This document outlines security best practices for the Adati project.
The following files should NEVER be committed to the repository:
- `key.properties` - Android signing configuration
- `*.jks`, `*.keystore` - Android keystore files
- `local.properties` - Local Android SDK paths
- `*.p12`, `*.pem` - Certificates and private keys
- `*.mobileprovision` - iOS provisioning profiles
- Any file containing passwords, API keys, or tokens
These files are already listed in .gitignore and .gitattributes for additional protection.
To verify no sensitive files are tracked in git:

```bash
git ls-files | grep -iE "(env|key|secret|password|token|credential)"
```

This should return nothing. If it returns files, remove them immediately:

```bash
git rm --cached <file>
git commit -m "Remove sensitive file"
```

Note that this only stops tracking the file going forward. If the file has already been pushed, it is still in the repository history: follow the steps for accidentally committed sensitive information below and rotate the affected credentials.

- Never commit your keystore file (`.jks` or `.keystore`)
- Never commit `key.properties` with real values
- Store keystore files in a secure, backed-up location
- Use `key.properties.example` as a template only
See android/SIGNING.md for detailed signing setup instructions.
- Review before committing: Always review `git status` and `git diff` before committing
- Never hardcode secrets: Keep passwords, API keys, and tokens out of source code
- Rotate credentials: If any secret is exposed, rotate it immediately
- Use `.gitattributes`: Additional protection layer (already configured)
- Regular audits: Periodically check for accidentally committed secrets
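The verification command above and the regular-audit recommendation can be combined into a script that runs over `git ls-files` for an audit or over `git diff --cached --name-only` from a pre-commit hook. This is an added example, not part of the Adati repository: the file patterns are the ones listed in this document, and treating `key.properties.example` as safe to commit is an assumption based on its role as a template.

```shell
#!/bin/sh
# Added example (not from the Adati repository): flag paths that match the
# "never commit" list in this policy, plus the keyword regex from the
# `git ls-files | grep` check. Feed it `git ls-files` for an audit, or
# `git diff --cached --name-only` from a pre-commit hook.

# Exit 0 if path $1 is sensitive, 1 otherwise. Matching uses the basename, so
# nested paths such as android/key.properties are caught.
is_sensitive_path() {
    name=${1##*/}
    case "$name" in
        key.properties|local.properties) return 0 ;;   # Android signing / SDK paths
        *.jks|*.keystore) return 0 ;;                   # Android keystores
        *.p12|*.pem) return 0 ;;                        # certificates and private keys
        *.mobileprovision) return 0 ;;                  # iOS provisioning profiles
    esac
    # Assumption: the documented template is meant to be committed, so it is
    # excluded from the keyword heuristic that would otherwise flag "key".
    [ "$name" = "key.properties.example" ] && return 1
    # Same keyword heuristic as the verification command in this policy.
    printf '%s\n' "$1" | grep -qiE '(env|key|secret|password|token|credential)'
}

# Read one path per line on stdin, report each sensitive one on stderr,
# and exit 1 if any was found (so a hook or CI job fails).
check_paths() {
    found=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if is_sensitive_path "$path"; then
            printf 'sensitive file must not be committed: %s\n' "$path" >&2
            found=1
        fi
    done
    return "$found"
}

# Stand-alone run over a constructed file list (no git repository needed).
constructed_list='lib/main.dart
android/key.properties.example
android/app/release.jks
.env
README.md'

if printf '%s\n' "$constructed_list" | check_paths; then
    echo "no sensitive files found"
else
    echo "review the paths above before committing"
fi
```

Because the keyword regex is deliberately broad, a match is a prompt for review rather than proof of a leak; the exact-name and suffix patterns, by contrast, should never match a committed file.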
If you accidentally commit sensitive information:

- Immediately rotate the exposed credentials
- Remove from git history using:

  ```bash
  git filter-branch --force --index-filter \
    "git rm --cached --ignore-unmatch <file>" \
    --prune-empty --tag-name-filter cat -- --all
  ```

  Or use BFG Repo-Cleaner
- Force push (coordinate with team first):

  ```bash
  git push origin --force --all
  ```

- Notify team members to re-clone the repository
If you discover a security vulnerability, please DO NOT open a public issue. Instead:
- Email the maintainer directly
- Or create a private security advisory on GitHub
We will respond promptly and work with you to resolve the issue.