docs: add secure credential practices guide #24
stevefulme1 wants to merge 1 commit into redhat-cop:main from
Conversation
Developer-facing guide covering golden rules for credential handling, tooling enforcement (Gitleaks pre-commit and CI), code review checklist, new team member onboarding process, and incident response procedures. References Red Hat IT InfoSec secret management policy as the authoritative source.

Resolves: MFG-381

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
sabre1041
left a comment
This is a good guide as a whole. Check the comments as there are some pieces where it is clear AI was used including repeating some of the same points. Also, check if there are any publicly available documents that align to the principles that are being referenced
| # Secure Credential Practices for Developers | ||
|
|
||
| This guide defines the secure credential management practices that all | ||
| contributors to the OpenShift Virtualization Migration Factory must |
| contributors to the OpenShift Virtualization Migration Factory must | |
| contributors to the Ansible for OpenShift Virtualization Migration project must |
| secret management. Refer to the authoritative source for organization- | ||
| wide requirements: | ||
|
|
||
| > <https://source.redhat.com/departments/strategy_and_operations/it/it_information_security/wiki/secret_management_at_red_hat> |
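Review bot: the only authoritative reference the guide gives is a source.redhat.com link, which contributors outside Red Hat cannot open, so in a public repository this sentence sends readers to a document they cannot read. Suggest keeping the internal link for Red Hat staff but pairing it with a publicly accessible reference that covers the same principles, and saying in the text which requirements apply to external contributors.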
Is there a public reference that can be used that illustrates these same primitives?
| or empty strings as values for any credential field. | ||
| 3. **Encrypt sensitive variable files with Ansible Vault.** Any file | ||
| containing real credential values must be encrypted before it | ||
| touches disk. See `inventory.vault.yml.example` for the template. |
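Review bot: rule 3 says a file with real credential values must be encrypted "before it touches disk", which Ansible Vault does not guarantee: `ansible-vault edit` and the usual editor workflows write a decrypted temporary copy while the file is being edited. Suggest rewording to "must be encrypted before it is committed or shared" and adding that the unencrypted working copy must be covered by .gitignore. The `inventory.vault.yml.example` template referenced here is also not part of this change, so either add it in this PR or state that it arrives with #23.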
Where is this template file?
|
|
||
| ```bash | ||
| pip install pre-commit | ||
| cd openshift_virtualization_migration |
Probably don't need this line
| `changeme` placeholder or an empty string. | ||
| 2. Add the variable to `inventory.vault.yml.example` with an empty | ||
| value and a descriptive comment. | ||
| 3. If the secret is used at runtime by AAP, define it in the |
|
|
||
| 2. **Read this guide** and `docs/secure_credential_management.md`. | ||
|
|
||
| 3. **Review the Red Hat secret management policy:** |
| 4. **Set up local vault file** (if running playbooks locally): | ||
|
|
||
| ```bash | ||
| cp inventory.vault.yml.example inventory.vault.yml |
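Review bot: `cp inventory.vault.yml.example inventory.vault.yml` leaves a plaintext file on disk that the developer will then fill with real values, and nothing in this step says when it gets encrypted. Suggest a follow-on step directly after the copy, e.g. `ansible-vault encrypt inventory.vault.yml`, plus a check that `inventory.vault.yml` is listed in .gitignore so an unencrypted copy cannot be staged by accident.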
File once again does not exist
| - How to add a false positive allowlist entry to `.gitleaks.toml` if | ||
| needed. | ||
|
|
||
| ## Incident Response |
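Review bot: the allowlist bullet should constrain how an entry is written, not just say that one can be added: a broad `.gitleaks.toml` allowlist regex or path glob silently disables detection for everything it matches. Suggest requiring that each entry match one file path or one specific string, carry a comment explaining why it is a false positive, and go through normal code review. For the Incident Response section that follows, make sure rotating the exposed credential is the first step, and that the section states plainly that rewriting git history does not revoke a secret that has already been pushed to a public remote.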
With a public repository, there would need to be some additional considerations including communicating with the community on any steps they need to perform
Portions of this PR depend on #23
Summary
- docs/secure_credential_practices.md — developer-facing guide for secure credential handling
- .gitignore protections
Related
Test plan
🤖 Generated with Claude Code