Security: amarkdotdev/patchpulse

SECURITY.md

🔒 PatchPulse Security - API Key Protection

Security Measures Implemented

API Key Protection (ZERO TOLERANCE LEAKAGE)

  1. Environment Variables Only

    • API key stored ONLY in .env file
    • Never hardcoded in source code
    • Never committed to git (.env in .gitignore)
  2. Logging Protection

    • All log messages sanitized before logging
    • API key replaced with [REDACTED] in any log output
    • Error messages never contain API key
    • Custom sanitize_for_logging() function
  3. Response Validation

    • Every API response validated before sending
    • validate_no_key_leakage() checks all response data
    • API key automatically removed if detected
    • Critical security alert logged if key found
  4. Error Handling

    • All exception messages sanitized
    • Stack traces checked for API key
    • Generic error messages to users
    • Detailed errors only in secure logs
  5. Code-Level Protection

    • API key format validation without exposure
    • Key only accessed via os.getenv()
    • Never passed as function parameter
    • Never included in data structures
  6. Rate Limiting

    • API call rate limiting (10 calls/minute)
    • Prevents abuse and key exposure attempts
    • Per-identifier tracking
  7. Docker Security

    • Environment variables via env_file
    • No key in Docker image layers
    • No key in container environment inspection
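
The logging, response and error-handling checks in items 2 to 4, sketched as an added example: this is not PatchPulse's own code, and `sanitize_for_logging()` and `validate_no_key_leakage()` here only borrow the names listed above. The `DEEPSEEK_API_KEY` variable name and the `RedactingFormatter` class are assumptions.

```python
import logging
import os

REDACTED = "[REDACTED]"
ENV_VAR = "DEEPSEEK_API_KEY"  # assumed variable name; the page does not give it


def _secret():
    # Read at call time; an empty value counts as "no key" so replace() stays safe.
    return os.getenv(ENV_VAR) or None


def sanitize_for_logging(text):
    """Replace every occurrence of the key in text with [REDACTED]."""
    key = _secret()
    text = str(text)
    return text.replace(key, REDACTED) if key else text


class RedactingFormatter(logging.Formatter):
    """Redact the fully formatted record: message, args and traceback text."""
    def format(self, record):
        return sanitize_for_logging(super().format(record))


def validate_no_key_leakage(data):
    """Return (clean_copy, leaked) for JSON-like response data."""
    leaked = False

    def walk(node):
        nonlocal leaked
        if isinstance(node, dict):
            return {(walk(k) if isinstance(k, str) else k): walk(v) for k, v in node.items()}
        if isinstance(node, (list, tuple)):
            return [walk(v) for v in node]
        if isinstance(node, str):
            clean = sanitize_for_logging(node)
            leaked = leaked or clean != node
            return clean
        return node

    clean = walk(data)
    if leaked:
        logging.getLogger("security").critical("API key found in response; removed")
    return clean, leaked
```

Redacting in the formatter rather than in a filter covers the traceback text as well as the message. Every handler needs this formatter, since a handler with a plain `logging.Formatter` would still emit the raw text.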

Security Checklist

  • ✅ API key never in source code
  • ✅ API key never in git repository
  • ✅ API key never in logs
  • ✅ API key never in API responses
  • ✅ API key never in error messages
  • ✅ API key never in stack traces
  • ✅ All strings sanitized before logging
  • ✅ Response validation before sending
  • ✅ Rate limiting implemented
  • ✅ Secure error handling

Testing Security

To verify that the API key is never exposed:

# Check logs
docker compose logs backend | grep -i "deepseek\|api.*key" | grep -v "REDACTED"

# Check API responses
curl http://localhost:8000/api/v1/decisions | grep -i "api.*key\|deepseek"

# Check environment
docker compose exec backend env | grep -i "deepseek\|api.*key"

If any of these return results (except REDACTED), there's a security issue.

Incident Response

If the API key is ever detected in logs/responses:

  1. Immediately rotate the API key
  2. Review all logs for exposure
  3. Check git history for accidental commits
  4. Update security measures
  5. Document incident

Security is our top priority. The API key is protected with multiple layers of defense.
