Plugin Security Standards
Handling Sensitive Data
Identifying Sensitive Data
The following types of data are considered sensitive:
- Authentication information (token, password, api-key, etc.)
- Personal Identifiable Information (name, email, phone number, etc.)
- Project Confidential Information (business plans, source code, etc.)
- System Configuration Information (database connection strings, etc.)
Handling Principles
- No Hardcoding: It is strictly prohibited to hardcode sensitive information in the code
- Use Secure Input: Obtain sensitive data through secure input mechanisms
- Encrypted Storage: Sensitive data must be encrypted during storage and transmission
- Minimize Exposure: Expose sensitive data only when necessary
- Timely Cleanup: Clean up sensitive data in memory after use
Code Examples
// Incorrect: Hardcoded token
const token = 'hardcoded-token-12345';
// Correct: Obtain token through secure input
const token = core.getInput('token');
// Clean up after use
function cleanupSensitiveData() {
if (token) {
token = null;
}
}
Input Parameter Security Validation
All input parameters must be strictly validated:
| Parameter Type | Validation Rules | Example |
|---|---|---|
| String | Length limit, format check | Email format, URL format |
| Number | Range check, type check | Positive number, negative number range restriction |
| File | Path security check | Prevent path traversal attacks |
| List | Element validation, length limit | Maximum number of elements restriction |