Skip to content

Security: scthornton/prisma-airs-jupyter

Security

SECURITY.md

Security Policy

πŸ”’ Reporting Security Issues

If you discover a security vulnerability in this repository, please do not use the public issue tracker. Instead:

  1. Create a private security advisory on GitHub (Security tab β†’ Advisories β†’ New draft)
  2. Or contact the repository owner directly

Security reports will be acknowledged within 48 hours.

πŸ›‘οΈ Security Best Practices

API Key Safety

⚠️ CRITICAL: Never commit API keys to this repository

  • βœ… Always use environment variables for credentials
  • βœ… Clear notebook outputs before committing: Cell β†’ All Output β†’ Clear
  • βœ… Review notebooks for hardcoded secrets before pushing
  • βœ… Add .env files to .gitignore (already configured)

Before Committing

Run this checklist before every commit:

# 1. Clear all notebook outputs
jupyter nbconvert --clear-output --inplace *.ipynb

# 2. Search for potential secrets (should return nothing)
grep -r "sk-" *.ipynb
grep -r "api_key.*=" *.ipynb | grep -v "os.getenv"

# 3. Check for environment variable files
ls -la | grep .env

Recommended Environment Setup

# Set environment variables in your shell config (~/.zshrc, ~/.bashrc)
export PANW_AI_SEC_API_KEY="your-key"
export PRISMA_AIRS_PROFILE="your-profile"
export OPENAI_API_KEY="your-key"

# Or use a .env file (which is in .gitignore)
echo 'PANW_AI_SEC_API_KEY=your-key' > .env
echo 'PRISMA_AIRS_PROFILE=your-profile' >> .env
echo 'OPENAI_API_KEY=your-key' >> .env

πŸ“¦ Dependency Security

Keeping Dependencies Updated

# Check for outdated packages
pip list --outdated

# Update all dependencies
pip install --upgrade -r requirements.txt

Dependency Vulnerability Scanning

This repository uses:

  • Dependabot - Automatically creates PRs for dependency updates
  • GitHub Security Advisories - Alerts for known vulnerabilities

To manually check for vulnerabilities:

pip install safety
safety check -r requirements.txt

🚨 Known Risks & Mitigations

Risk: Notebook Output May Contain Sensitive Data

Mitigation:

  • Always clear outputs before sharing: Cell β†’ All Output β†’ Clear
  • Review API responses for PII or sensitive information
  • The .gitignore is configured to ignore notebook checkpoints

Risk: Test Prompts May Trigger API Rate Limits

Mitigation:

  • Use the synchronous notebook for individual tests
  • Add delays between batch requests in the asynch notebook
  • Monitor your Prisma AIRS API usage dashboard

Risk: Hardcoded Test Data in Notebooks

Mitigation:

  • Example prompts use fake/sanitized data only
  • Do not use real PII, credentials, or production data in tests
  • Replace example data before sharing notebooks

πŸ“‹ Supported Versions

This is a testing repository. Security updates apply to:

Version Supported
Latest commit (main) βœ… Supported
Older commits ❌ Not supported - please update

πŸ” Security Features in Notebooks

The notebooks include built-in security practices:

  • βœ… Environment variable usage by default
  • βœ… No hardcoded credentials in shared versions
  • βœ… Clear documentation on credential management
  • βœ… Error handling for API failures
  • βœ… Timeout configurations to prevent hanging requests

πŸ“š Additional Resources

βœ… Security Checklist for Contributors

Before submitting any changes:

  • No API keys or secrets in code
  • All notebook outputs cleared
  • Environment variables used for credentials
  • .gitignore includes all sensitive file patterns
  • No real PII or production data in examples
  • Dependencies are up to date
  • Code follows security best practices

Last Updated: October 2025

There aren’t any published security advisories