跳到主要内容

Plugin Security Standards

Handling Sensitive Data

Identifying Sensitive Data

The following types of data are considered sensitive:

  • Authentication information (token, password, api-key, etc.)
  • Personal Identifiable Information (name, email, phone number, etc.)
  • Project Confidential Information (business plans, source code, etc.)
  • System Configuration Information (database connection strings, etc.)

Handling Principles

  1. No Hardcoding: It is strictly prohibited to hardcode sensitive information in the code
  2. Use Secure Input: Obtain sensitive data through secure input mechanisms
  3. Encrypted Storage: Sensitive data must be encrypted during storage and transmission
  4. Minimize Exposure: Expose sensitive data only when necessary
  5. Timely Cleanup: Clean up sensitive data in memory after use

Code Examples

// Incorrect: Hardcoded token
const token = 'hardcoded-token-12345';

// Correct: Obtain token through secure input
const token = core.getInput('token');

// Clean up after use
function cleanupSensitiveData() {
if (token) {
token = null;
}
}

Input Parameter Security Validation

All input parameters must be strictly validated:

Parameter TypeValidation RulesExample
StringLength limit, format checkEmail format, URL format
NumberRange check, type checkPositive number, negative number range restriction
FilePath security checkPrevent path traversal attacks
ListElement validation, length limitMaximum number of elements restriction