
Security: Dashtid/sysadmin-toolkit


SECURITY.md

Security Policy

Reporting Vulnerabilities

Do not create public GitHub issues for security vulnerabilities.

Report by email to the maintainer (address on the GitHub profile), including:

  • Description of vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

Response timeline:

Severity   Response   Fix
Critical   48 hours   7 days
High       48 hours   14 days
Medium     7 days     30 days
Low        7 days     Next release

Supported Versions

Version         Supported
Latest (main)   Yes
< 2.0           No

Security Scanning

This repository uses:

  • GitHub Secret Scanning
  • Pre-commit hooks for local validation
  • GitHub Actions for CI security checks

Never Commit

Type                 Examples
Credentials          Passwords, API keys, tokens
Keys                 SSH private keys, certificates (.pem, .pfx, .key)
Connection strings   Database URLs with embedded credentials
Real IPs             Use the RFC 5737 documentation ranges instead: 192.0.2.x, 198.51.100.x, 203.0.113.x
Personal data        Names, emails, company information
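The following script is an added example, not one of this repository's own pre-commit hooks. It shows what the "Pre-commit hooks for local validation" item and the "Never Commit" table mean in practice: a local check that flags PEM key/certificate material, URLs with embedded credentials, hard-coded secret assignments and IPv4 literals outside the RFC 5737 documentation ranges. The secret-name list, the placeholder patterns, and the decision to also allow loopback and the unspecified address are assumptions of this example; the sample file content is constructed.

```python
"""Local pre-commit style check for the 'Never Commit' categories.

Added example, not the repository's own hook. Heuristic by design:
it favours a few false positives over a leaked credential.
"""
import ipaddress
import re
import sys
from typing import List, Tuple

# RFC 5737 documentation ranges: the only "real-looking" IPv4 literals the policy allows.
DOC_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PEM_RE = re.compile(r"-----BEGIN [A-Z ]*(PRIVATE KEY|CERTIFICATE)-----")
# scheme://user:pass@host  -> credential embedded in a connection string
CONN_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)
# key = value assignments for common secret names (assumed list)
ASSIGN_RE = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([^\s'\"]{8,})"
)
# values that are clearly templates rather than secrets (assumed patterns)
PLACEHOLDER_RE = re.compile(r"^(\$\{?[A-Z_]+\}?|<[^>]+>|x{3,}|changeme|example)$", re.I)


def is_allowed_ip(literal: str) -> bool:
    """True for RFC 5737 addresses; loopback and 0.0.0.0 are also allowed here
    (an assumption of this example, since they reveal no real host)."""
    try:
        addr = ipaddress.ip_address(literal)
    except ValueError:
        return True  # e.g. 999.1.2.3 or a version string: not an address, nothing to flag
    return addr.is_loopback or addr.is_unspecified or any(addr in net for net in DOC_NETS)


def find_findings(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, category, matched_text) for every hit in text."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        pem = PEM_RE.search(line)
        if pem:
            findings.append((lineno, "private-key-or-cert", pem.group(0)))
        conn = CONN_RE.search(line)
        if conn:
            findings.append((lineno, "connection-string-credential", conn.group(0)))
        for m in ASSIGN_RE.finditer(line):
            if not PLACEHOLDER_RE.match(m.group(2)):
                findings.append((lineno, "hardcoded-secret", m.group(0)))
        for m in IPV4_RE.finditer(line):
            if not is_allowed_ip(m.group(0)):
                findings.append((lineno, "real-ip", m.group(0)))
    return findings


def scan_files(paths: List[str]) -> int:
    """Scan each file, print findings as path:line: category: match, return the count."""
    total = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, category, match in find_findings(fh.read()):
                print(f"{path}:{lineno}: {category}: {match}")
                total += 1
    return total


# Constructed sample of a staged file (not from the repository).
SAMPLE = """\
# constructed sample of a staged file
DB_URL=postgres://app:hunter2@db.example.com:5432/app
api_key = 'sk_live_abcdef123456'
password = ${DB_PASSWORD}
upstream = 203.0.113.10   # documentation range, allowed
internal = 10.20.30.40    # real address, flagged
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    if sys.argv[1:]:
        # Pre-commit use: exit non-zero when anything is flagged.
        sys.exit(1 if scan_files(sys.argv[1:]) else 0)
    for finding in find_findings(SAMPLE):
        print(finding)
```

Wired into a hook, it would be run over the staged files, for example with `git diff --cached --name-only --diff-filter=ACM | xargs python check_secrets.py`, so that a non-zero exit blocks the commit. The `${DB_PASSWORD}` line is skipped because the value is a template reference, which is exactly the `.env.local` plus `.example` pattern the Best Practices table asks for.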

Best Practices

Practice      Implementation
Parameters    No hardcoded values in scripts
Templates     Use .example files for configs
Environment   Use .env.local (gitignored)
Validation    Sanitize all user input
Review        Check git diff before commit

If Secrets Are Exposed

  1. Immediately rotate/revoke the credential; treat it as compromised even if the commit was public for only a moment
  2. Remove it from Git history:
    git filter-repo --path path/to/secret --invert-paths
    git push origin --force --all
  3. Notify collaborators to re-clone (not pull), since rewritten history does not merge cleanly into existing clones

Security Tools

Resources


Last Updated: 2025-12-26 | Contact: @dashtid
