Skip to content

Latest commit

 

History

History
142 lines (111 loc) · 3.3 KB

SECURITY_GUIDELINES.md

File metadata and controls

142 lines (111 loc) · 3.3 KB

Security Guidelines for SafeBreach MCP

🚨 Critical: Never Commit Secrets

What NOT to commit:

  • Real API tokens, keys, or passwords
  • Database connection strings with credentials
  • SSH private keys
  • AWS access keys
  • JWT tokens
  • Bearer tokens
  • Any production credentials
  • Internal environment names (e.g., specific console names, internal hostnames)
  • Private development environment files

Safe Placeholder Patterns:

  • your-token-here
  • REPLACE_WITH_ACTUAL_TOKEN
  • <your-api-key>
  • ${API_TOKEN}
  • [TOKEN_PLACEHOLDER]
  • demo-console, prod-console, console-a (for environment names)
  • your-hostname, example-server (for internal systems)

Pre-commit Setup

Install pre-commit hooks to automatically detect secrets:

# Install pre-commit
pip install pre-commit

# Install hooks
pre-commit install

# Test hooks
pre-commit run --all-files

Environment Variables

✅ DO:

# Use environment variables
export SAFEBREACH_API_TOKEN="actual-token"

# Use .env files (but don't commit them)
echo "API_TOKEN=real-token" >> .env

# Use template files
cp .env.template .env
# Edit .env with real values

❌ DON'T:

# DON'T hardcode in source
API_TOKEN = "2OJBRQBdICUDLNg8pVYlOG_-8SlBlzNvCYoh8kGEQso"

# DON'T put in documentation
"Authorization": "Bearer real-token-here"

Documentation Best Practices

Configuration Examples:

{
  "mcpServers": {
    "safebreach": {
      "command": "npx",
      "args": [
        "mcp-remote", 
        "http://server:port/sse",
        "--headers",
        "{\"Authorization\": \"Bearer ${SAFEBREACH_TOKEN}\"}"
      ]
    }
  }
}

Use Variables in Examples:

  • ${TOKEN} for shell examples
  • your-token-here for JSON examples
  • <TOKEN> for XML/HTML examples
  • Always include instructions to replace placeholders

Incident Response

If secrets are accidentally committed:

  1. IMMEDIATE: Revoke the exposed credentials
  2. ASAP: Generate new credentials
  3. Remove from git: git filter-branch or BFG Repo-Cleaner
  4. Force push: Update remote history
  5. Notify team: Alert all developers
  6. Monitor: Check for unauthorized access

Tools for Secret Detection

  • GitLeaks: Detect secrets in git repos
  • detect-secrets: Pre-commit hook for secret detection
  • GitGuardian: Real-time secret scanning
  • TruffleHog: Find secrets in git history
  • git-secrets: AWS git secrets scanner

Code Review Checklist

Before merging any PR:

  • No hardcoded credentials
  • Environment variables used properly
  • Documentation uses placeholders only
  • .env files not committed
  • Pre-commit hooks passing
  • Secret detection tools run clean

Regular Security Audits

Monthly:

  • Rotate API tokens
  • Review git history for secrets
  • Update .gitignore patterns
  • Test pre-commit hooks

Quarterly:

  • Security training for team
  • Review access permissions
  • Update security tools
  • Audit authentication logs

Emergency Contacts

If you discover exposed secrets:

  1. Revoke immediately in the source system
  2. Contact security team: security@company.com
  3. File incident report: Include timeline and impact
  4. Update affected systems: Deploy new credentials

Remember: Prevention is better than remediation. When in doubt, ask the security team!