Version 1.0.0 will be supported with security updates.
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
Secrets must never be committed to git, even in private repositories:
- Database credentials
- API keys and tokens (GitHub, AWS, Stellar, etc.)
- Private keys and certificates
- Webhook signing keys
- OAuth client secrets
All credentials must be stored in environment variables or secure secret management systems:
- Local development: Use
.envfiles (never commit.env) - CI/CD: Use GitHub Secrets or your CI provider's secret management
- Production: Use a dedicated secret manager (e.g., HashiCorp Vault, AWS Secrets Manager)
Example:
# ❌ WRONG
const apiKey = "sk_test_123abc...";
# ✓ CORRECT
const apiKey = process.env.STELLAR_API_KEY;
if (!apiKey) throw new Error("STELLAR_API_KEY not set");If a secret is accidentally committed:
- Revoke immediately — Invalidate the compromised credential in its issuing service
- Rotate — Generate and deploy a new credential
- Audit — Check logs for unauthorized use during the exposure window
- Communicate — Notify security stakeholders and affected systems
- Remove from history — Use
git filter-repoorBFGto purge from git history (if acceptable for your workflow)
If detect-secrets flags a legitimate value (e.g., a test token), add it to the baseline:
detect-secrets scan > .secrets.baselineThen manually review and commit the updated baseline:
git add .secrets.baseline
git commit -m "chore: update detect-secrets baseline"Scan your working directory for secrets before pushing:
# Install
pip install trufflesecurity
# Scan current branch against main
trufflehog git file://. --only-verified --base main --head HEAD
# Scan a specific directory
trufflehog filesystem . --only-verifiedTo report a security vulnerability, please use the Tidelift security contact. Tidelift will coordinate the fix and disclosure.