Security Quick Reference
Fast reference for common security tasks.
🚀 Quick Commands
bash
# Before publishing - run security check
npm run security:check
# Scan entire project
npm run security:scan
# Scan with verbose output
npm run security:scan:verbose
# Scan specific pet
bun scripts/security-scan.ts --dir pets/maps
# Strict mode - fail on any issue
npm run security:check:all✅ Pre-Publish Checklist
bash
# 1. Security scan
npm run security:check
# 2. Dependency audit
npm audit
# 3. Dry-run publish
cd pets/maps
npm publish --dry-run
# 4. Verify package contents
npm pack
tar -tzf @openpets/maps-1.0.7.tgz
# 5. Publish with provenance
npm publish --access public --provenance🔴 Critical Issues to Avoid
Never commit:
.envfiles- API keys (
AIza...,sk-..., etc.) - Private keys (
*.pem,*.key) - Credentials (
credentials.json) - Tokens (
ghp_...,npm_...)
Always:
- Use environment variables
- Add secrets to
.gitignore - Run security scan before publish
- Use
--provenanceflag - Enable 2FA on npm account
🛠️ NPM Security Setup
Enable 2FA
bash
npm profile enable-2fa auth-and-writesCreate Granular Token
bash
npm token create \
--scope=@openpets \
--description="GitHub Actions" \
--expires=365dVerify Token
bash
npm whoami
npm token list🚨 If Secret Was Exposed
Immediate actions:
bash
# 1. Rotate the secret immediately
# Generate new API key from provider
# 2. Unpublish if within 72 hours
npm unpublish openpets@1.0.x
# 3. Or deprecate if past 72 hours
npm deprecate openpets@1.0.x "Security issue - upgrade required"
# 4. Fix and republish
npm version patch
npm run security:check
npm publish --provenance📊 Regular Audits
bash
# Weekly
npm audit
npm run security:scan
# Monthly
npm outdated
npm token list # Check token expiration
# Before each publish
npm run security:check
npm publish --dry-run