Merged
67 changes: 67 additions & 0 deletions docs/incident-response-runbook.md
@@ -0,0 +1,67 @@
# Incident Response Runbook β€” SecuScan

## 1. Leaked Vault Keys

### Detection

- Check logs for unauthorized access: `grep "vault" logs/secuscan.log`
- Review audit trail in `backend/secuscan/vault.py` for key usage

### Response Steps

1. **Immediately rotate** the compromised key β€” set a new `SECUSCAN_VAULT_KEY` in your `.env` file
2. **Re-encrypt** stored credentials β€” delete and re-add all vault entries using the new key
3. **Invalidate** all active sessions by restarting the backend service
4. **Audit** which reports and scans ran during the exposure window
5. **Notify** affected users if credentials were accessed

### Verification

```bash
# Confirm vault config is loaded correctly
grep "SECUSCAN_VAULT_KEY" .env

# Confirm backend starts without vault errors
python -m uvicorn backend.secuscan.main:app --reload

# Run vault-related tests
pytest testing/backend/unit -k "vault" -v
```

## 2. Compromised Plugins

### Detection

- Review plugin execution logs for anomalous behavior
- Check files in `plugins/` for unexpected changes

### Response Steps

1. **Isolate** β€” remove or rename the compromised plugin file immediately
2. **Preserve logs** before any cleanup: `cp logs/secuscan.log logs/secuscan.log.bak`
3. **Audit** all scans that used the compromised plugin via scan history
4. **Restore** plugin from last known clean git commit

### Verification

```bash
# List plugin files
ls plugins/

# Disable compromised plugin by moving its directory out of the active plugin tree
mv plugins/<plugin-name> plugins/<plugin-name>.disabled

# Restore clean plugin from git
git checkout main -- plugins/<plugin-name>

# Run plugin tests
pytest testing/backend/unit -k "plugin" -v
```

## 3. Restoring Clean State

1. Stop all running scans
2. Rotate all credentials in `.env`
3. Re-validate plugin files: `git diff main -- plugins/`
4. Run full test suite: `pytest testing/backend/unit`
5. Confirm system health before resuming operations
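Review bot: The verification step `grep "SECUSCAN_VAULT_KEY" .env` prints the freshly rotated secret to the terminal (and into shell history and any session recording), which is exactly what the runbook is trying to contain; use a presence check that does not echo the value, e.g. `grep -q "^SECUSCAN_VAULT_KEY=" .env && echo "vault key set"`. Two ordering points in the same section: step 1 rotates the key before step 2 re-encrypts, but entries encrypted under the old key cannot be read once it is gone, so the runbook should either say that "delete and re-add" means manual re-entry from the original credential source, or add an export-under-old-key step before rotation. In "Compromised Plugins", step 1 removes or renames the plugin before step 2 preserves the logs; evidence preservation should come first, and `cp logs/secuscan.log logs/secuscan.log.bak` will silently overwrite an earlier backup, so a timestamped name is safer. Finally, "Restore plugin from last known clean git commit" (step 4) and `git checkout main -- plugins/<plugin-name>` (Verification) disagree: `main` is not necessarily clean if the attacker had push access, so the command should take an explicit, reviewed commit hash.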