Skip to content

Commit 7e90567

Browse files
prsh5175prsh5175
committed
Security: Protect EC3 API key from exposure in window_enhancement measure
- Remove hardcoded API key from config.ini (replace with placeholder) - Add config.ini to .gitignore (already present) - Create config.ini.template with setup instructions - Add environment variable fallback (EC3_API_TOKEN env var) in apply_measure.py - Priority: env var > config.ini > error with guidance - Detects placeholder values and rejects them - Update measure.py API token argument with security warnings - Advise users to use env vars for CI/CD instead of raw tokens - Create SECURITY.md documenting API key management best practices - Local dev vs CI/CD workflows - GitHub Actions secret configuration - Credential rotation procedures - Code review checklist This ensures API keys are never accidentally committed and provides clear guidance for secure usage across local, CI/CD, and production environments.
1 parent 7dcea63 commit 7e90567

4 files changed

Lines changed: 479 additions & 145 deletions

File tree

SECURITY.md

Lines changed: 100 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,100 @@
1+
# Security Guidelines for API Keys
2+
3+
## Overview
4+
This project requires EC3 and RSMeans API keys to function. It's critical to prevent accidental exposure of these credentials in version control or logs.
5+
6+
## API Key Management
7+
8+
### EC3 API Token
9+
- **Source**: https://buildingtransparency.org
10+
- **Handling**:
11+
- Store in `config.ini` (local development only - file is .gitignored)
12+
- Use environment variable `EC3_API_TOKEN` for CI/CD and production
13+
- Never commit real tokens to version control
14+
15+
### RSMeans API Key
16+
- **Handling**:
17+
- Pass as measure argument (measure.py) - not stored in files
18+
- Use environment variable `RSMEANS_API_KEY` for CI/CD
19+
- Never hardcode in source files
20+
21+
## Setup Instructions
22+
23+
### Local Development
24+
1. Copy the template: `cp config.ini.template config.ini`
25+
2. Edit `config.ini` and add your real EC3 API token
26+
3. Never commit `config.ini` to version control (it's in .gitignore)
27+
28+
### CI/CD and Production
29+
Use environment variables instead of config files:
30+
31+
```bash
32+
# Set before running measures
33+
export EC3_API_TOKEN="your_token_here"
34+
export RSMEANS_API_KEY="your_key_here"
35+
36+
# Or inline
37+
EC3_API_TOKEN="token" python apply_measure.py
38+
```
39+
40+
### Using with GitHub Actions
41+
```yaml
42+
env:
43+
EC3_API_TOKEN: ${{ secrets.EC3_API_TOKEN }}
44+
RSMEANS_API_KEY: ${{ secrets.RSMEANS_API_KEY }}
45+
```
46+
47+
## .gitignore Configuration
48+
The following sensitive files are already excluded:
49+
- `config.ini` - Local configuration with API tokens
50+
- `.env` - Environment variable files
51+
- `.secrets` - Secret files
52+
- Workflow files with API keys
53+
54+
Verify these entries in `.gitignore`:
55+
```
56+
config.ini
57+
.env
58+
.env.*
59+
.secrets
60+
lib/measures/workflow_with_reporting.osw
61+
```
62+
63+
## Checking for Exposed Credentials
64+
65+
### Before committing:
66+
```bash
67+
# Check for any patterns matching API keys
68+
git diff HEAD -- | grep -i "api_key\|token\|secret"
69+
```
70+
71+
### If credentials are accidentally committed:
72+
1. **Immediately rotate the credentials** - they are now exposed in Git history
73+
2. Create a new commit that removes the sensitive data (use `git filter-branch` or `BFG Repo Cleaner`)
74+
3. Force push to remove from history
75+
4. Notify your team and update all consumers of the exposed credentials
76+
77+
## Code Review Checklist
78+
- [ ] No hardcoded API keys in `.py`, `.rb`, or `.json` files
79+
- [ ] No sensitive data in default values of measure arguments
80+
- [ ] Config files with templates included but not actual tokens
81+
- [ ] Environment variable fallbacks implemented where applicable
82+
- [ ] .gitignore properly covers all config and secrets files
83+
84+
## Environment Variable Fallback Support
85+
86+
The following components support environment variables:
87+
88+
- **apply_measure.py**: Reads `EC3_API_TOKEN` if `config.ini` is not available
89+
- **measure.py**: Accepts API token as measure argument (passed at runtime)
90+
- **Resources**: EC3_lookup.py and call_rsmeans_api.py accept tokens as function parameters
91+
92+
This allows flexibility:
93+
1. Local dev: Use `config.ini`
94+
2. CI/CD: Use environment variables
95+
3. Docker/containers: Use mounted secrets or env vars
96+
97+
## References
98+
- [OWASP: Secrets Management](https://owasp.org/www-community/Secrets_Management)
99+
- [GitHub: Removing sensitive data from history](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)
100+
- [EC3 BuildingTransparency API](https://buildingtransparency.org)

config.ini.template

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
[EC3_API_TOKEN]
2+
# Get your EC3 API token from https://buildingtransparency.org
3+
# Instructions:
4+
# 1. Create an account at https://buildingtransparency.org
5+
# 2. Go to your account settings and generate an API token
6+
# 3. Copy the token and paste it below (replacing "your_ec3_api_token_here")
7+
#
8+
# SECURITY WARNING: Never commit this file with a real token to version control.
9+
# This file is listed in .gitignore to prevent accidental commits.
10+
# For CI/CD or production environments, use environment variables instead.
11+
#
12+
API_TOKEN=your_ec3_api_token_here

0 commit comments

Comments
 (0)