If you discover a security vulnerability in this repository, please do not open a public issue. Instead:

1. Email security concerns to the repository maintainers
2. Provide a detailed description of the vulnerability
3. Include steps to reproduce (if applicable)
4. Allow 90 days for a fix before public disclosure

This repository uses SSH authentication to prevent credential exposure in git configuration.

# Set up SSH key (one-time setup)
ssh-keygen -t ed25519 -C "your_email@example.com"

# Add public key to GitHub: https://github.com/settings/keys
cat ~/.ssh/id_ed25519.pub

# Clone using SSH
git clone git@github.com:nagual2/font_sharpener.git

# If already cloned with HTTPS, switch to SSH
git remote set-url origin git@github.com:nagual2/font_sharpener.git

Do NOT embed Personal Access Tokens in git URLs like:

# NEVER DO THIS
git clone https://username:TOKEN@github.com/user/repo.git

Before committing, verify no secrets are included:

# Check staged changes for secrets
git diff --cached | grep -iE "password|token|api.?key|secret|credential"

# Or use gitleaks (if installed)
gitleaks detect --staged

To enable automatic secret scanning before commits:

# Install pre-commit
pip install pre-commit

# Install hooks
pre-commit install

# (Optional) Run manually
pre-commit run --all-files

Store configuration and sensitive data in environment variables, not in code:

# Good: Use environment variables
$env:MY_API_KEY = "secret"
# In script: $apiKey = [System.Environment]::GetEnvironmentVariable("MY_API_KEY")

# Bad: Hardcode in script
$apiKey = "secret123"  # Never do this

Before creating a pull request, ensure:

• No passwords or tokens are included
• No API keys are hardcoded
• No private keys or certificates are committed
• No PII (emails, phone numbers) is exposed
• No internal URLs or IP addresses are leaked
• All external services use environment variables or secure methods
• Comments don't contain sensitive information

This repository has the following security settings:

1. Branch Protection: Main branch requires pull request reviews
2. Automatic Dependency Updates: Enabled via Dependabot
3. Secret Scanning: Recommended for all repositories
4. Code Scanning: Use GitHub Actions for SAST

Security audits are recommended quarterly or after significant changes:

# Run security audit
gitleaks detect --verbose
ripgrep --type-add 'ps1:*.ps1' -i "password|token|secret" .

This script has minimal dependencies (Windows PowerShell 5.0+) and does not import external packages, reducing attack surface.

Check for dependency vulnerabilities:

• GitHub's built-in vulnerability scanning
• Manual reviews of any added dependencies
• Security advisories for PowerShell modules (if any are added)

This repository follows:

• GitHub Security Best Practices: https://docs.github.com/en/code-security
• CWE/SANS Top 25: Focus on A02:2021 Cryptographic Failures
• OWASP Top 10: Credential exposure prevention

• GitHub Security Documentation
• OWASP Credential Management Cheat Sheet
• CWE-798: Use of Hard-Coded Credentials
• GitHub Token Security

Last Updated: 2024-11-07