
Security Best Practices

This is a non-custodial wallet — security is critical. Users trust us with their keys.

Golden Rules

1. Never Log Sensitive Data

Private keys, mnemonics, and passwords must never appear in logs.

2. Use Secure Storage

Store sensitive data (keys, mnemonics) using SecureStorageService, which uses the device's secure keychain/keystore.

3. Validate All Input

Never trust user input or API responses. Validate before processing.

4. No Secrets in Code

Environment variables and API keys should be in .env files, not hardcoded.

Sensitive Data Checklist

| Data | Storage | Logging |
|------|---------|---------|
| Private keys | SecureStorage only | Never |
| Mnemonic seeds | SecureStorage only | Never |
| Passwords/PINs | SecureStorage only | Never |
| Addresses | Any storage | Safe |
| Transaction hashes | Any storage | Safe |

Supply Chain

Review dependency updates carefully — supply chain attacks are real. The repo has several layers of automated defense:

Freshness window

pnpm-workspace.yaml sets minimumReleaseAge: 10080 (7 days). Packages published in the last week are refused at install time. This is our primary defense against compromised-publish attacks, which are typically detected and yanked within hours to days. Exceptions live under minimumReleaseAgeExclude and must be justified in a comment (e.g. a security patch that we need before the window elapses).

Transitive-dep pins

Vulnerable transitives we can't upgrade directly are pinned under pnpm.overrides in pnpm-workspace.yaml. Use per-major pins (pkg@N: x.y.z) — range-style overrides like pkg@>=a <b don't actually rewrite pnpm's resolution when the caller requests a narrower range.

Commands

```sh
pnpm audit                            # Fails on any advisory
pnpm audit --prod --audit-level=high  # What CI runs to block PRs
```

CI-enforced (see .github/workflows/pre-merge.yml)

  • pnpm audit — moderate+ advisories in prod deps block merge.
  • Lockfile drift check — pnpm-lock.yaml must be in sync with every package.json.
  • Gitleaks — scans the PR diff for committed secrets. Local allowlist lives in .gitleaks.toml; add a new entry rather than disabling a rule globally.
  • Pinned actions — every GitHub Action is pinned to a full commit SHA with a trailing version comment. Don't use floating tags (@v4, @main) — Dependabot handles SHA bumps.
  • Least-privilege permissions — contents: read is the default; jobs elevate only what they need. Every actions/checkout uses persist-credentials: false.
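As an added example (not the repo's own tooling), a stdlib-only Python linter that applies the three pinning rules above to a workflow file: SHA-pinned `uses:` with a trailing version comment, `persist-credentials: false` on every checkout, and a top-level `permissions:` block. The sample workflow and the 40-hex SHA in it are constructed placeholders, not real pins.

```python
# Lints a GitHub Actions workflow for the pinning rules in the CI section above.
# Constructed example, not the repo's own tooling; regex-based, so no PyYAML needed.
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)@(\S+)\s*(#.*)?$")  # local `./path` actions have no @ref and are skipped
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERSIST_RE = re.compile(r"^\s*persist-credentials:\s*false\s*$")
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"  # constructed placeholder, not a real pin

# Constructed workflow: one compliant checkout, one floating tag, one checkout missing the flag.
SAMPLE_WORKFLOW = f"""\
permissions:
  contents: read
jobs:
  audit:
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA} # v4
        with:
          persist-credentials: false
      - uses: pnpm/action-setup@v4
      - name: Checkout again
        uses: actions/checkout@{PLACEHOLDER_SHA}
"""

def step_sets_persist_false(lines, after, key_indent):  # scan the rest of the step owning lines[after]
    for nxt in lines[after + 1:]:
        if not nxt.strip():
            continue
        if len(nxt) - len(nxt.lstrip()) < key_indent:
            return False  # dedented past the step's keys: next step or job reached
        if PERSIST_RE.match(nxt):
            return True
    return False

def lint_workflow(text):  # one finding per violation; empty list means compliant
    lines, findings = text.splitlines(), []
    if not any(ln.startswith("permissions:") for ln in lines):
        findings.append("no top-level permissions block (expected contents: read)")
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.groups()
        if not SHA_RE.match(ref):
            findings.append(f"line {idx + 1}: {action}@{ref} is a floating ref, pin to a commit SHA")
        elif not comment:
            findings.append(f"line {idx + 1}: {action} SHA pin lacks a trailing version comment")
        if action == "actions/checkout" and not step_sets_persist_false(lines, idx, line.find("uses:")):
            findings.append(f"line {idx + 1}: actions/checkout without persist-credentials: false")
    return findings
```

Run it over `SAMPLE_WORKFLOW` and it reports the floating `pnpm/action-setup@v4` tag plus two findings on the second checkout; the first checkout step passes.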

Scheduled

  • CodeQL — JS/TS static analysis weekly + on PR; findings go to the Security tab.
  • OpenSSF Scorecard — weekly posture score, published to the public Scorecard API.
  • SBOM — CycloneDX SBOM generated on every push to main and weekly; 90-day artifact retention.
  • Dependabot — weekly grouped updates for npm and github-actions. Framework-tier majors (React, React Native, Expo, TypeScript, ESLint) are ignored and bumped manually.

Pre-push (tools/pre-push)

Gitleaks runs locally against the commits you're about to push. It soft-skips if gitleaks isn't installed — brew install gitleaks enables it. The authoritative scan is still the CI job.

When in Doubt

If you're unsure whether something is secure, ask. Security mistakes are expensive.