This document outlines security best practices for working with this Ansible repository.
- Never commit sensitive information:
  - Passwords
  - API tokens/keys
  - Private keys
  - Personal paths (e.g., /Users/yourname/)
  - IP addresses of internal systems
  - Hostnames of internal systems
- Use Ansible Vault for secrets. Commit only the encrypted output, and keep the vault password itself out of the repository (for example, point `--vault-password-file` at a file outside the working tree):

  ```bash
  # Encrypt a single value; the vault password is prompted for under the vault ID "my_project"
  ansible-vault encrypt_string --vault-id my_project@prompt 'secret_value' --name 'secret_key'

  # Encrypt an entire file
  ansible-vault encrypt vars/secrets.yml
  ```
- Use variables for paths:
  - Define paths relative to the playbook or role location (the `playbook_dir` and `role_path` magic variables) or put them in variables the user can override
  - Avoid hardcoding absolute paths
Before committing code, run these checks:

```bash
# Check for personal paths
grep -rn "/Users/" --include="*.yml" --include="*.yaml" .

# Check for common sensitive data patterns (case-insensitive)
grep -rni "password\|secret\|token\|key" --include="*.yml" --include="*.yaml" .
```

The second pattern matches variable names as well as values, so it also reports vault-encrypted entries and `{{ vault_... }}` references; review each hit rather than treating the whole list as findings.

For continuous integration, consider adding:
- Pre-commit hooks for automated security checks
- Ansible-lint with security rules enabled
- Secret scanning tools like detect-secrets or GitGuardian
- Infrastructure as Code scanners such as tfsec, if the repository also contains Terraform code
If you discover a security vulnerability in this repository:
- Do not create a public GitHub issue
- Email the repository owner directly with the details: mailto:[email protected]
- Provide enough information to reproduce and understand the issue
Keep all dependencies up to date:

```bash
# Update an Ansible collection to its latest version
ansible-galaxy collection install --upgrade <collection>

# Check for outdated Python dependencies (run inside the project's virtualenv so it reports the right packages)
pip list --outdated
```

This document should be reviewed and updated regularly as part of the project maintenance.