Skip to content

Commit f17bc07

Browse files
authored
docs: add secrets and credentials management policy to SECURITY.md (#74)
## Summary Adds a "Secrets and Credentials Policy" section to SECURITY.md covering: - **Storage**: env vars only, never hardcoded or committed; `.env` in `.gitignore` - **Access**: dedicated BookStack API user with minimum permissions; separate tokens per environment - **Rotation**: immediate rotation on suspected exposure; periodic rotation recommended (90 days); revoke old tokens promptly - **CI/CD**: no manually stored secrets; only `GITHUB_TOKEN` (auto-provisioned, scoped, short-lived) - **Incident response**: rotate first, then report privately Satisfies OSPS-BR-07.02. ## Test plan - [ ] SECURITY.md renders correctly on GitHub 🤖 Generated with [Claude Code](https://claude.com/claude-code) Signed-off-by: Paradoxbound <paradoxbound@users.noreply.github.com> Co-authored-by: Paradoxbound <paradoxbound@users.noreply.github.com>
1 parent 006bcaf commit f17bc07

1 file changed

Lines changed: 26 additions & 0 deletions

File tree

SECURITY.md

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,32 @@ Only the latest release is actively maintained with security updates.
99
| 2.6.x | yes |
1010
| < 2.6 | no |
1111

12+
## Secrets and Credentials Policy
13+
14+
### Operator credentials (BOOKSTACK_TOKEN_ID / BOOKSTACK_TOKEN_SECRET)
15+
16+
**Storage:**
17+
- Pass credentials via environment variables only — never hardcode them in source files or configuration checked into version control
18+
- For Docker: use `-e` flags or a secrets manager; never bake tokens into the image
19+
- For local use: store in a `.env` file excluded from git via `.gitignore`; never commit `.env`
20+
21+
**Access:**
22+
- Create a dedicated BookStack API user with the minimum permissions required (read-only unless write operations are needed)
23+
- Do not share tokens across environments (development, staging, production should each have their own token)
24+
25+
**Rotation:**
26+
- Rotate tokens immediately if exposure is suspected
27+
- Rotate tokens periodically as part of routine security hygiene (recommended: every 90 days)
28+
- Revoke old tokens promptly after rotation via BookStack Settings → Users → API Tokens
29+
30+
### CI/CD secrets
31+
32+
This project uses no manually stored CI/CD secrets. The only secret in the pipeline is `GITHUB_TOKEN`, which is auto-provisioned by GitHub Actions for each workflow run with scoped, short-lived credentials, and is automatically revoked when the run completes.
33+
34+
### Reporting exposed credentials
35+
36+
If you discover that credentials have been accidentally committed or exposed, rotate them immediately, then report the incident privately using the process in the [Reporting a Vulnerability](#reporting-a-vulnerability) section below.
37+
1238
## Security Assessment
1339

1440
This section documents the most likely and impactful security risks for this project.

0 commit comments

Comments
 (0)