; use a test token with limited access
102+
103+
## Incident Response
104+
105+
If a security vulnerability is discovered:
106+
107+
1. **Report immediately** to security@rethunk.tech (do not disclose publicly)
108+
2. **Include reproduction steps** and affected version(s)
109+
3. **Allow 24-48 hours** for initial response and triage
110+
4. **Coordinate disclosure** timeline if patch is required
111+
5. **Credit will be given** to the reporter (if desired)
112+
113+
## Contact
114+
115+
- **Security Issues:** security@rethunk.tech
116+
- **General Support:** support@rethunk.tech
117+
- **Website:** https://rethunk.tech
118+
119+
---
120+
121+
**Last updated:** 2026-04-27

0 commit comments

Comments
 (0)