bisco/azionelab
1
0
Fork 0
generated from bisco/codex-bootstrap
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7c90da588415e6d6b082ef97ee7a520e5b0dd1e8
azionelab/.codex/security.md
bisco 05b06d409f Initial commit
2026-04-28 10:28:32 +02:00

1.7 KiB
Raw Blame History

Security rules

These rules are always active.

Codex MUST NOT:

  • commit secrets, tokens, passwords, private keys, API keys, or real credentials;
  • disable authentication, authorization, TLS verification, CSRF protection, input validation, or security checks unless explicitly requested and documented in an ADR;
  • introduce privileged containers unless explicitly justified in an ADR;
  • use latest container tags;
  • add unnecessary open ports;
  • log credentials, tokens, session IDs, cookies, authorization headers, or sensitive payloads;
  • weaken file permissions without justification;
  • introduce dependencies without explaining why they are needed;
  • ignore security-sensitive errors;
  • store secrets in plain YAML, JSON, TOML, dotenv, shell scripts, Dockerfiles, or documentation.

Codex MUST:

  • prefer least privilege for users, containers, services, and filesystem permissions;
  • prefer reproducible builds;
  • treat CI/CD, Docker, Ansible, deployment, reverse proxy, and authentication files as security-sensitive;
  • document security-relevant assumptions;
  • flag unclear security requirements before implementing risky behavior;
  • update docs/security.md when security behavior changes.

Security-sensitive changes

The following changes require explicit attention and may require an ADR:

  • authentication or authorization changes;
  • network exposure changes;
  • TLS/certificate behavior changes;
  • Docker privilege, capabilities, users, volumes, or network changes;
  • Ansible privilege escalation changes;
  • logging changes involving user data or sensitive data;
  • dependency additions;
  • deployment topology changes;
  • backup, restore, retention, or data deletion behavior changes.
Reference in New Issue View Git Blame Copy Permalink