Security Checklist for FDS‐Dev
Flamehaven edited this page Dec 8, 2025 · 1 revision
- No hardcoded API keys, tokens, or passwords in code
- Environment variables used for sensitive config
- `.env` files added to `.gitignore`
- Run `pre-commit run --all-files` before committing
- No large binary files committed
- Check for accidental secret exposure
- Validate input sanitization for user-provided data
- Verify external API calls use HTTPS
- Confirm error messages don't leak sensitive info
- Test edge cases and error handling
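The "no hardcoded keys", "check for accidental secret exposure" and "error messages don't leak sensitive info" items above can be backed by code rather than eyeballing. The following is an added example, not FDS-Dev project code: it scans only the added lines of a unified diff (what a pre-commit hook sees) for secret-shaped strings, and reuses the same pattern set to redact an exception message before it is logged or returned. The regexes, the `# allowlist-secret` opt-out marker and the sample diff are assumptions constructed for illustration.

```python
"""Pre-commit style secret scan over a unified diff, plus error-message redaction.

Added example (not FDS-Dev project code). The regexes, the sample diff and the
`# allowlist-secret` marker are assumptions chosen for illustration.
"""
import math
import re
from collections import Counter

# Token shapes worth flagging. The first two use the documented public prefixes
# of AWS access key IDs and GitHub personal access tokens; the last catches
# generic `api_key = "..."` style assignments (group 1 = key, group 2 = value).
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic-assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
ALLOWLIST_MARKER = "# allowlist-secret"  # assumed opt-out marker for reviewed false positives


def shannon_entropy(s: str) -> float:
    """Bits per character; long random strings score high (roughly > 4.0 is suspicious)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_diff(diff_text: str) -> list:
    """Return findings for secret-shaped strings in the *added* lines of a unified diff."""
    findings = []
    path, lineno = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):            # new-file header: remember the path
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        hunk = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
        if hunk:                               # hunk header: reset the new-file line counter
            lineno = int(hunk.group(1)) - 1
            continue
        if raw.startswith("+"):                # added line: the only kind that enters the repo
            lineno += 1
            line = raw[1:]
            if ALLOWLIST_MARKER in line:
                continue
            for rule, pattern in SECRET_PATTERNS.items():
                m = pattern.search(line)
                if m:
                    token = m.group(2) if rule == "generic-assignment" else m.group(0)
                    findings.append({"path": path, "line": lineno, "rule": rule,
                                     "entropy": round(shannon_entropy(token), 2)})
        elif raw.startswith(" "):              # context line: counts toward line numbers
            lineno += 1
        # removed lines ("-...") and "diff --git"/"---" headers are ignored
    return findings


def redact(message: str) -> str:
    """Mask secret-shaped substrings before a message reaches logs or users."""
    out = SECRET_PATTERNS["aws-access-key-id"].sub("[REDACTED]", message)
    out = SECRET_PATTERNS["github-pat"].sub("[REDACTED]", out)
    out = SECRET_PATTERNS["generic-assignment"].sub(
        lambda m: m.group(0).replace(m.group(2), "[REDACTED]"), out)
    return out


def safe_error_message(exc: Exception, request_id: str) -> tuple:
    """Return (user_facing, internal_log): detail stays server-side, keyed by a reference id."""
    internal = f"request_id={request_id} {type(exc).__name__}: {redact(str(exc))}"
    user_facing = f"Request failed (reference {request_id})."
    return user_facing, internal


# Constructed sample diff: one generic key, one AWS-shaped key, one allowlisted default.
SAMPLE_DIFF = """\
diff --git a/fds/config.py b/fds/config.py
--- a/fds/config.py
+++ b/fds/config.py
@@ -1,3 +1,5 @@
 import os
-API_KEY = os.environ["FDS_API_KEY"]
+API_KEY = "sk-example-0123456789abcdef0123456789"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+GH_TOKEN = os.environ.get("GH_TOKEN", "ghp_000000000000000000000000000000000000")  # allowlist-secret
 DEBUG = False
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f['path']}:{f['line']} {f['rule']} (entropy {f['entropy']})")
    print(safe_error_message(RuntimeError('upstream rejected api_key="supersecretvalue123"'), "req-42"))
```

Wiring this into pre-commit means feeding it `git diff --cached` output; the allowlist marker is deliberately a code comment so that every suppression is visible in review, and the entropy score is recorded rather than used as a gate, since placeholder passwords have low entropy yet still belong in the findings.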
- All tests pass
- Linters (ruff, flake8) pass
- Coverage meets threshold (>=70%)
- No security vulnerabilities in dependencies (Dependabot)
- Secrets stored in GitHub Secrets (not in code)
- Version bumped in `pyproject.toml`
- `CHANGELOG.md` updated
- Security fixes documented (if any)
- Tag follows `vX.Y.Z` pattern
- GitHub Release notes include security warnings
- Require pull request reviews (min 1)
- Require status checks to pass
- Require branches to be up to date
- Require signed commits (recommended)
- Include administrators in restrictions
- Dependabot alerts enabled
- Dependabot security updates enabled
- Secret scanning enabled
- Code scanning (CodeQL) enabled
- Private vulnerability reporting enabled
- `PYPI_API_TOKEN` stored in Secrets
- No plain-text secrets in repository
- Environment-specific secrets use Environments
- IMMEDIATELY rotate compromised credential
- Check git history: `git log -S "secret_string"`
- Remove from history if found:

  ```bash
  # Option 1: git-filter-repo (recommended)
  git filter-repo --path-match 'file_with_secret' --invert-paths
  # Option 2: BFG Repo-Cleaner
  bfg --delete-files file_with_secret
  ```

- Force push (DANGEROUS - coordinate with team): `git push --force-with-lease`
- Notify all collaborators
- Create security advisory if public exposure
- Acknowledge within 72 hours
- Triage severity (Critical/High/Medium/Low)
- Create private security advisory
- Develop and test fix
- Release patch version
- Publish advisory after fix deployed
- Data residency requirements met
- GDPR compliance (if handling EU data)
- HIPAA compliance (if handling health data)
- SOC 2 audit trail (if applicable)
- License compatibility verified
- Review Dependabot PRs
- Check security advisory dashboard
- Audit GitHub Actions logs
- Review access permissions
- Update security documentation
- Full dependency audit
- Security policy review
- Incident response drill (simulated)
Last Updated: 2025-11-20
Checklist Version: 1.0