Skip to content

Commit 76beda0

Browse files
authored
Merge pull request #88 from OWASP/ai-findings-autofix/docs-SECURITY.md
Potential fixes for 2 code quality findings
2 parents 92371a8 + 0f8175c commit 76beda0

1 file changed

Lines changed: 13 additions & 5 deletions

File tree

docs/SECURITY.md

Lines changed: 13 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -53,18 +53,26 @@ We will make every effort to respond to your report according to the following t
5353

5454
### API Key Security
5555

56-
DockSec uses OpenAI API keys for AI-powered analysis. To keep your keys secure:
56+
DockSec supports multiple LLM providers (including OpenAI, Anthropic, Google, and Ollama). To keep your provider credentials secure:
5757

5858
1. **Never commit API keys** to version control
5959
```bash
6060
# Use environment variables
61-
export OPENAI_API_KEY="your-key-here"
61+
export OPENAI_API_KEY="your-openai-key"
62+
export ANTHROPIC_API_KEY="your-anthropic-key"
63+
export GOOGLE_API_KEY="your-google-key"
64+
export OLLAMA_API_KEY="your-ollama-key"
6265

6366
# Or use a .env file (ensure it's in .gitignore)
64-
echo "OPENAI_API_KEY=your-key-here" > .env
67+
cat <<EOF > .env
68+
OPENAI_API_KEY=your-openai-key
69+
ANTHROPIC_API_KEY=your-anthropic-key
70+
GOOGLE_API_KEY=your-google-key
71+
OLLAMA_API_KEY=your-ollama-key
72+
EOF
6573
```
6674
67-
2. **Restrict API key permissions** in your OpenAI dashboard
75+
2. **Restrict API key permissions** in each provider dashboard
6876
3. **Rotate keys regularly**, especially if they may have been exposed
6977
4. **Monitor API usage** for unexpected activity
7078
@@ -99,7 +107,7 @@ Ensure your network security policies allow these connections if needed.
99107
100108
### 1. AI Model Limitations
101109
102-
- DockSec uses OpenAI's GPT-4 for analysis
110+
- DockSec supports multiple LLM providers for AI analysis (including OpenAI when configured)
103111
- AI recommendations should be reviewed by security professionals
104112
- AI models can make mistakes or miss vulnerabilities
105113
- Always combine AI analysis with traditional scanning tools

0 commit comments

Comments
 (0)