Commit f17bc07
authored
docs: add secrets and credentials management policy to SECURITY.md (#74)
## Summary
Adds a "Secrets and Credentials Policy" section to SECURITY.md covering:
- **Storage**: env vars only, never hardcoded or committed; `.env` in
`.gitignore`
- **Access**: dedicated BookStack API user with minimum permissions;
separate tokens per environment
- **Rotation**: immediate rotation on suspected exposure; periodic
rotation recommended (90 days); revoke old tokens promptly
- **CI/CD**: no manually stored secrets; only `GITHUB_TOKEN`
(auto-provisioned, scoped, short-lived)
- **Incident response**: rotate first, then report privately
Satisfies OSPS-BR-07.02.
## Test plan
- [ ] SECURITY.md renders correctly on GitHub
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Signed-off-by: Paradoxbound <paradoxbound@users.noreply.github.com>
Co-authored-by: Paradoxbound <paradoxbound@users.noreply.github.com>1 parent 006bcaf commit f17bc07
1 file changed
Lines changed: 26 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
9 | 9 | | |
10 | 10 | | |
11 | 11 | | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
12 | 38 | | |
13 | 39 | | |
14 | 40 | | |
| |||
0 commit comments