Thanks for contributing to the Ops Scripts Toolkit.
- Keep this repository public-safe and generic.
- Do not add company-specific hostnames, account IDs, internal URLs, or private deployment details.
- Use environment variables, config files, and example templates instead of embedded secrets.
- Use snake_case filenames for all scripts.
- Prefer action names for tasks (verb_object.sh / verb_object.py).
- Prefer audit/check names for diagnostics (something_audit.sh, something_check.py).
- Start with:
  #!/usr/bin/env bash
  set -euo pipefail
- Provide usage/--help output for non-trivial scripts.
- Use clear exit codes:
  - 0 success
  - non-zero for warnings/failures/errors
- Avoid destructive defaults; add dry-run modes where practical.
- Use Python 3.
- Include argparse help text for CLI scripts.
- Keep dependencies minimal and documented.
- Handle errors with user-readable messages and non-zero exit codes.
- Never commit credentials, tokens, private keys, or passwords.
- Prefer AWS profiles/roles over static keys.
- Add .example files for environment/config templates.
- If sensitive data was ever committed, rotate it immediately.
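A diagnostic written to the Python and secrets rules above (argparse help, readable errors, non-zero exit codes, no committed credentials), shown as an added example that is not part of the toolkit. The script name secrets_check.py, its three patterns, the constructed SAMPLE input and the 0/1/2 exit-code split are assumptions.

```python
#!/usr/bin/env python3
"""secrets_check.py: flag lines that look like committed credentials.

Hypothetical example script; the patterns are a small illustrative set.
Exit codes: 0 = clean, 1 = findings, 2 = usage or I/O error.
"""
import argparse
import re
import sys
from pathlib import Path

# Illustrative patterns only (assumption: not the toolkit's real rule set).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "inline_password": re.compile(r"(?i)\bpassword\s*[=:]\s*['\"][^'\"$]{4,}['\"]"),
}

# Constructed sample input: one fake key ID, one env-var reference (allowed).
SAMPLE = 'region = "us-east-1"\nkey = "AKIA' + "A" * 16 + '"\npassword = "${DB_PASSWORD}"\n'

def scan_text(text):
    """Return sorted (line_number, rule_name) pairs; the match is never echoed."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits.extend((lineno, name) for name, rx in PATTERNS.items() if rx.search(line))
    return sorted(hits)

def main(argv=None):
    parser = argparse.ArgumentParser(
        description="Report lines that look like credentials, tokens or private keys.")
    parser.add_argument("paths", nargs="+", type=Path, help="files to check")
    parser.add_argument("--quiet", action="store_true", help="print nothing; use the exit code")
    args = parser.parse_args(argv)  # argparse itself exits with 2 on usage errors
    found = False
    for path in args.paths:
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError as exc:
            print(f"error: cannot read {path}: {exc.strerror}", file=sys.stderr)
            return 2
        for lineno, rule in scan_text(text):
            found = True
            if not args.quiet:
                print(f"{path}:{lineno}: {rule}")
    return 1 if found else 0

if __name__ == "__main__":
    sys.exit(main())
```

Findings print only the file, line number and rule name, so the output can be pasted into a review without repeating the secret.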
Run locally:
find . -type f -name "*.sh" -print0 | xargs -0 -n1 bash -n
python3 -m compileall -q .
pre-commit run --all-files
Optional CI-parity check:
./security_baseline_run.sh \
  --dry-run \
  --non-strict \
  --no-sudo \
  --only-group network \
  --output-json \
  --json-compact \
  --json-file ./artifacts/security/summary.json \
  --quiet
- Keep changes focused and minimal.
- Update README.md when adding/removing scripts or changing behavior.
- Include examples for new scripts when useful.
- If you run CI manually, ensure it passes before requesting review.