Security Best Practices¶

This guide outlines security best practices when using aider-lint-fixer in development and production environments.

Code Security¶

Secure Coding Practices¶

Input Validation
Validate all external inputs
Sanitize file paths and names
Check file permissions before processing
Error Handling
Don't expose sensitive information in error messages
Log security events appropriately
Implement proper exception handling

Static Analysis Security¶

# Run security-focused linters
python -m aider_lint_fixer --enable-security-checks

# Use bandit for security analysis
pip install bandit
bandit -r aider_lint_fixer/

API Key Security¶

Environment Variables¶

# Never commit API keys to repository
export OPENAI_API_KEY=your_key_here
export ANTHROPIC_API_KEY=your_key_here

# Use .env files (add to .gitignore)
echo "OPENAI_API_KEY=your_key" >> .env
echo ".env" >> .gitignore

Key Rotation¶

# Regularly rotate API keys
# Update environment variables
# Test key validity
python -c "import openai; print('Key valid')"

File System Security¶

Secure File Handling¶

Path Traversal Prevention

import os.path

# Validate paths
safe_path = os.path.abspath(user_path)
if not safe_path.startswith(allowed_directory):
    raise SecurityError("Path traversal attempt")

File Permissions

# Set restrictive permissions
chmod 600 config/secrets.yml
chmod 755 scripts/

Temporary Files¶

import tempfile
import os

# Use secure temporary files
with tempfile.NamedTemporaryFile(delete=True) as tmp:
    # Process file securely
    pass

Network Security¶

HTTPS Usage¶

# Always use HTTPS for API calls
api_base = "https://api.openai.com/v1"
# Never: http://api.openai.com/v1

Certificate Validation¶

import requests

# Enable SSL verification
response = requests.get(url, verify=True)

Container Security¶

Docker Security¶

# Use non-root user
FROM python:3.11-slim
RUN adduser --disabled-password --gecos '' appuser
USER appuser

# Minimal base image
FROM python:3.11-alpine

# Security scanning
RUN apk add --no-cache security-scanner

Container Scanning¶

# Scan for vulnerabilities
docker scan aider-lint-fixer:latest

# Use security-focused base images
FROM gcr.io/distroless/python3

CI/CD Security¶

GitHub Actions Security¶

name: Secure CI
on: [push, pull_request]
jobs:
  security-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Security Scan
        uses: securecodewarrior/github-action-add-sarif@v1

      - name: Secret Scanning
        run: |
          pip install detect-secrets
          detect-secrets scan --all-files

Secret Management¶

# Use GitHub Secrets
env:
  API_KEY: ${{ secrets.OPENAI_API_KEY }}

# Mask sensitive values
run: |
  echo "::add-mask::$API_KEY"

Dependency Security¶

Vulnerability Scanning¶

# Scan dependencies
pip install safety
safety check

# Check for known vulnerabilities
pip-audit

Dependency Pinning¶

# requirements.txt - pin versions
requests==2.28.1
pydantic==1.10.2
click==8.1.3

Regular Updates¶

# Update dependencies regularly
pip list --outdated
pip install --upgrade package_name

# Use dependabot for automated updates

Configuration Security¶

Secure Configuration¶

# config/security.yml
security:
  enable_audit_logging: true
  max_file_size: 10MB
  allowed_extensions: ['.py', '.js', '.ts']
  blocked_patterns:
    - '*.secret'
    - '*.key'

Environment-Specific Settings¶

# Different configs for different environments
if os.getenv('ENV') == 'production':
    DEBUG = False
    ALLOWED_HOSTS = ['your-domain.com']
else:
    DEBUG = True
    ALLOWED_HOSTS = ['localhost', '127.0.0.1']

Monitoring and Auditing¶

Security Logging¶

import logging

# Security event logging
security_logger = logging.getLogger('security')
security_logger.info(f"User {user} accessed {resource}")

Audit Trails¶

# Enable audit logging
export AUDIT_LOG_ENABLED=true
export AUDIT_LOG_LEVEL=INFO

Incident Response¶

Security Incident Plan¶

Detection: Monitor for security events
Containment: Isolate affected systems
Eradication: Remove threats
Recovery: Restore normal operations
Lessons Learned: Document and improve

Emergency Procedures¶

# Revoke compromised keys immediately
# Rotate all credentials
# Review access logs
# Update security measures

Security Best Practices¶

Code Security¶

Secure Coding Practices¶

Static Analysis Security¶

API Key Security¶

Environment Variables¶

Key Rotation¶

File System Security¶

Secure File Handling¶

Temporary Files¶

Network Security¶

HTTPS Usage¶

Certificate Validation¶

Container Security¶

Docker Security¶

Container Scanning¶

CI/CD Security¶

GitHub Actions Security¶

Secret Management¶

Dependency Security¶

Vulnerability Scanning¶

Dependency Pinning¶

Regular Updates¶

Configuration Security¶

Secure Configuration¶

Environment-Specific Settings¶

Monitoring and Auditing¶

Security Logging¶

Audit Trails¶

Incident Response¶

Security Incident Plan¶

Emergency Procedures¶

Compliance¶

Data Protection¶

Security Standards¶

Regular Security Tasks¶

Weekly¶

Monthly¶

Quarterly¶

Next Steps¶