mancitrus/system-prompts-and-models-of-ai-tools
1
0
Fork 0
mirror of https://github.com/x1xhlol/system-prompts-and-models-of-ai-tools.git synced 2026-06-18 23:39:34 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
0f8dd825c3
system-prompts-and-models-o.../dealix/SECURITY.md
Sami Assiri f79c69ff25 ci(dealix): root GitHub workflows, ai-company track, full Dealix API tree 
Made-with: Cursor
2026-05-01 14:03:52 +03:00

2.4 KiB
Raw Blame History

Security Policy | سياسة الأمن

🛡️ Supported versions

Version Supported
2.x
1.x (EOL)

🐛 Reporting a vulnerability

Please do NOT open a public issue for security vulnerabilities.

Instead, report them privately via:

Include:

  1. A description of the vulnerability.
  2. Steps to reproduce.
  3. Potential impact.
  4. Any suggested fixes.

We aim to acknowledge within 48 hours and provide a resolution timeline within 7 days.

🔒 Security features in this project

  • Config: all secrets loaded from .env via pydantic-settings with SecretStr.
  • Secret scanning: gitleaks + detect-secrets + trufflehog in pre-commit AND CI.
  • Dependency scanning: Dependabot weekly + bandit Python security linter.
  • Docker: non-root user, multi-stage build, minimal base image.
  • Webhooks: HMAC-SHA256 signature verification (WhatsApp).
  • LinkedIn integration: disabled by default (ToS compliance).

🔑 Key rotation guidance

If you believe a key has been exposed:

  1. Immediately rotate the key in the provider's dashboard:
    • Anthropic Console → API Keys → regenerate
    • DeepSeek, Groq, GLM, Google, OpenAI: regenerate in respective consoles
    • HubSpot, Resend, SendGrid: regenerate
    • WhatsApp Business: regenerate access token
  2. Update .env with the new key.
  3. Redeploy.
  4. Check GitHub → Settings → Secret scanning alerts.
  5. Run gitleaks detect --source . --report-format json to scan history.

Pre-commit checklist for maintainers

Before merging any PR:

  • gitleaks pre-commit hook passed
  • No new files in .env* except .env.example
  • No new domain-specific secrets in core/ or integrations/
  • All new integrations use settings.*_api_key.get_secret_value() pattern

🇸🇦 بالعربية

الإبلاغ عن ثغرات

لا تفتح issue عام للثغرات الأمنية. أرسل إلى: security@ai-company.sa

نهدف للرد خلال ٤٨ ساعة وتقديم جدول زمني للحل خلال ٧ أيام.

تدوير المفاتيح

إذا تسرّب مفتاح:

  1. فوراً دوّر المفتاح من لوحة المزود.
  2. حدّث .env.
  3. أعد النشر.
  4. افحص تنبيهات GitHub secret scanning.