aitbc/config/security/secret-validation.yaml
oib f353e00172 chore(security): enhance environment configuration, CI workflows, and wallet daemon with security improvements
- Restructure .env.example with security-focused documentation, service-specific environment file references, and AWS Secrets Manager integration
- Update CLI tests workflow to single Python 3.13 version, add pytest-mock dependency, and consolidate test execution with coverage
- Add comprehensive security validation to package publishing workflow with manual approval gates, secret scanning, and release
2026-03-03 10:33:46 +01:00


---
# Secret validation rules.
#
# Declares, per service, which environment variables must be supplied via a
# secret reference rather than a literal value, plus string patterns that must
# not appear in configuration files and a set of boolean/numeric policy knobs.
# Each `required_secrets` entry has three fields:
#   pattern    - the environment variable name being governed
#   secret_ref - the secret-store reference the value must come from
#   validation - a pattern the resolved value is expected to satisfy
# NOTE(review): the `validation` and forbidden entries look like regular
# expressions (`^...$`, `.*`), but the matching mode (regex vs. substring,
# case sensitivity) is decided by the consumer of this file — confirm there.

production_secrets:
  coordinator:
    required_secrets:
      # Connection string must point at PostgreSQL (prefix check only).
      - pattern: 'DATABASE_URL'
        secret_ref: 'db-credentials'
        validation: 'postgresql://'
      # API keys: alphanumeric, at least 32 characters (matches min_key_length).
      - pattern: 'ADMIN_API_KEY'
        secret_ref: 'api-keys:admin'
        validation: '^[a-zA-Z0-9]{32,}$'
      - pattern: 'CLIENT_API_KEY'
        secret_ref: 'api-keys:client'
        validation: '^[a-zA-Z0-9]{32,}$'
      # Symmetric key material: exactly 64 hex characters (32 bytes).
      - pattern: 'ENCRYPTION_KEY'
        secret_ref: 'security-keys:encryption'
        validation: '^[a-fA-F0-9]{64}$'
      - pattern: 'HMAC_SECRET'
        secret_ref: 'security-keys:hmac'
        validation: '^[a-fA-F0-9]{64}$'
      - pattern: 'JWT_SECRET'
        secret_ref: 'security-keys:jwt'
        validation: '^[a-fA-F0-9]{64}$'
      # Third-party credentials: prefix checks only.
      - pattern: 'OPENAI_API_KEY'
        secret_ref: 'external-services:openai'
        validation: '^sk-'
      - pattern: 'SENTRY_DSN'
        secret_ref: 'monitoring:sentry'
        validation: '^https://'
  wallet_daemon:
    required_secrets:
      - pattern: 'COORDINATOR_API_KEY'
        secret_ref: 'api-keys:coordinator'
        validation: '^[a-zA-Z0-9]{32,}$'

# Patterns that must never appear in any configuration, in any environment
# (placeholder values and inline credential assignments).
forbidden_patterns:
  - 'your-.*-key-here'
  - 'change-this-.*'
  - 'password='
  - 'secret_key='
  - 'api_secret='

# Patterns that must never appear in production configuration.
# NOTE(review): if these are regexes, the unescaped dots in '127.0.0.1' match
# any character and 'debug.*true' is case-sensitive as written — confirm the
# consumer's matching mode before relying on either.
production_forbidden_patterns:
  - 'localhost'
  - '127.0.0.1'
  - 'sqlite://'
  - 'debug.*true'

# Policy knobs read by the validator.
validation_rules:
  # Minimum security requirements for key material.
  min_key_length: 32
  require_complexity: true
  no_default_values: true
  no_localhost_in_prod: true
  # Database security.
  require_ssl_database: true
  forbid_sqlite_in_prod: true
  # API security.
  require_https_urls: true
  validate_api_key_format: true