Skip to content

[Security] Review & Approval: Secret Rotation Policy v1.0 #15

Description

@kurtiz

As part of our ongoing efforts to strengthen OSSAfrica’s security posture and align with OpenSSF best practices, I have drafted a comprehensive Secret Rotation Policy. This document aims to minimize the risk of unauthorized access by mandating regular updates to our cryptographic keys and credentials.

Scope of Work (What has been drafted)

I have created a v1.0 draft that covers the following key areas:

  • Classification: A framework for categorizing secrets (Critical, High, Medium, Low) based on potential impact.
  • Schedules: Defined timelines for rotation (e.g., 90 days for Critical keys vs. 365 days for Medium).
  • Procedures: distinct workflows for Automated (preferred) vs. Manual rotation.
  • Incident Response: Protocols for immediate "Emergency Rotation" in the event of a compromise.
  • Audit Mechanisms: Requirements for quarterly compliance checks.

Action Required: Core Team Review

Before we adopt this as an official standard, I need the Core Team to review the draft for feasibility and approval. Please specifically check:

  1. Are the rotation timelines realistic for our current maintainer capacity?
  2. Do we have the necessary tooling in place (e.g., Vault, GitHub Secrets) to support the "Automated Rotation" section?

Link to Draft

Develop Secret Rotation Policy for OSSAfrica Infrastructure

Link to Repository

security

Tasks

  • CoreTeam to read and comment on the draft.
  • Discuss any blockers in the next sync meeting.
  • Final vote/consensus for approval.
  • Merge policy into ossafrica/governance (or relevant repo).

Metadata

Metadata

Labels

auditCode quality checks or compliance auditsdocumentationImprovements or additions to documentationsecuritySecurity-related issues or fixes

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions