一键导入
secrets-management
Secure credential handling using environment variables, GitHub secrets, and never committing secrets to source code
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Secure credential handling using environment variables, GitHub secrets, and never committing secrets to source code
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
C4 architecture model, security architecture, Mermaid diagrams, SECURITY_ARCHITECTURE.md, and comprehensive documentation per Hack23 Secure Development Policy
AI-augmented development controls, GitHub Copilot governance, LLM security, AI-generated code review per Hack23 Secure Development Policy
EU AI Act compliance, OWASP LLM security, responsible AI practices for parliamentary data and MCP server applications
Enforce code quality with ESLint, TypeScript strict mode, Knip unused detection, and quality gates for MCP servers
ISO 27001, NIST CSF 2.0, CIS Controls v8.1, EU CRA compliance mapping, multi-standard alignment per Hack23 ISMS policies
Contribution process with PR workflow, code review standards, commit conventions, and open source best practices
| name | secrets-management |
| description | Secure credential handling using environment variables, GitHub secrets, and never committing secrets to source code |
| license | Apache-2.0 |
Ensure secure handling of API keys, tokens, and credentials in MCP server development. Zero tolerance for hardcoded secrets.
// ❌ NEVER: Hardcoded credentials
const API_KEY = "sk_live_abc123def456";
// ✅ CORRECT: Environment variables
const API_KEY = process.env['EP_API_KEY'] ?? '';
// MCP server configuration
const config = {
timeout: Number.parseInt(process.env['EP_REQUEST_TIMEOUT_MS'] ?? '10000'),
baseUrl: process.env['EP_BASE_URL'] ?? 'https://data.europarl.europa.eu/api/v2',
};
# .github/workflows/ci.yml
env:
EP_API_KEY: ${{ secrets.EP_API_KEY }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
MCP server tokens are injected at runtime by the GitHub Copilot environment via .github/copilot-mcp.json. Secrets are never stored in configuration files — GitHub resolves ${{ secrets.* }} references during workflow execution:
# .github/copilot-mcp.json uses secret references (resolved by GitHub at runtime)
# The MCP client receives actual token values — never template strings
# See .github/copilot-mcp.json for the canonical configuration
Environment variables for local development:
export GITHUB_TOKEN="ghp_your_token_here" # Set in shell, never in code
.env
.env.local
.env.production
*.key
*.pem
secrets/
credentials/
# GitHub enables secret scanning automatically
# Additional: npm audit, CodeQL analysis
If a secret is committed:
Core policies:
Supporting policies: