
Source: ebisu/SECURITY.md

Security Guidelines for Ebisu

Critical Security Rules

1. NEVER USE SECRETS IN CODE OR SCRIPTS

  • NO hardcoded passwords, API keys, or tokens in any files
  • NO real credentials in examples or documentation
  • NO secrets in Git history

2. Environment Variables

All sensitive configuration must use environment variables:

# Good ✅
export POSTGRES_PASSWORD="${POSTGRES_PASSWORD}"
DATABASE_URL="postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB}"

# Bad ❌
export POSTGRES_PASSWORD="ebisu_password"
DATABASE_URL="postgresql://ebisu_user:ebisu_password@localhost:5433/ebisu"

3. Local Development Setup

  1. Copy .env.example to .env:

    cp .env.example .env
  2. Update .env with your actual values:

    # Edit .env and set secure passwords
    POSTGRES_PASSWORD=your_secure_password_here
  3. Source environment before running scripts:

    source .env
    docker-compose up -d

4. Docker Security

Docker Compose uses environment variables:

  • The ${POSTGRES_USER:-default} format provides defaults for development only
  • Production deployments MUST override all defaults
  • Never commit .env files to Git

5. Import Scripts

All import scripts must:

  • Use environment variables for credentials
  • Never log sensitive information
  • Validate inputs to prevent injection
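The rules in sections 2 to 5 combined into one script, as an added example that is not part of Ebisu's own code: it assembles DATABASE_URL from the same variables the project uses, aborts if a required one is unset, rejects a database name that is not a plain identifier before interpolating it, and prints only a redacted URL when logging. The function names `valid_db_name`, `build_database_url` and `redact_url`, the identifier-only policy for POSTGRES_DB and the localhost/5432 development defaults for host and port are assumptions of this example; the `${VAR:-default}` pattern itself is the one section 4 describes.

```shell
#!/bin/sh
# Added example, not part of the Ebisu project. Assumes POSIX sh.

# Rejects anything but a plain identifier as the database name (a policy
# assumed for this example), so a value taken from the environment cannot
# smuggle extra URL components, quotes or separators into the connection URL.
valid_db_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Assembles DATABASE_URL from the same variables the project uses.
# ${VAR:?msg} makes the shell abort with msg when VAR is unset or empty, so a
# missing secret never silently becomes an empty password. Host and port use
# the ${VAR:-default} development defaults; user, password and database never
# do. printf does not percent-encode, so a password containing URL-reserved
# characters must be encoded before it is placed in the URL.
build_database_url() {
    valid_db_name "${POSTGRES_DB:-}" || { echo "invalid POSTGRES_DB" >&2; return 1; }
    printf 'postgresql://%s:%s@%s:%s/%s\n' \
        "${POSTGRES_USER:?POSTGRES_USER is not set}" \
        "${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is not set}" \
        "${POSTGRES_HOST:-localhost}" \
        "${POSTGRES_PORT:-5432}" \
        "$POSTGRES_DB"
}

# Replaces the password in a scheme://user:password@host... URL with ***
# so the URL can be logged. Uses only parameter expansion, no external tools.
redact_url() {
    rest=${1#*://}             # user:password@host:port/db
    userinfo=${rest%%@*}       # user:password
    printf '%s://%s:***@%s\n' "${1%%://*}" "${userinfo%%:*}" "${rest#*@}"
}

# Demo in a subshell with constructed placeholder values (not real credentials).
(
    export POSTGRES_USER=ebisu_user POSTGRES_PASSWORD=placeholder_not_a_secret POSTGRES_DB=ebisu
    url=$(build_database_url) || exit 1
    echo "connecting to $(redact_url "$url")"   # the password never reaches the log
)
```

Because `${VAR:?}` terminates a non-interactive shell, call `build_database_url` inside `$(...)` or a subshell as the demo does; the caller then sees a non-zero status instead of a half-built URL, which is the behaviour you want in an import script that would otherwise connect with an empty password.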

6. Git Security

Add to .gitignore:

.env
.env.*
!.env.example
*.pem
*.key
*.cert

7. Code Review Checklist

Before approving any PR:

  • No hardcoded credentials
  • No sensitive data in logs
  • Environment variables used correctly
  • .env files not committed
  • Examples use placeholder values
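A reviewer-side check for the first, fourth and fifth items of this list, as an added example that is not Ebisu project code: `disallowed_path` applies the same patterns as the .gitignore entries in section 6, `scan_file_for_secrets` flags a credential-looking name assigned a literal value while tolerating placeholder values, and `review_changes` runs both over a list of changed paths. All three names, the placeholder words it tolerates and the constructed sample files in the demo are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Ebisu project. Assumes POSIX sh and grep -E.

# Returns 0 (true) when the path matches a pattern the .gitignore rules say
# must never be committed: .env, .env.*, *.pem, *.key, *.cert.
# .env.example is the one allowed exception.
disallowed_path() {
    name=${1##*/}    # basename, without forking a process
    case "$name" in
        .env.example) return 1 ;;
        .env|.env.*|*.pem|*.key|*.cert) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints every line that assigns a literal value (not a ${VAR} reference) to
# a credential-looking name. Values that look like placeholders are tolerated
# so .env.example and documentation pass. Returns 0 if a finding was printed,
# 1 if the file is clean. Heuristic only: it complements, not replaces, a
# dedicated secret scanner.
scan_file_for_secrets() {
    pat="(PASSWORD|SECRET|TOKEN|API_KEY)[A-Z_]*[[:space:]]*=[[:space:]]*[\"']?[^\$\"'[:space:]]"
    grep -nE "$pat" "$1" | grep -vE '(your_|CHANGE_ME|<[^>]+>|placeholder|example)'
}

# Runs both checks over a list of changed paths; returns 1 if anything must
# block the PR.
review_changes() {
    status=0
    for path in "$@"; do
        if disallowed_path "$path"; then
            echo "BLOCK: $path must not be committed" >&2
            status=1
        elif [ -f "$path" ] && scan_file_for_secrets "$path"; then
            echo "BLOCK: literal credential in $path (matches printed above)" >&2
            status=1
        fi
    done
    return $status
}

# Demo over constructed files (placeholder values, not real credentials).
demo=$(mktemp -d)
printf 'export POSTGRES_PASSWORD="${POSTGRES_PASSWORD}"\n' > "$demo/good.sh"
printf 'export POSTGRES_PASSWORD="ebisu_password"\n' > "$demo/bad.sh"
printf 'POSTGRES_PASSWORD=your_secure_password_here\n' > "$demo/.env.example"
if review_changes "$demo/good.sh" "$demo/bad.sh" "$demo/.env.example" "deploy/.env"; then
    echo "review: clean"
else
    echo "review: blocked"
fi
rm -rf "$demo"
```

Wired into a pre-commit hook or CI job, `review_changes $(git diff --cached --name-only)` gives the same answer before the PR is opened that a reviewer would reach from this checklist; the "Good"/"Bad" pairs in section 2 are exactly what the literal-value regex distinguishes.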

8. Production Deployment

  • Use secret management systems (AWS Secrets Manager, Vault, etc.)
  • Rotate credentials regularly
  • Use least-privilege database users
  • Enable SSL/TLS for all connections
  • Audit access logs regularly

Incident Response

If credentials are exposed:

  1. Rotate all affected credentials immediately
  2. Audit logs for unauthorized access
  3. Remove secrets from Git history using BFG Repo-Cleaner (rewriting history does not undo the exposure of clones already made, which is why rotation in step 1 comes first)
  4. Notify security team
  5. Document incident and lessons learned