From fd0069036b3d31ba0eb72f3064de6264abf53b66 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 21 Feb 2026 05:29:59 +0000
Subject: [PATCH 1/3] Initial plan
From d1b0669dd3da95cafc0269c632350b1241cdd3ac Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 21 Feb 2026 05:32:40 +0000
Subject: [PATCH 2/3] Add Makefile with security checks and update documentation
Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>
---
 Makefile | 257 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 POLICY.md | 169 +++++++++++++++++++++++++++++++++++
 README.md | 35 ++++++++
 3 files changed, 461 insertions(+)
 create mode 100644 Makefile
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..3c669aa
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,257 @@
+# BUIP Repository Makefile
+# This Makefile provides targets for common development tasks, security checks, and repository management
+
+.PHONY: help install lint validate security clean all test apply-rulesets check-secrets
+
+# Default target - show help
+help:
+ @echo "BUIP Repository Makefile"
+ @echo "======================="
+ @echo ""
+ @echo "Available targets:"
+ @echo " help - Show this help message"
+ @echo " install - Install all dependencies (Node.js, Python)"
+ @echo " lint - Lint markdown files"
+ @echo " validate - Validate repository structure"
+ @echo " check-secrets - Scan for accidentally committed secrets and sensitive data"
+ @echo " security - Run all security checks"
+ @echo " test - Run all validation and security tests"
+ @echo " all - Run install, lint, validate, and security"
+ @echo " clean - Clean temporary files and caches"
+ @echo " apply-rulesets - Display instructions for applying GitHub rulesets"
+ @echo ""
+ @echo "Security targets:"
+ @echo " check-keys - Check for private keys in repository"
+ @echo " check-tokens - Check for API tokens and secrets"
+ @echo " check-emails - Check for email addresses that might be sensitive"
+ @echo " check-perms - Check file permissions"
+ @echo ""
+ @echo "Documentation:"
+ @echo " See README.md for usage information"
+ @echo " See POLICY.md for contribution guidelines and security policies"
+ @echo " See .github/IMPLEMENTATION_GUIDE.md for workflow and ruleset setup"
+
+# Install dependencies
+install:
+ @echo "Installing dependencies..."
+ @if [ -f "package.json" ]; then \
+ echo "Installing Node.js dependencies..."; \
+ npm install; \
+ else \
+ echo "No package.json found, skipping Node.js dependencies"; \
+ fi
+ @if [ -f "requirements.txt" ]; then \
+ echo "Installing Python dependencies..."; \
+ pip install -r requirements.txt; \
+ else \
+ echo "No requirements.txt found, skipping Python dependencies"; \
+ fi
+ @echo "✓ Installation complete"
+
+# Lint markdown files
+lint:
+ @echo "Linting markdown files..."
+ @command -v markdownlint >/dev/null 2>&1 || { \
+ echo "Installing markdownlint-cli..."; \
+ npm install -g markdownlint-cli; \
+ }
+ @markdownlint '**/*.md' --ignore node_modules --ignore .git || true
+ @echo "✓ Markdown linting complete"
+
+# Validate repository structure
+validate:
+ @echo "Validating repository structure..."
+ @echo ""
+ @echo "Checking for required files..."
+ @test -f README.md && echo "✓ README.md exists" || echo "⚠ WARNING: README.md not found"
+ @test -f LICENSE && echo "✓ LICENSE exists" || echo "⚠ WARNING: LICENSE not found"
+ @test -f PRIVACY.md && echo "✓ PRIVACY.md exists" || echo "⚠ WARNING: PRIVACY.md not found"
+ @test -f POLICY.md && echo "✓ POLICY.md exists" || echo "⚠ WARNING: POLICY.md not found"
+ @test -f .gitignore && echo "✓ .gitignore exists" || echo "⚠ WARNING: .gitignore not found"
+ @test -f Makefile && echo "✓ Makefile exists" || echo "⚠ WARNING: Makefile not found"
+ @echo ""
+ @echo "Counting BUIP files..."
+ @buip_count=$$(ls -1 [0-9][0-9][0-9].md 2>/dev/null | wc -l); \
+ echo "Found $$buip_count BUIP files"
+ @echo ""
+ @echo "Checking GitHub configuration..."
+ @test -d .github/workflows && echo "✓ GitHub workflows directory exists" || echo "⚠ WARNING: .github/workflows not found"
+ @test -d .github/rulesets && echo "✓ GitHub rulesets directory exists" || echo "⚠ WARNING: .github/rulesets not found"
+ @echo ""
+ @echo "✓ Repository structure validation complete"
+
+# Check for private keys (CRITICAL - will fail if found)
+check-keys:
+ @echo "Checking for private keys..."
+ @if grep -rE "BEGIN.*PRIVATE KEY" --include="*.md" --include="*.txt" --include="*.key" --include="*.pem" . 2>/dev/null | grep -v ".github/security-patterns.yml"; then \
+ echo "❌ ERROR: Private key found in repository!"; \
+ echo "Private keys should NEVER be committed to version control."; \
+ echo "Please remove the private key immediately and rotate it."; \
+ exit 1; \
+ else \
+ echo "✓ No private keys found"; \
+ fi
+
+# Check for API tokens and secrets
+check-tokens:
+ @echo "Checking for API tokens and secrets..."
+ @findings=0; \
+ if grep -rE 'gh[ps]_[a-zA-Z0-9]{36}' --include="*.md" --include="*.txt" --include="*.yml" --include="*.yaml" --include="*.json" . 2>/dev/null | grep -v ".github/security-patterns.yml"; then \
+ echo "❌ ERROR: GitHub token detected!"; \
+ findings=$$((findings + 1)); \
+ fi; \
+ if grep -rE '(api[_-]?key|token|password|secret)["\s:=]+[a-zA-Z0-9_-]{20,}' --include="*.md" --include="*.txt" --include="*.yml" --include="*.yaml" . 2>/dev/null | grep -v ".github/security-patterns.yml" | grep -v "Makefile"; then \
+ echo "⚠ WARNING: Potential secrets found - please review"; \
+ findings=$$((findings + 1)); \
+ fi; \
+ if [ $$findings -eq 0 ]; then \
+ echo "✓ No obvious tokens or secrets found"; \
+ else \
+ echo "Found $$findings potential security issues - please review"; \
+ fi
+
+# Check for email addresses that might be sensitive
+check-emails:
+ @echo "Checking for email addresses..."
+ @if grep -rEh '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}' --include="*.md" . 2>/dev/null | \
+ grep -v -E '(example\.(com|org|net)|github\.com|bitcoinunlimited\.(info|net|org)|bitco\.in|noreply\.github\.com)' | head -5; then \
+ echo "⚠ WARNING: Email addresses found - verify they should be public"; \
+ else \
+ echo "✓ No concerning email addresses found"; \
+ fi
+
+# Check file permissions
+check-perms:
+ @echo "Checking file permissions..."
+ @echo ""
+ @echo "Checking for executable files..."
+ @executable_files=$$(find . -type f -executable -not -path "./.git/*" -not -path "./node_modules/*" 2>/dev/null || true); \
+ if [ -n "$$executable_files" ]; then \
+ echo "⚠ WARNING: Executable files found:"; \
+ echo "$$executable_files"; \
+ else \
+ echo "✓ No unexpected executable files found"; \
+ fi
+ @echo ""
+ @echo "Checking for world-writable files..."
+ @unusual_perms=$$(find . -type f \( -perm -002 -o -perm -020 \) -not -path "./.git/*" 2>/dev/null || true); \
+ if [ -n "$$unusual_perms" ]; then \
+ echo "⚠ WARNING: Files with unusual permissions found:"; \
+ echo "$$unusual_perms"; \
+ else \
+ echo "✓ File permissions look good"; \
+ fi
+
+# Scan for accidentally committed secrets (comprehensive check)
+check-secrets: check-keys check-tokens
+ @echo ""
+ @echo "Additional security checks..."
+ @echo ""
+ @echo "Checking .gitignore coverage..."
+ @if [ -f ".gitignore" ]; then \
+ echo "✓ .gitignore file exists"; \
+ echo "Verifying key patterns are in .gitignore:"; \
+ grep -q "*.key" .gitignore && echo " ✓ *.key pattern found" || echo " ⚠ *.key pattern not found"; \
+ grep -q "*.pem" .gitignore && echo " ✓ *.pem pattern found" || echo " ⚠ *.pem pattern not found"; \
+ grep -q ".env" .gitignore && echo " ✓ .env pattern found" || echo " ⚠ .env pattern not found"; \
+ grep -q "secret" .gitignore && echo " ✓ secret pattern found" || echo " ⚠ secret pattern not found"; \
+ else \
+ echo "❌ ERROR: .gitignore file not found!"; \
+ fi
+ @echo ""
+ @echo "Checking for sensitive file extensions..."
+ @sensitive_files=$$(find . -type f \( -name "*.key" -o -name "*.pem" -o -name "*.p12" -o -name "*.pfx" -o -name ".env" -o -name "wallet.dat" \) -not -path "./.git/*" 2>/dev/null || true); \
+ if [ -n "$$sensitive_files" ]; then \
+ echo "❌ ERROR: Sensitive files found in repository:"; \
+ echo "$$sensitive_files"; \
+ echo "These files should be removed and added to .gitignore!"; \
+ exit 1; \
+ else \
+ echo "✓ No sensitive file types found"; \
+ fi
+ @echo ""
+ @echo "✓ Secret scanning complete"
+
+# Run all security checks
+security: check-secrets check-emails check-perms
+ @echo ""
+ @echo "═══════════════════════════════════════"
+ @echo "Security scan complete!"
+ @echo "═══════════════════════════════════════"
+ @echo ""
+ @echo "Remember:"
+ @echo " • Never commit private keys or credentials"
+ @echo " • Use environment variables for sensitive config"
+ @echo " • Review .gitignore regularly"
+ @echo " • Enable GitHub secret scanning"
+ @echo " • See POLICY.md for security guidelines"
+
+# Run all tests
+test: lint validate security
+ @echo ""
+ @echo "═══════════════════════════════════════"
+ @echo "All tests complete!"
+ @echo "═══════════════════════════════════════"
+
+# Run everything
+all: install lint validate security
+ @echo ""
+ @echo "═══════════════════════════════════════"
+ @echo "All tasks complete!"
+ @echo "═══════════════════════════════════════"
+
+# Clean temporary files
+clean:
+ @echo "Cleaning temporary files..."
+ @rm -rf node_modules 2>/dev/null || true
+ @rm -rf .cache 2>/dev/null || true
+ @rm -rf __pycache__ 2>/dev/null || true
+ @rm -rf *.pyc 2>/dev/null || true
+ @rm -rf .pytest_cache 2>/dev/null || true
+ @rm -rf .tox 2>/dev/null || true
+ @rm -rf dist 2>/dev/null || true
+ @rm -rf build 2>/dev/null || true
+ @rm -rf *.egg-info 2>/dev/null || true
+ @find . -name ".DS_Store" -delete 2>/dev/null || true
+ @find . -name "Thumbs.db" -delete 2>/dev/null || true
+ @find . -name "*.tmp" -delete 2>/dev/null || true
+ @echo "✓ Cleanup complete"
+
+# Display instructions for applying GitHub rulesets
+apply-rulesets:
+ @echo "GitHub Rulesets Application Instructions"
+ @echo "========================================"
+ @echo ""
+ @echo "This repository includes pre-configured rulesets for enhanced security:"
+ @echo ""
+ @echo "1. Main Branch Protection (.github/rulesets/main-branch-protection.json)"
+ @echo " - Requires pull request reviews"
+ @echo " - Requires status checks to pass"
+ @echo " - Prevents force pushes and requires linear history"
+ @echo " - Requires commit signatures"
+ @echo ""
+ @echo "2. Tag Protection (.github/rulesets/tag-protection.json)"
+ @echo " - Protects version tags (v*)"
+ @echo " - Protects release tags (release-*)"
+ @echo " - Prevents unauthorized tag modifications"
+ @echo ""
+ @echo "To apply these rulesets:"
+ @echo ""
+ @echo "Option A - GitHub Web Interface (Recommended):"
+ @echo " 1. Go to: Settings → Rules → Rulesets"
+ @echo " 2. Click: New ruleset"
+ @echo " 3. Follow the configuration in .github/rulesets/README.md"
+ @echo ""
+ @echo "Option B - GitHub CLI:"
+ @echo " gh api repos/\$${OWNER}/\$${REPO}/rulesets --method POST --input .github/rulesets/main-branch-protection.json"
+ @echo " gh api repos/\$${OWNER}/\$${REPO}/rulesets --method POST --input .github/rulesets/tag-protection.json"
+ @echo ""
+ @echo "For detailed instructions, see:"
+ @echo " • .github/rulesets/README.md"
+ @echo " • .github/IMPLEMENTATION_GUIDE.md"
+ @echo ""
+ @echo "Security best practices:"
+ @echo " • Review rulesets before applying"
+ @echo " • Test on a non-production branch first"
+ @echo " • Ensure CI/CD workflows are configured"
+ @echo " • Communicate changes to contributors"
diff --git a/POLICY.md b/POLICY.md
index 7b2e6f8..0efcdfa 100644
--- a/POLICY.md
+++ b/POLICY.md
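Review bot: `check-tokens` prints `❌ ERROR: GitHub token detected!` but never exits non-zero — only `check-keys` and the sensitive-file `find` in `check-secrets` carry an `exit 1` — so the `make check-secrets || exit 1` pre-commit hook the policy recommends, and `make security`, still succeed when a token is found. In the closing `if [ $$findings -eq 0 ]` the else arm should become `echo "Found $$findings potential security issues - please review"; exit 1;`, and the `echo "❌ ERROR: .gitignore file not found!"` branch needs the same `exit 1` if it is meant to be an error. Separately, `lint` runs an unpinned `npm install -g markdownlint-cli` and `install` runs bare `npm install` / `pip install -r`, so every fresh run pulls whatever the registry serves that day; pin the linter version (`npm install -g markdownlint-cli@<version>`) and prefer `npm ci` when a lockfile is present. The recursive greps in `check-keys`/`check-tokens` also have no `--exclude-dir=node_modules`, so after `make install` the token scan walks the whole dependency tree.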
@@ -142,6 +142,175 @@ Security updates apply to: - Referenced implementations - Repository infrastructure +### Key Management and Sensitive Data Protection + +**CRITICAL: Never commit sensitive data to the repository** + +#### Protected Information Types + +The following types of information must **NEVER** be committed to the repository: + +1. **Private Keys and Credentials** + - Private cryptographic keys (RSA, ECDSA, Ed25519, etc.) + - SSH private keys + - Bitcoin or cryptocurrency wallet private keys + - PGP/GPG private keys + - SSL/TLS private certificates + +2. **API Keys and Tokens** + - GitHub personal access tokens + - API keys for any service + - OAuth tokens + - Access tokens + - Secret keys + +3. **Passwords and Authentication** + - Hardcoded passwords + - Database credentials + - Service account credentials + - Authentication tokens + +4. **Configuration Files with Secrets** + - `.env` files with real credentials + - `config` files with production secrets + - Cloud provider credential files + - Service account JSON files + +#### Safe Practices for Sensitive Data + +1. **Use Environment Variables** + ```bash + # Good: Use environment variables + export API_KEY="your-secret-key" + + # Bad: Hardcode in files + API_KEY="your-secret-key" # NEVER DO THIS + ``` + +2. **Use .gitignore Properly** + - The repository includes a comprehensive `.gitignore` file + - Review it regularly to ensure all sensitive patterns are covered + - Test with `git status` before committing + +3. **Use Example/Template Files** + ```bash + # Commit templates, not actual secrets + .env.example # ✓ Commit this + .env # ✗ Never commit this + config.sample # ✓ Commit this + config.local # ✗ Never commit this + ``` + +4. 
**Automated Security Scanning** + + Use the provided Makefile for security checks: + + ```bash + # Check for accidentally committed secrets before pushing + make check-secrets + + # Check for private keys (will fail if found) + make check-keys + + # Check for API tokens + make check-tokens + + # Run all security checks + make security + ``` + +5. **GitHub Secret Scanning** + - Enable GitHub's secret scanning in repository settings + - Enable push protection to prevent accidental commits + - Review and remediate any detected secrets immediately + +6. **If You Accidentally Commit a Secret** + + **IMMEDIATE ACTIONS REQUIRED:** + + a. **Rotate the Secret Immediately** + - Revoke the exposed key/token/password + - Generate a new one + - Update all systems using the old secret + + b. **Remove from Git History** + ```bash + # Use git-filter-repo (recommended) or BFG Repo-Cleaner + # DO NOT use git filter-branch (deprecated) + + # Example with git-filter-repo: + git filter-repo --path-glob '*secret*' --invert-paths + ``` + + c. **Force Push** (coordinate with team first) + ```bash + git push --force-with-lease + ``` + + d. **Notify Security Team** + - Contact maintainers immediately + - Document the incident + - Review access logs if applicable + +#### Pre-commit Security Checks + +Before committing any code, run: + +```bash +# Quick security check +make check-secrets + +# Full validation +make test +``` + +Consider setting up a git pre-commit hook: + +```bash +# Create .git/hooks/pre-commit +#!/bin/bash +make check-secrets || exit 1 +``` + +#### Repository Rulesets for Security + +The repository includes GitHub rulesets that enforce security best practices: + +1. **Main Branch Protection** (`.github/rulesets/main-branch-protection.json`) + - Requires pull request reviews + - Requires all status checks (including security scans) to pass + - Prevents force pushes + - Requires signed commits (recommended) + +2. 
**Tag Protection** (`.github/rulesets/tag-protection.json`) + - Protects version tags from unauthorized changes + - Prevents tag deletion + +To apply these rulesets, see: +- `.github/rulesets/README.md` for detailed instructions +- `.github/IMPLEMENTATION_GUIDE.md` for step-by-step setup +- Or run: `make apply-rulesets` for quick instructions + +#### Security Scanning in CI/CD + +The repository's GitHub Actions workflows automatically: +- Scan for secrets in markdown and documentation files +- Check for private keys +- Validate file permissions +- Review dependencies for vulnerabilities +- Check for large or unusual files + +See `.github/workflows/security.yml` for details. + +#### Training and Awareness + +All contributors should: +- Understand what constitutes sensitive data +- Know how to use environment variables and secret management +- Use the security tools provided (Makefile, workflows) +- Report security concerns immediately +- Never share credentials via chat, email, or comments + ## Branch Protection ### Main Branch Protection diff --git a/README.md b/README.md index 7cd576b..f7250e9 100644 --- a/README.md +++ b/README.md 
@@ -8,6 +8,41 @@ documentation.
 - 🔧 [Workflows](.github/workflows/README.md) - Automated CI/CD with self-hosted runners
 - 🛡️ [Security](.github/IMPLEMENTATION_GUIDE.md) - Repository protection and rulesets
+## Development Tools
+
+This repository includes a `Makefile` for common development tasks and security checks:
+
+```bash
+# Show all available commands
+make help
+
+# Validate repository structure
+make validate
+
+# Run markdown linting
+make lint
+
+# Check for accidentally committed secrets and sensitive data
+make check-secrets
+
+# Run all security checks
+make security
+
+# Run all tests (lint, validate, security)
+make test
+
+# Run everything (install dependencies, lint, validate, security)
+make all
+```
+
+**Key Security Features:**
+- 🔍 Automated scanning for private keys, API tokens, and secrets
+- 🛡️ File permission checks
+- ✅ .gitignore validation for sensitive file patterns
+- 📧 Email address detection and review
+
+For more details, run `make help` or see the [Security Policy](POLICY.md#security-policy).
+
 ## Submitting a BUIP
 To submit a BUIP please post your proposal at
From abf911aa549f6bd0c437fcd0c83a694e62c29bca Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 21 Feb 2026 05:34:11 +0000
Subject: [PATCH 3/3] Address code review feedback - improve security patterns and examples
Co-authored-by: Kushmanmb <193178375+Kushmanmb@users.noreply.github.com>
---
 Makefile | 4 ++--
 POLICY.md | 8 +++++---
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/Makefile b/Makefile
index 3c669aa..f666ae3 100644
--- a/Makefile
+++ b/Makefile
@@ -96,11 +96,11 @@ check-keys:
 check-tokens:
 @echo "Checking for API tokens and secrets..."
 @findings=0; \
- if grep -rE 'gh[ps]_[a-zA-Z0-9]{36}' --include="*.md" --include="*.txt" --include="*.yml" --include="*.yaml" --include="*.json" . 2>/dev/null | grep -v ".github/security-patterns.yml"; then \
+ if grep -rE 'gh[ps]_[a-zA-Z0-9]{36,}' --include="*.md" --include="*.txt" --include="*.yml" --include="*.yaml" --include="*.json" . 2>/dev/null | grep -v ".github/security-patterns.yml"; then \
 echo "❌ ERROR: GitHub token detected!"; \
 findings=$$((findings + 1)); \
 fi; \
- if grep -rE '(api[_-]?key|token|password|secret)["\s:=]+[a-zA-Z0-9_-]{20,}' --include="*.md" --include="*.txt" --include="*.yml" --include="*.yaml" . 2>/dev/null | grep -v ".github/security-patterns.yml" | grep -v "Makefile"; then \
+ if grep -rE '(api[_-]?key|token|password|secret)["\s:=]+[a-zA-Z0-9_-]{20,}' --include="*.md" --include="*.txt" --include="*.yml" --include="*.yaml" . 2>/dev/null | grep -v ".github/security-patterns.yml" | grep -v "POLICY.md"; then \
 echo "⚠ WARNING: Potential secrets found - please review"; \
 findings=$$((findings + 1)); \
 fi; \
diff --git a/POLICY.md b/POLICY.md
index 0efcdfa..8762f66 100644
--- a/POLICY.md
+++ b/POLICY.md
@@ -180,11 +180,13 @@ The following types of information must **NEVER** be committed to the repository
 
 1. **Use Environment Variables**
 ```bash
- # Good: Use environment variables
- export API_KEY="your-secret-key"
+ # Good: Load from a secure source
+ export API_KEY=$(cat ~/.secrets/api_key)
+ # Or use a secure environment manager
+ source ~/.env.secure
 
 # Bad: Hardcode in files
- API_KEY="your-secret-key" # NEVER DO THIS
+ API_KEY="sk-1234567890abcdef" # NEVER DO THIS
 ```
 
 2. **Use .gitignore Properly**
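Review bot: The generic secret pattern on the changed `+ if grep -rE '(api[_-]?key|token|password|secret)["\s:=]+[a-zA-Z0-9_-]{20,}'` line is case-sensitive and, because `\s` inside a POSIX bracket expression matches a literal backslash or the letter `s` rather than whitespace, it misses the common spellings `API_KEY=…`, `TOKEN=…` and `password: …`; use `grep -riE '(api[_-]?key|token|password|secret)["[:space:]:=]+[A-Za-z0-9_-]{20,}'` so upper-case names and a space after the separator are actually caught. Swapping the exclusion to `grep -v "POLICY.md"` mutes the whole policy document by path, so a real credential pasted into it later would never be reported; filtering only the documented placeholders (e.g. `grep -v 'sk-1234567890abcdef'`) or a small allowlist file keeps the examples quiet without blinding the scan. The `gh[ps]_` prefix on the first pattern also covers only two token prefixes; widening it to something like `gh[opsur]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,}` is worth confirming against the current GitHub token formats. The `check-tokens` recipe continues past the end of this hunk, and its exit status is decided there.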