- NEVER commit secrets to git - This includes API keys, tokens, passwords
- Use environment variables - Load secrets from environment at runtime
- Use GitHub Secrets - For CI/CD pipeline secrets
- Rotate compromised secrets - If a secret is exposed, rotate it immediately
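How a Go program should consume the variable loaded above, as an added example that is not code from the sdp project: read TELEGRAM_BOT_TOKEN from the process environment at runtime, refuse the `.env.example` placeholder, validate the token's shape, and redact the value before it can reach a log line. The token pattern, the function names and the `ErrNoToken` sentinel are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"os"
	"regexp"
	"strings"
)

// Constructed example, not part of the sdp project: load the Telegram bot
// token from the environment at runtime, never from a file tracked by git.

// botTokenPattern is an assumption about the token shape: a numeric bot id,
// a colon, then the secret part. It rejects garbage without being so strict
// that a valid token is refused.
var botTokenPattern = regexp.MustCompile(`^[0-9]+:[A-Za-z0-9_-]{20,}$`)

// ErrNoToken is returned when the variable is unset; the caller decides
// whether notifications are optional (skip) or required (exit non-zero).
var ErrNoToken = errors.New("TELEGRAM_BOT_TOKEN is not set")

// LoadBotToken reads TELEGRAM_BOT_TOKEN from the process environment and
// validates its shape. It never logs or echoes the value.
func LoadBotToken() (string, error) {
	tok := strings.TrimSpace(os.Getenv("TELEGRAM_BOT_TOKEN"))
	if tok == "" {
		return "", ErrNoToken
	}
	if tok == "your_token_here" {
		return "", errors.New("TELEGRAM_BOT_TOKEN still holds the .env.example placeholder")
	}
	if !botTokenPattern.MatchString(tok) {
		return "", errors.New("TELEGRAM_BOT_TOKEN does not look like a bot token (expected <bot id>:<secret>)")
	}
	return tok, nil
}

// Redact returns a log-safe form of the token: the bot id is kept so log
// lines can be correlated, the secret part is reduced to its last four
// characters. Anything that is not id:secret is fully masked.
func Redact(tok string) string {
	id, secret, ok := strings.Cut(tok, ":")
	if !ok || len(secret) < 4 {
		return "<redacted>"
	}
	return id + ":****" + secret[len(secret)-4:]
}

func main() {
	tok, err := LoadBotToken()
	if errors.Is(err, ErrNoToken) {
		log.Println("notifications disabled: " + err.Error())
		return
	}
	if err != nil {
		log.Fatal(err) // fail closed on a malformed or placeholder token
	}
	fmt.Println("using bot token", Redact(tok))
}
```

Because the token only ever enters the process through `os.Getenv`, a leaked log or crash dump shows `123456789:****abcd` at most, and the placeholder check catches a developer who copied `.env.example` to `.env` without editing it.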
The .env file is gitignored and should NEVER be committed.
Required for development:
- TELEGRAM_BOT_TOKEN - Telegram bot token for notifications (optional)
Setup:
```bash
# Copy template
cp .env.example .env
# Edit with your values
nano .env
# Load in your shell. Plain KEY=value lines only become shell variables when
# sourced; wrap the source in set -a / set +a (or use export) so the tool sees them
set -a; source .env; set +a   # or: export TELEGRAM_BOT_TOKEN="your_token_here"
```
GitHub Secrets (used in CI/CD):
- None currently needed for this CLI tool
To add secrets:
- Go to: https://github.com/fall-out-bug/sdp/settings/secrets/actions
- Click: "New repository secret"
- Name: TELEGRAM_BOT_TOKEN (or appropriate)
- Value: Your secret value
- Enable: "Required for workflow"
If a secret is exposed (committed, leaked, etc.):
- Immediately rotate the secret
  ```bash
  # Telegram bot token
  # 1. Message @BotFather on Telegram
  # 2. Select your bot → Revoke old token
  # 3. Generate new token
  # 4. Update .env locally
  ```
- Verify it's not in git history
  ```bash
  git log --all --full-history -- .env   # Should print nothing: empty output means no commit ever touched .env
  ```
- If it WAS committed:
  ```bash
  # Remove .env from every commit on every branch. git now recommends git-filter-repo
  # for this; filter-branch still works but prints a warning.
  git filter-branch --force --index-filter \
    "git rm --cached --ignore-unmatch .env" --prune-empty -- --all
  # Force push the rewritten history. Clones, forks and CI caches fetched before
  # this still hold the old commits, which is why rotation comes first.
  git push origin --force --all
  ```
✅ SAFE - .env is gitignored and not in git history
.env.example provided for setup
- Never commit .env - It's in .gitignore
- Use .env.example - Template for required variables
- Document secrets - Keep this SECURITY.md up to date
- Review regularly - Audit git log for accidental commits
- Use .env.local - For local overrides (also gitignored)
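The "audit git log" practice above is usually done with keyword greps, which also match the variable names in `.env.example` and produce noise. As an added example that is not part of the sdp project, here is a small Go scanner that reads `git log -p --all` output on stdin and reports only lines whose values have the shape of a real secret, skipping template placeholders. The two rules, the placeholder list, the `--demo` flag and the `./cmd/scanleaks` path in the usage comment are all assumptions; `Sample` is constructed input.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"regexp"
	"strings"
)

// Constructed example, not part of the sdp project: scan text such as the
// output of `git log -p --all` for lines whose values look like real secrets.

// Finding records where a suspicious value was seen. The value itself is
// deliberately not stored, so scan output is safe to paste into an issue.
type Finding struct {
	Line int
	Rule string
}

type rule struct {
	name string
	re   *regexp.Regexp // last capture group (or the whole match) is the value
}

// Assumed patterns: the Telegram bot token shape (numeric bot id, colon,
// long secret) and assignments to password/secret/token/api-key variables.
var rules = []rule{
	{"telegram-bot-token", regexp.MustCompile(`\b[0-9]{6,}:[A-Za-z0-9_-]{30,}`)},
	{"credential-assignment", regexp.MustCompile(`(?i)(password|passwd|secret|token|api[_-]?key)\s*[=:]\s*["']?([^\s"']{8,})`)},
}

// placeholders are values a template legitimately contains (assumed list):
// the .env.example marker, "changeme", <angle-bracket hints> and ${VAR} refs.
var placeholders = regexp.MustCompile(`(?i)your_token_here|changeme|<[^>]+>|\$\{?[A-Z_]+\}?`)

// Sample is constructed input mimicking `git log -p` output: two real-looking
// leaks from a committed .env, followed by harmless .env.example lines.
const Sample = `diff --git a/.env b/.env
+++ b/.env
+TELEGRAM_BOT_TOKEN=123456789:AAHconstructedSecretValueFake_abcdef0123
+DB_PASSWORD="hunter2hunter2"
 # .env.example
 TELEGRAM_BOT_TOKEN=your_token_here
 password: ${DB_PASSWORD}
`

// Scan reads r line by line and returns one Finding per line whose value
// matches a rule and is not a placeholder. Diff file headers are skipped.
func Scan(r io.Reader) ([]Finding, error) {
	var out []Finding
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 4*1024*1024) // diffs can carry very long lines
	n := 0
	for sc.Scan() {
		n++
		line := sc.Text()
		if strings.HasPrefix(line, "diff ") || strings.HasPrefix(line, "+++") || strings.HasPrefix(line, "---") {
			continue
		}
		for _, rl := range rules {
			m := rl.re.FindStringSubmatch(line)
			if m == nil || placeholders.MatchString(m[len(m)-1]) {
				continue
			}
			out = append(out, Finding{Line: n, Rule: rl.name})
			break // one finding per line is enough
		}
	}
	return out, sc.Err()
}

func main() {
	// Usage (path hypothetical): git log -p --all | go run ./cmd/scanleaks
	var in io.Reader = os.Stdin
	if len(os.Args) > 1 && os.Args[1] == "--demo" {
		in = strings.NewReader(Sample)
	}
	findings, err := Scan(in)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("line %d: %s\n", f.Line, f.Rule) // rule and position only, never the value
	}
	if len(findings) > 0 {
		os.Exit(1) // non-zero so a CI job fails when history contains a leak
	}
}
```

Run with `--demo` to see the two constructed leaks reported by line number while the `.env.example` lines stay silent. The non-zero exit code is what lets the same scan run as a CI step: once the current history is clean, any future commit that reintroduces a token-shaped value fails the build instead of waiting for the next manual audit.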
Check for exposed secrets:
```bash
# Find commits that added or removed a given string (-S needs its argument)
git log --all --oneline -S "TELEGRAM_BOT_TOKEN"
# Or grep every historical diff for sensitive patterns
git log --all -p | grep -iE "token|secret|password|api[_-]key"
# Search all tracked files for secrets
grep -rE "TELEGRAM_BOT_TOKEN|password|secret" --include="*.go" --exclude-dir=vendor .
```
Last Updated: 2026-02-07
Version: 1.0