You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: .github/copilot-instructions.md
+50-8Lines changed: 50 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -62,20 +62,62 @@ source .venv/bin/activate # On Windows: .venv\Scripts\activate
62
62
# Install dependencies
63
63
pip install -r requirements.txt
64
64
65
-
# Configure environment
65
+
# Configure environment (SECURE)
66
66
cp .env.example .env
67
-
# Edit .env with credentials
67
+
# Create a local `.env` from `.env.example` for development only. Do NOT commit real credentials.
68
+
# For production or CI, set secrets using the platform's secret manager (GitHub Secrets, AWS Secrets Manager, Azure Key Vault, etc.)
69
+
# Never embed API credentials, tokens, or passwords in code, config files checked into source control, or documentation examples.
68
70
```
69
71
70
-
### Required Environment Variables
72
+
### Required Environment Variables (DO NOT HARD-CODE SECRETS)
71
73
72
-
```bash
73
-
INSIGHTVM_API_USERNAME=your_username
74
-
INSIGHTVM_API_PASSWORD=your_password
75
-
INSIGHTVM_BASE_URL=https://your-console:3780
76
-
INSIGHTVM_VERIFY_SSL=false # For self-signed certificates
74
+
Provide the following configuration via environment variables or a secret manager. Examples in documentation should show how to reference these variables (e.g. `os.getenv(...)`) but must never include real credential values.
75
+
76
+
-`INSIGHTVM_API_USERNAME` — InsightVM API username (string); supply via environment or secret manager.
77
+
-`INSIGHTVM_API_PASSWORD` — InsightVM API password (secret); store in a secret manager and reference via env var in CI. Never commit this value.
78
+
-`INSIGHTVM_BASE_URL` — Full console base URL (include scheme and port), e.g. `https://console.example:3780`.
79
+
-`INSIGHTVM_VERIFY_SSL` — Optional boolean; default `true`. Set to `false` only in trusted development/testing environments when using self-signed certificates.
80
+
81
+
Best practice: Use CI secrets or an external secret manager for production systems and avoid committing `.env` files to the repository.
82
+
83
+
Secrets Policy (short):
84
+
- Never include actual API keys, passwords, tokens, or private keys in source code, documentation, or examples.
85
+
- When examples require secrets, use placeholders like `<INSIGHTVM_API_PASSWORD>` or show reading from env vars only.
86
+
- Add secret-scanning in CI and pre-commit hooks. Recommended tools: gitleaks, detect-secrets. (Guidance only — do not add secret values here.)
87
+
88
+
## PR & Commit Checklist (recommended)
89
+
90
+
Before opening a pull request, ensure:
91
+
92
+
- No secrets or hardcoded credentials are introduced in the diff.
93
+
- Code formatting and static checks pass (black, flake8, mypy).
94
+
- Tests cover new functionality; tests use mocks/fixtures for external API calls.
95
+
- Documentation and migration notes updated for any public API or behavior changes.
96
+
- Add a short security note in the PR description when changes touch auth, secrets, or SSL handling.
97
+
98
+
## Examples & Tests (no secrets)
99
+
100
+
- Example code should demonstrate how to read configuration from environment variables, e.g.:
101
+
102
+
```python
103
+
import os
104
+
105
+
username = os.getenv("INSIGHTVM_API_USERNAME")
106
+
password = os.getenv("INSIGHTVM_API_PASSWORD")
107
+
base_url = os.getenv("INSIGHTVM_BASE_URL")
77
108
```
78
109
110
+
- Integration or example scripts that require real credentials should never be committed. Tests should use `tests/conftest.py` fixtures and mocked API responses instead of real endpoints.
111
+
112
+
## API Naming & Compatibility Guidance
113
+
114
+
- Avoid introducing method names that conflict with `BaseAPI` (for example, do not add `get`, `update`, or `delete` methods to subclasses if those signatures would shadow incompatible parent methods).
115
+
- For the Scan Engines client prefer explicit method names such as `get_engine`, `update_engine`, and `delete_engine` to avoid inheritance conflicts. When renaming public methods, include a deprecation wrapper and add a migration note in `MIGRATION.md` and the module's docs.
116
+
117
+
## SSL Verification Guidance
118
+
119
+
- Default `INSIGHTVM_VERIFY_SSL` to `true`. Disabling SSL verification (`false`) is allowed only in trusted development or test environments with self-signed certificates and must be documented. Clearly warn users in docs about the security implications of disabling certificate verification.
0 commit comments