Skip to content

Security Quick Reference

Fast reference for common security tasks.

🚀 Quick Commands

bash
# Before publishing - run security check
npm run security:check

# Scan entire project
npm run security:scan

# Scan with verbose output
npm run security:scan:verbose

# Scan specific pet
bun scripts/security-scan.ts --dir pets/maps

# Strict mode - fail on any issue
npm run security:check:all

✅ Pre-Publish Checklist

bash
# 1. Security scan
npm run security:check

# 2. Dependency audit
npm audit

# 3. Dry-run publish
cd pets/maps
npm publish --dry-run

# 4. Verify package contents
npm pack
tar -tzf @openpets/maps-1.0.7.tgz

# 5. Publish with provenance
npm publish --access public --provenance

🔴 Critical Issues to Avoid

Never commit:

  • .env files
  • API keys (AIza..., sk-..., etc.)
  • Private keys (*.pem, *.key)
  • Credentials (credentials.json)
  • Tokens (ghp_..., npm_...)

Always:

  • Use environment variables
  • Add secrets to .gitignore
  • Run security scan before publish
  • Use --provenance flag
  • Enable 2FA on npm account

🛠️ NPM Security Setup

Enable 2FA

bash
npm profile enable-2fa auth-and-writes

Create Granular Token

bash
npm token create \
  --scope=@openpets \
  --description="GitHub Actions" \
  --expires=365d

Verify Token

bash
npm whoami
npm token list

🚨 If Secret Was Exposed

Immediate actions:

bash
# 1. Rotate the secret immediately
# Generate new API key from provider

# 2. Unpublish if within 72 hours
npm unpublish openpets@1.0.x

# 3. Or deprecate if past 72 hours
npm deprecate openpets@1.0.x "Security issue - upgrade required"

# 4. Fix and republish
npm version patch
npm run security:check
npm publish --provenance

📊 Regular Audits

bash
# Weekly
npm audit
npm run security:scan

# Monthly
npm outdated
npm token list  # Check token expiration

# Before each publish
npm run security:check
npm publish --dry-run