Skip to content

security: pre-go-live repo visibility review checklist #53

Description

@wcmchenry3-stack

Purpose

Before any app goes live, each repo should pass this checklist.

Per-repo checklist

  • No hardcoded secrets or credentials anywhere (run gitleaks on full history)
  • All secrets in GitHub Actions secrets — never in code
  • `RENDER_API_KEY` rotated if it ever touched a workflow file, commit, or log
  • ZAP baseline scan green on live URL
  • Branch protection enabled on `main` (require PR + green CI, no force push)
  • Decide public vs private — if private, confirm Actions minutes budget
  • `SECURITY.md` present (org-inherited or repo-level copy)
  • PR template present

Org-level checklist (do once)

  • Enable secret scanning + push protection (GitHub → Org Settings → Code security)
  • Review all fine-grained PATs — confirm minimum required scopes
  • Confirm Cloudflare worker PAT has only `issues: write` on `.github`, nothing else

Metadata

Metadata

Assignees

No one assigned

    Labels

    securitySecurity-related issues and improvements

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions