Security: labrats-work/infra.github.app-creator

SECURITY.md

Security Policy

Supported Versions

This project consists of GitHub App creation tools. Security updates are applied to the main branch.

Version   Supported
main      yes (receives security updates)

Reporting a Vulnerability

If you discover a security vulnerability in this project, please report it responsibly:

How to Report

  1. Do NOT create a public GitHub issue for security vulnerabilities
  2. Send a private report via one of these methods:

What to Include

When reporting a vulnerability, please include:

  • Description of the vulnerability
  • Potential impact on app security or credentials
  • Steps to reproduce the issue
  • Suggested fix (if you have one)
  • Your contact information for follow-up

Response Timeline

  • Acknowledgment: Within 48 hours
  • Initial Assessment: Within 7 days
  • Fix Timeline: Depends on severity
    • Critical: 1-3 days
    • High: 1-2 weeks
    • Medium: 2-4 weeks
    • Low: Next release cycle

Security Considerations

Credential Security

This repository handles sensitive GitHub App credentials:

  • Private Keys: Never committed (.pem files in .gitignore)
  • App Credentials: Saved locally only (*credentials.txt in .gitignore)
  • Temporary Codes: Expire after 1 hour but should be treated as sensitive
  • No Cloud Storage: All credentials remain on local machine

What Gets Saved Locally

Files created by the tools:

  • github-app-private-key.pem - App's private key (RSA 2048-bit)
  • github-app-credentials.txt - App ID, slug, webhook secret, client credentials
  • Custom .pem files if specified

All these files are gitignored and must never be committed.

Script Security

The shell scripts:

  • Read-Only Operations: Don't modify system files
  • Local Execution: No data sent to third parties
  • GitHub API Only: Only communicate with GitHub's official API
  • User Confirmation: Require user action for app creation
  • No Credential Logging: Never echo or log credentials

Manifest Security

When creating app manifests:

  • Review Permissions: Only request necessary permissions
  • Principle of Least Privilege: Start with minimal permissions
  • Event Subscriptions: Only subscribe to needed events
  • Webhook URLs: Ensure HTTPS for webhook endpoints
  • Public vs Private: Default to private apps unless needed

Best Practices

When Creating Apps

  1. Review Manifest: Carefully review permissions before submission
  2. Minimal Permissions: Request only what's needed
  3. Test First: Test with read-only permissions first
  4. Secure Webhooks: Use HTTPS webhook URLs
  5. Delete Test Apps: Remove apps created during testing

When Storing Credentials

  1. Local Only: Keep credentials on local machine initially
  2. GitHub Secrets: Move to GitHub Secrets for Actions use
  3. Delete Locally: Remove local credentials after secure storage
  4. No Sharing: Never share private keys via email/chat
  5. Rotate Keys: Regenerate keys if potentially compromised

When Using in GitHub Actions

  1. Use Secrets: Store APP_ID and PRIVATE_KEY in GitHub Secrets
  2. Limit Scope: Use environment protection rules
  3. Token Expiry: App tokens expire (default 1 hour)
  4. Audit Logs: Monitor app usage in GitHub audit logs
  5. Revoke If Needed: App access can be revoked at any time

Known Limitations

Temporary Codes

  • Codes from manifest flow expire after 1 hour
  • Codes are single-use only
  • Treat codes as sensitive (can create app credentials)

Private Keys

  • Generated by GitHub (RSA 2048-bit)
  • Can't be recovered if lost
  • Must generate new key if compromised
  • Maximum 10 keys per app

Credentials File

The github-app-credentials.txt contains:

  • App ID (not secret but sensitive)
  • App slug (public)
  • Webhook secret (sensitive)
  • Client ID (not secret but sensitive)
  • Client secret (sensitive)

Scope

Security concerns within scope:

  • Credential handling and storage
  • Script security vulnerabilities
  • Manifest permission issues
  • Accidental credential exposure
  • API security

Out of scope:

  • GitHub platform security
  • GitHub Actions security (general)
  • Third-party dependency security
  • Network security
  • Operating system security

Security Features

Gitignore Protection

The .gitignore includes:

*.pem
*credentials.txt
*-private-key.pem
github-app-*.pem
github-app-*.txt

Script Validation

Scripts check for:

  • Required dependencies (jq, curl)
  • Valid input format
  • Successful API responses
  • Proper file permissions
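As an added illustration of the four checks listed above (example code, not the project's own scripts): a POSIX sh sketch that fails early on a missing dependency, rejects a malformed temporary code, proceeds only on a successful API response, and writes a credentials file with owner-only permissions without ever echoing its contents. The accepted code character set and the HTTP 201 status are assumptions, since the page does not state them.

```sh
#!/bin/sh
# Added example, not part of the labrats-work project. Demonstrates the
# validation steps SECURITY.md describes for the credential-saving scripts.

# 1. Required dependencies: fail early if any named tool (e.g. jq, curl) is missing.
check_deps() {
  for tool in "$@"; do
    command -v "$tool" >/dev/null 2>&1 || {
      echo "missing dependency: $tool" >&2
      return 1
    }
  done
  return 0
}

# 2. Valid input format: the single-use temporary code from the manifest flow.
#    Assumed format: a non-empty string of URL-safe characters.
valid_code() {
  case "$1" in
    "" | *[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# 3. Successful API response: only continue on an assumed HTTP 201 with a body.
#    The caller obtains both values from curl (e.g. -w '%{http_code}').
api_ok() {
  http_status="$1"
  body="$2"
  [ "$http_status" = "201" ] && [ -n "$body" ]
}

# 4. Proper file permissions: write a secret with mode 0600 and never echo it.
#    umask runs in a subshell so it does not change the caller's environment.
save_secret() {
  path="$1"
  secret="$2"
  ( umask 077 && printf '%s\n' "$secret" > "$path" ) || return 1
  chmod 600 "$path"
}

# Symbolic mode of a file, portable across GNU and BSD ls (first 10 chars).
file_mode() {
  ls -ld "$1" | cut -c1-10
}
```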

No Network Dependencies

  • No external package managers
  • No third-party scripts
  • Only GitHub API communication
  • Standard shell utilities only

Disclosure Policy

Once a security issue is fixed:

  1. A security advisory will be published (if applicable)
  2. Credit will be given to the reporter (unless anonymity is requested)
  3. Details will be disclosed after users have had time to update
  4. CVE will be requested for critical vulnerabilities

Emergency Procedures

If credentials are compromised:

  1. Immediately: Go to GitHub App settings
  2. Revoke: Delete the compromised private key
  3. Generate: Create new private key
  4. Update: Update GitHub Secrets with new credentials
  5. Audit: Review app access logs
  6. Notify: If public exposure, notify via security advisory

Questions?

For non-security questions, please use the regular issue tracker or see CONTRIBUTING.md.

For security concerns, always use private channels.
