The following environment variables must be set for secure operation:
# Firebase Configuration
export FIREBASE_API_KEY="your-firebase-api-key"
export FIREBASE_PROJECT_ID="kodrixide"
# GitHub OAuth
export GITHUB_OAUTH_CLIENT_ID="your-client-id"
export GITHUB_OAUTH_CLIENT_SECRET="your-client-secret"
# Git Credentials
export KODRIX_GH_USER="your-github-username"
export KODRIX_GH_TOKEN="your-github-personal-access-token"- API keys, tokens, or secrets
- Private keys or certificates
- Credentials in any form
.envor.env.localfiles
- Use
.env.local(git-ignored) for local development - Use secure credential managers (1Password, LastPass, etc.)
- Rotate tokens regularly
- Use read-only tokens when possible
- Never paste credentials in logs or error messages
- Use GitHub Secrets for sensitive data
- Use organization-level secrets for shared credentials
- Rotate secrets quarterly
- Audit secret access logs
Please do NOT open public issues for security vulnerabilities. Instead:
- Email: security@kodrix.local (if available)
- Use GitHub's private vulnerability reporting
- Include: Description, severity, reproduction steps, impact
- Rotate API keys every 90 days
- Use separate keys for development and production
- Monitor usage in Firebase Console
- Revoke compromised tokens immediately
- Use GitHub token expiration settings
- Maintain audit logs of token usage
- Use fine-grained personal access tokens
- Limit scopes to necessary permissions only
- Set expiration dates (max 1 year)
- Rotate on each major version release
This repository uses automated scanning:
- Dependency scanning (npm, gradle, etc.)
- Secret detection (pre-commit hooks)
- SAST (Static Application Security Testing)