Skip to content

Commit 935086e

Browse files
committed
docs(copilot): add secrets policy, PR checklist, and SSL guidance
1 parent bbfcdff commit 935086e

1 file changed

Lines changed: 50 additions & 8 deletions

File tree

.github/copilot-instructions.md

Lines changed: 50 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -62,20 +62,62 @@ source .venv/bin/activate # On Windows: .venv\Scripts\activate
6262
# Install dependencies
6363
pip install -r requirements.txt
6464

65-
# Configure environment
65+
# Configure environment (SECURE)
6666
cp .env.example .env
67-
# Edit .env with credentials
67+
# Create a local `.env` from `.env.example` for development only. Do NOT commit real credentials.
68+
# For production or CI, set secrets using the platform's secret manager (GitHub Secrets, AWS Secrets Manager, Azure Key Vault, etc.)
69+
# Never embed API credentials, tokens, or passwords in code, config files checked into source control, or documentation examples.
6870
```
6971

70-
### Required Environment Variables
72+
### Required Environment Variables (DO NOT HARD-CODE SECRETS)
7173

72-
```bash
73-
INSIGHTVM_API_USERNAME=your_username
74-
INSIGHTVM_API_PASSWORD=your_password
75-
INSIGHTVM_BASE_URL=https://your-console:3780
76-
INSIGHTVM_VERIFY_SSL=false # For self-signed certificates
74+
Provide the following configuration via environment variables or a secret manager. Examples in documentation should show how to reference these variables (e.g. `os.getenv(...)`) but must never include real credential values.
75+
76+
- `INSIGHTVM_API_USERNAME` — InsightVM API username (string); supply via environment or secret manager.
77+
- `INSIGHTVM_API_PASSWORD` — InsightVM API password (secret); store in a secret manager and reference via env var in CI. Never commit this value.
78+
- `INSIGHTVM_BASE_URL` — Full console base URL (include scheme and port), e.g. `https://console.example:3780`.
79+
- `INSIGHTVM_VERIFY_SSL` — Optional boolean; default `true`. Set to `false` only in trusted development/testing environments when using self-signed certificates.
80+
81+
Best practice: Use CI secrets or an external secret manager for production systems and avoid committing `.env` files to the repository.
82+
83+
Secrets Policy (short):
84+
- Never include actual API keys, passwords, tokens, or private keys in source code, documentation, or examples.
85+
- When examples require secrets, use placeholders like `<INSIGHTVM_API_PASSWORD>` or show reading from env vars only.
86+
- Add secret-scanning in CI and pre-commit hooks. Recommended tools: gitleaks, detect-secrets. (Guidance only — do not add secret values here.)
87+
88+
## PR & Commit Checklist (recommended)
89+
90+
Before opening a pull request, ensure:
91+
92+
- No secrets or hardcoded credentials are introduced in the diff.
93+
- Code formatting and static checks pass (black, flake8, mypy).
94+
- Tests cover new functionality; tests use mocks/fixtures for external API calls.
95+
- Documentation and migration notes updated for any public API or behavior changes.
96+
- Add a short security note in the PR description when changes touch auth, secrets, or SSL handling.
97+
98+
## Examples & Tests (no secrets)
99+
100+
- Example code should demonstrate how to read configuration from environment variables, e.g.:
101+
102+
```python
103+
import os
104+
105+
username = os.getenv("INSIGHTVM_API_USERNAME")
106+
password = os.getenv("INSIGHTVM_API_PASSWORD")
107+
base_url = os.getenv("INSIGHTVM_BASE_URL")
77108
```
78109

110+
- Integration or example scripts that require real credentials should never be committed. Tests should use `tests/conftest.py` fixtures and mocked API responses instead of real endpoints.
111+
112+
## API Naming & Compatibility Guidance
113+
114+
- Avoid introducing method names that conflict with `BaseAPI` (for example, do not add `get`, `update`, or `delete` methods to subclasses if those signatures would shadow incompatible parent methods).
115+
- For the Scan Engines client prefer explicit method names such as `get_engine`, `update_engine`, and `delete_engine` to avoid inheritance conflicts. When renaming public methods, include a deprecation wrapper and add a migration note in `MIGRATION.md` and the module's docs.
116+
117+
## SSL Verification Guidance
118+
119+
- Default `INSIGHTVM_VERIFY_SSL` to `true`. Disabling SSL verification (`false`) is allowed only in trusted development or test environments with self-signed certificates and must be documented. Clearly warn users in docs about the security implications of disabling certificate verification.
120+
79121
## Coding Standards
80122

81123
### Python Style Guide

0 commit comments

Comments
 (0)