CODE SECURITY QUESTIONS (Bus Website System) #176596
Our Bus Website System connects to external APIs for payments and uses a MariaDB database.
Replies: 1 comment
To ensure that API keys, database credentials, and tokens are never exposed in commits or logs, we follow strict secret management and prevention practices:
Use Environment Variables & Secret Managers
Store all sensitive data (API keys, DB passwords, tokens) in environment variables, never hardcoded in the source code.
For deployment, use GitHub Actions Secrets, AWS Secrets Manager, or HashiCorp Vault to store credentials securely.
Developers use a local .env file (ignored by Git) and a public .env.example template for reference.
Prevent Leaks in Git Commits
Add .env, config files, and credential folders to the .gitignore file.
Use pre-commit hooks (like git-secrets or detect-secrets) to block commits containing secret patterns.
Enable GitHub secret scanning and push protection, which automatically scans commits and PRs for exposed secrets.
Protect Secrets in Logs & Frontend
Never print credentials or tokens in console logs or API responses.
Mask secrets in CI/CD logs using GitHub’s built-in *** masking feature.
Do not expose environment variables to the React frontend unless they are safe for public access (prefix with VITE_ or similar).
Incident Response for Leaked Secrets
Immediately revoke or rotate the exposed credentials (e.g., regenerate API keys, change DB passwords).
Purge the secret from Git history using git filter-repo or BFG Repo-Cleaner, then force-push the cleaned history.
Run GitHub Secret Scanning again to verify removal and record the incident for auditing.
Ongoing Monitoring & Education
Schedule regular audits of GitHub repositories for accidental exposures.
Train all developers on proper secret handling and rotation policies.
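As an added illustration of two of the checks the comment above describes, the pre-commit secret-pattern scan and the rule that only VITE_-prefixed variables may reach the React frontend, here is example code written for this page, not the project's own hook; the regexes, the placeholder list and the sample .env content are assumptions.

```python
import re
from typing import NamedTuple

class Finding(NamedTuple):
    line_no: int
    name: str
    reason: str

# Variable names that usually hold credentials.
SENSITIVE_NAME = re.compile(r"(?i)(key|secret|password|passwd|token)")
# AWS access key ids have a fixed, easily recognised shape.
AWS_ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# KEY=value or export KEY="value" lines, as found in .env and shell files.
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*['\"]?([^'\"\s#]*)")
# Values that are fine to commit in a .env.example template (assumed list).
PLACEHOLDERS = {"", "changeme", "xxx", "your-secret-here"}

def is_placeholder(value: str) -> bool:
    v = value.lower()
    return v in PLACEHOLDERS or v.startswith(("<", "${", "your_", "your-"))

def scan_for_secrets(text: str) -> list[Finding]:
    """Return one Finding per line that looks like a real credential."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if AWS_ACCESS_KEY.search(line):
            findings.append(Finding(n, "AKIA...", "AWS access key id pattern"))
            continue
        m = ASSIGNMENT.match(line)
        if m and SENSITIVE_NAME.search(m.group(1)) and not is_placeholder(m.group(2)):
            findings.append(Finding(n, m.group(1), "real-looking value for a sensitive variable"))
    return findings

def exposed_to_frontend(names, prefix: str = "VITE_") -> list[str]:
    """Vite bundles every prefixed variable into the browser build, so a sensitive name with the prefix ships the secret to every visitor."""
    return [n for n in names if n.startswith(prefix) and SENSITIVE_NAME.search(n)]

# Constructed sample .env content, not taken from any real repository.
SAMPLE = """\
DB_HOST=localhost
DB_PASSWORD=changeme
STRIPE_API_KEY="sk_test_constructedvalue123"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
VITE_API_BASE_URL=https://api.example.com
VITE_PAYMENT_TOKEN=tok_constructed456
"""

if __name__ == "__main__":
    for f in scan_for_secrets(SAMPLE):
        print(f"line {f.line_no}: {f.name}: {f.reason}")
```

Wired into a pre-commit hook, a non-empty result from scan_for_secrets on the staged diff would block the commit, while exposed_to_frontend can run over the CI environment's variable names.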