Secrets guidelines

[MarkoSagadin]

Context

"Secrets" is an umbrella term for various confidential documents/files, such as:

• WiFi passwords
• Login credentials
• Bootloader keys
• SSh keys
• etc.

Currently we lack clear guidelines that would tell developers how to handle such secrets in their repositories.

The purpose of this issue is to provide place for discussion about this topic and to define a set of clear guidelines on how to handle secrets.

Required steps / Implementation details

• Research existing good practices related to handling confidential information.
• Write down a clear list of rules what is not allowed to be checked into the git and what should be handled elsewhere.
• Provide enough info and resources so that developers will have enough knowledge to recognize the possibly problematic security situation and seek help.

Definition of Done

Section in guidelines is written and reviewed.

[TjazVracko]

We need both RULES and technical solutions.

For example, mcuboot signing keys are currently committed to various repos. Having them in github secrets might be doable, but it is not clear how.

[vid553]

I think these guidelines should also include the following info:

• how to check an existing project for any sensitive information and update / fix it
• how to proceed in a security incident event (leaked secret, hacked account, etc)

Also, Github offers various tools for automated checking and preventing exposing secrets in repos. We should consider using some of those features: https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security

[KajbaM]

Absolute must: pre-commit like system/hooks that checks for sensitive information before commit reaches git.

[MarkoSagadin]

Plus one for to all above comments.

Absolute must: pre-commit like system/hooks that checks for sensitive information before commit reaches git.

We already have detect-private-key hook that does help a bit with that. I can research what are some other hooks that belong into security category.