- All configuration files in this repository use localhost URLs or environment variables
- No hardcoded API keys, tokens, or secrets
- Example configurations demonstrate proper security patterns
- Personal access tokens (GitHub, Azure, etc.)
- API keys from external services
- Production credentials or connection strings
- User-specific MCP configurations with secrets
- `.vscode/mcp.json` ✅ Only localhost URLs and development paths
- `mcp-sdk-dotnet/appsettings*.json` ✅ Uses environment variables
- `azure-functions-mcp/local.settings.json.example` ✅ Example file only
- All source files ✅ No secrets embedded
- `%USERPROFILE%\.cursor\mcp.json` ⚠️ May contain personal tokens
- Local environment variables ⚠️ Keep private
Before pushing changes:

- Run a security scan:

  ```bash
  # Search for potential secrets
  git grep -E "(ghp_|sk-|token.*[\"'][a-zA-Z0-9_-]{20,})" || echo "No secrets found"
  ```

- Check for new config files:

  ```bash
  git status  # Verify no personal config files are staged
  ```

- Validate environment variable usage:
  - Ensure all secrets use `${VARIABLE_NAME}` or `Environment.GetEnvironmentVariable()`
  - No hardcoded credentials in appsettings.json
✅ Good (secrets referenced by placeholder):

```json
{
  "ConnectionStrings": {
    "Database": "${DATABASE_CONNECTION_STRING}"
  },
  "ApiKeys": {
    "OpenAI": "${OPENAI_API_KEY}"
  }
}
```

❌ Bad (hardcoded key):

```json
{
  "ApiKeys": {
    "OpenAI": "sk-1234567890abcdef..."
  }
}
```

If a secret has been committed:

- Immediately revoke the exposed secret
- Remove it from git history:

  ```bash
  git filter-branch --force --index-filter \
    'git rm --cached --ignore-unmatch path/to/file' \
    --prune-empty --tag-name-filter cat -- --all
  ```

- Generate new secrets
- Update all systems using the old secret
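As an added check for the "validate environment variable usage" step and the pre-push grep above (example script, not part of this repository), the following Python walks a JSON config and reports literal values that should have been `${VAR}` placeholders. The sample configs, the `mcpServers` layout and the `check_config_secrets.py` file name are constructed for illustration.

```python
import json
import re
import sys
# A value is safe when it is a "${VAR_NAME}" placeholder resolved at runtime.
PLACEHOLDER = re.compile(r"^\$\{[A-Z][A-Z0-9_]*\}$")
# Token prefixes from the pre-push git grep (ghp_ GitHub PATs, sk- API keys).
TOKEN_LIKE = re.compile(r"(ghp_|sk-)[A-Za-z0-9_-]{8,}")
# Keys whose values should be placeholders, never literals (case-insensitive).
SECRET_KEYS = re.compile(r"key|token|secret|password|connectionstring|authorization", re.I)

def find_hardcoded_secrets(config_text):
    """Return (dotted.path, value) for each string that looks like a literal secret."""
    findings = []
    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + [key])
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, path + [str(i)])
        elif isinstance(node, str):
            if PLACEHOLDER.match(node):
                return  # "${...}" is filled from the environment: fine
            under_secret_key = any(SECRET_KEYS.search(p) for p in path)
            # Flag known token shapes anywhere, and any literal under a secret-like key.
            if TOKEN_LIKE.search(node) or (under_secret_key and node.strip()):
                findings.append((".".join(path), node))
    walk(json.loads(config_text), [])
    return findings

# Constructed sample configs mirroring the good/bad appsettings and mcp.json patterns.
GOOD_CONFIG = """{
  "ConnectionStrings": { "Database": "${DATABASE_CONNECTION_STRING}" },
  "ApiKeys": { "OpenAI": "${OPENAI_API_KEY}" }
}"""
BAD_CONFIG = """{
  "ApiKeys": { "OpenAI": "sk-1234567890abcdef" },
  "mcpServers": { "local": {
    "url": "http://localhost:3001/sse",
    "headers": { "Authorization": "Bearer ghp_EXAMPLEabcdefghij" } } }
}"""

if __name__ == "__main__":
    # Usage: python check_config_secrets.py .vscode/mcp.json appsettings*.json
    problems = [(f, *hit) for f in sys.argv[1:]
                for hit in find_hardcoded_secrets(open(f, encoding="utf-8").read())]
    for file, path, value in problems:
        print(f"{file}: {path} = {value!r} (use a ${{VAR}} placeholder)")
    sys.exit(1 if problems else 0)
```

A non-zero exit code makes the script usable as a pre-push hook; localhost URLs pass untouched while the `sk-` key and the `ghp_` bearer token are reported.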
If you discover security issues:
- Create a private issue or security advisory
- Do not expose vulnerabilities in public issues
- Follow responsible disclosure practices
Remember: When in doubt, use environment variables! 🛡️