
Content: Password Management for #8 (#27)

Open: JosephTLucas wants to merge 11 commits into main from passwords

Conversation

@JosephTLucas (Collaborator):

Closes #8

@JosephTLucas JosephTLucas self-assigned this Feb 26, 2025

@agriyakhetarpal (Member) left a comment:

Thanks, @JosephTLucas! I feel we should also leave a link to Scientific Python's SPEC 6 – Keys to the Castle here, as a part of it also addresses a similar topic. What do you think?

Comment threads on bestpractices/content/passwords.md (most now outdated):

> ## Best Practices for Secret Handling
>
> 1. **Never store passwords or tokens directly in your repository.** Use something like GitHub Secrets to manage your secrets during CI/CD.

@agriyakhetarpal (Member):

Suggested change:

Original: 1. **Never store passwords or tokens directly in your repository.** Use something like GitHub Secrets to manage your secrets during CI/CD.

Suggested: 1. **Never store passwords or tokens directly in your repository.** Use secrets on GitHub or similar tooling to manage your secrets during CI/CD.

"GitHub Secrets" makes me feel as if it's an official product/service offered by GitHub to manage secrets, and it doesn't show up as such on search engines, so it could be misleading – I'm curious to hear your thoughts.

@JosephTLucas (Collaborator, Author):

Good point, I can clarify with "secrets in GitHub Actions".

Comment on lines +48 to +49 of bestpractices/content/passwords.md (outdated):

> Even with a password manager, mistakes can happen. You or a contributor might accidentally commit a password, API key, or other credentials to the repository. Fortunately, tools like [trufflehog](https://github.com/trufflesecurity/trufflehog) can help detect these secrets before they make their way into production or public repositories.

@agriyakhetarpal (Member):

I think we should also mention that GitHub also has its secret scanning service, which is available for free for public repositories: https://docs.github.com/en/code-security/secret-scanning/enabling-secret-scanning-features (and paid for private repositories).

The last time I checked, it used to be enabled by default – I'm a bit surprised that's no longer the case (or I'm misremembering).
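The two review threads above concern the same control from two sides: never commit credentials (use CI secrets instead), and run a scanner so that a slip is caught before it reaches a shared or public repository. The following is an added example of the detection side, not the project's own tooling and not trufflehog or GitHub secret scanning (both of which carry far more detectors and verify matches). It is a minimal pre-commit style scanner: the detector patterns and the entropy threshold are assumptions chosen for illustration, and every value in the embedded sample is constructed (the AWS key is the public documentation example ID), not a live credential.

```python
"""Minimal pre-commit secret scanner.

Added example, not the project's own tooling: it flags text that matches a
known credential format or looks like a high-entropy token, so a commit can
be rejected before it ever reaches a shared repository. The detector set is
an assumption kept deliberately small.
"""
import math
import re
import sys
from collections import Counter

# Known credential shapes: GitHub personal access tokens begin with "ghp_"
# and AWS access key IDs with "AKIA". The last pattern catches generic
# assignments such as api_key = "..." and is filtered by entropy below.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b"
        r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off for "looks generated"


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character: random tokens score high, words low."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line: str) -> list:
    """Return [(detector, matched_value), ...] for one line of text."""
    findings = []
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(line):
            value = match.group(1) if match.groups() else match.group(0)
            # Generic assignments are noisy (placeholders like "changeme"),
            # so only report them when the value looks machine-generated.
            if name == "generic_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append((name, value))
    return findings


def scan_text(text: str) -> list:
    """Scan a file body; returns [(line_number, detector, value), ...]."""
    results = []
    for number, line in enumerate(text.splitlines(), start=1):
        for name, value in scan_line(line):
            results.append((number, name, value))
    return results


# Constructed sample of a file about to be committed. Every value is made up
# (the AWS key is the documentation example ID), not a live credential.
SAMPLE = """\
API_URL = "https://example.invalid/v1"
GITHUB_TOKEN = "ghp_ExampleToken0123456789abcdefghijklmn"
password = "changeme"
aws_key = "AKIAIOSFODNN7EXAMPLE"
api_key = "q7Hf3Lm9Zt2Wx8Pv4Rn6Yc1Kb5Jd0Sg"
"""


def main(paths: list) -> int:
    """Pre-commit entry point: scan each path, return 1 if anything is found."""
    hits = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for number, name, value in scan_text(fh.read()):
                # Report the location and a short prefix only; never echo the full secret.
                print(f"{path}:{number}: {name}: {value[:6]}...")
                hits += 1
    return 1 if hits else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for number, name, value in scan_text(SAMPLE):
        print(f"sample:{number}: {name}: {value[:6]}...")
```

Run with no arguments it scans the embedded sample and reports three findings (the GitHub token on line 2, the AWS key ID on line 4, and the high-entropy `api_key` on line 5) while ignoring the placeholder `password = "changeme"`; wired into a pre-commit hook with the staged file paths as arguments, a non-zero exit blocks the commit. The entropy filter is what keeps a generic `password =` pattern usable: without it every placeholder and test fixture would be reported and the hook would quickly be disabled.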

@JosephTLucas (Collaborator, Author):

> Thanks, @JosephTLucas! I feel we should also leave a link to Scientific Python's SPEC 6 – Keys to the Castle here, as a part of it also addresses a similar topic. What do you think?

Great idea. Do you have some specific context you want to add? If so, feel free to add it directly.

Great review by the way, thank you! I appreciate it.

JosephTLucas and others added 8 commits February 26, 2025 15:34
Co-authored-by: Agriya Khetarpal <74401230+agriyakhetarpal@users.noreply.github.com>
@agriyakhetarpal (Member):

> > I feel we should also leave a link to Scientific Python's SPEC 6 – Keys to the Castle here, as a part of it also addresses a similar topic. What do you think?
>
> Great idea. Do you have some specific context you want to add? If so, feel free to add it directly.
>
> Great review by the way, thank you! I appreciate it.

Thank you, the pleasure is all mine! I'll have to think about any additional context to include here, as that SPEC was geared more towards general security practice(s) of managing project-specific resources and not password management in specific. Maybe just a link to it in the conclusion would be alright as a resource for extra reading? I'll push a commit to add it.

@reshamas (Member) commented Feb 27, 2025:

Reminder for me: will add list of examples of accounts for password manager.

For example 1Password has an option for various "vaults", such as "social-media". This permits specific maintainers to access specific vaults.

@BARRYPMARSHALL:

Hi! I noticed you are looking for security scanning help.

I run FREE33 — a free-to-try microservices platform with 11 services including:

  • Code Review — 11 languages (Python, JS, TS, Go, Rust, Java, Ruby, PHP, C/C++), ruff + eslint
  • Security Scanning — secrets, API keys, SQLi, XSS, credential leakage
  • WASM Compiler, JSON Validator, Diff Engine, API Mocker, and more

All services offer free trials, no signup required. Micro-credit pricing starts at 0.0003 cr per call.

Live endpoint: https://ref-used-out-alliance.trycloudflare.com
GitHub repo: https://github.com/BARRYPMARSHALL/free33

Let me know if FREE33 can help — happy to walk you through integration!

Development: successfully merging this pull request may close the issue "Add Password Management". 4 participants.