[{"data":1,"prerenderedAt":207},["ShallowReactive",2],{"blog-checklists/open-source-checklist":3},{"id":4,"title":5,"body":6,"category":184,"date":185,"dateModified":185,"description":186,"draft":187,"extension":188,"faq":189,"featured":187,"headerVariant":192,"image":193,"keywords":193,"meta":194,"navigation":195,"ogDescription":196,"ogTitle":193,"path":197,"readTime":193,"schemaOrg":198,"schemaType":199,"seo":200,"sitemap":201,"stem":202,"tags":203,"twitterCard":205,"__hash__":206},"blog/blog/checklists/open-source-checklist.md","Open Source Security Checklist: 14-Item Guide Before Going Public",{"type":7,"value":8,"toc":178},"minimark",[9,16,19,22,47,68,88,103,114,119,122,125,147,166],[10,11,12],"tldr",{},[13,14,15],"p",{},"This 14-item checklist covers the most critical security issues before open sourcing: secrets in git history, repository security, and documentation. 5 critical items must be fixed before launch, 7 important items within the first week, and 2 recommended items when you can.",[13,17,18],{},"Making a repo public is a one-way door for secrets. Once your git history is out there, every API key and password you ever committed is effectively compromised, even the ones you deleted in later commits. Take an hour to go through this before you hit that button, because undoing it afterward is a nightmare.",[20,21],"print-button",{},[23,24,26,31,35,39,43],"checklist-section",{"title":25},"Quick Checklist (5 Critical Items)",[27,28],"checklist-item",{"description":29,"label":30},"Deleted files and old commits still exist in history","Scan entire git history for secrets",[27,32],{"description":33,"label":34},"Use git-filter-repo or start fresh with a squashed commit","Remove or rewrite history if secrets found",[27,36],{"description":37,"label":38},"If secrets were in history, assume they are compromised","Rotate any exposed credentials",[27,40],{"description":41,"label":42},"Tell researchers how to report vulnerabilities privately","Create SECURITY.md file",[27,44],{"description":45,"label":46},"Check for SQL injection, XSS, and hardcoded credentials","Review for security vulnerabilities",[23,48,51,54,57,60,64],{"title":49,"count":50},"Secrets and Sensitive Data","5",[27,52],{"description":53,"label":30},"Use trufflehog, gitleaks, or similar. Deleted files and old commits still exist in history. How to scan git for secrets",[27,55],{"description":56,"label":34},"Use git-filter-repo or BFG Repo-Cleaner. Or start fresh with a squashed commit. How to remove secrets from git history",[27,58],{"description":59,"label":38},"If secrets were in history, assume they are compromised. Generate new keys immediately. How to rotate exposed credentials",[27,61],{"description":62,"label":63},"Replace .env with .env.example containing placeholder values. Document required variables. How to create .env.example","Create proper example config files",[27,65],{"description":66,"label":67},"Ensure .env, credentials, private keys, and IDE settings are ignored before going public. How to secure .env files","Update .gitignore",[23,69,72,76,80,84],{"title":70,"count":71},"Repository Security","4",[27,73],{"description":74,"label":75},"Alerts you if secrets are accidentally committed after going public. How to enable secret scanning","Enable GitHub secret scanning",[27,77],{"description":78,"label":79},"Automated PRs for vulnerable dependencies. Essential for maintaining security over time. How to enable Dependabot","Enable Dependabot security updates",[27,81],{"description":82,"label":83},"Require PR reviews for main branch. Prevent direct pushes that could introduce vulnerabilities. How to configure branch protection","Configure branch protection",[27,85],{"description":86,"label":87},"Ensure workflows do not expose secrets and follow security best practices. How to secure GitHub Actions","Review GitHub Actions workflows",[23,89,92,95,99],{"title":90,"count":91},"Security Documentation","3",[27,93],{"description":94,"label":42},"Tell researchers how to report vulnerabilities privately. Include contact and response time. How to create a security policy",[27,96],{"description":97,"label":98},"Explain security-relevant configuration options and deployment recommendations in README. How to document security","Document security considerations",[27,100],{"description":101,"label":102},"Choose an appropriate open source license. Without one, all rights are reserved by default. How to choose a license","Add license file",[23,104,107,110],{"title":105,"count":106},"Code Review","2",[27,108],{"description":109,"label":46},"Check for SQL injection, XSS, hardcoded credentials, and other common vulnerabilities. How to do a security code review",[27,111],{"description":112,"label":113},"Run npm audit, pip-audit, or equivalent. Fix critical vulnerabilities before release. How to audit dependencies","Audit dependencies for vulnerabilities",[115,116,118],"h2",{"id":117},"public-means-permanent","Public Means Permanent",[13,120,121],{},"Once your code is public, assume it has been scraped and archived. Even if you delete the repo later, someone may have a copy. Secrets committed to public repositories are compromised forever.",[13,123,124],{},"Take time to audit before going public. An hour spent checking git history could save you from a major security incident. When in doubt, start with a fresh repo containing only the commits you want public.",[126,127,128,135,141],"faq-section",{},[129,130,132],"faq-item",{"question":131},"Do I need to rewrite git history before open sourcing?",[13,133,134],{},"If your git history contains secrets, yes. Even deleted files remain in git history. Use tools like git-filter-repo or BFG Repo-Cleaner to remove secrets from history. Alternatively, start fresh with a squashed commit.",[129,136,138],{"question":137},"Should I have a SECURITY.md file?",[13,139,140],{},"Yes. SECURITY.md tells security researchers how to report vulnerabilities privately instead of creating public issues. Include contact information, expected response time, and any bug bounty information.",[129,142,144],{"question":143},"What if I accidentally pushed secrets to a public repo?",[13,145,146],{},"Immediately rotate all exposed credentials. Then remove them from git history or make the repo private while you clean up. Assume the secrets are compromised regardless of how quickly you act.",[148,149,150,156,161],"related-articles",{},[151,152],"related-card",{"description":153,"href":154,"title":155},"Secure your repository settings","/blog/checklists/github-repo-checklist","GitHub Repo Security",[151,157],{"description":158,"href":159,"title":160},"Keep secrets out of code","/blog/checklists/environment-variables-checklist","Environment Variables",[151,162],{"description":163,"href":164,"title":165},"Clean your repository history","/blog/how-to/remove-secrets-git-history","Remove Secrets from Git",[167,168,171,175],"cta-box",{"href":169,"label":170},"/","Start Free Scan",[115,172,174],{"id":173},"scan-your-repo-before-going-public","Scan Your Repo Before Going Public",[13,176,177],{},"Check for exposed secrets and security issues in your codebase.",{"title":179,"searchDepth":180,"depth":180,"links":181},"",2,[182,183],{"id":117,"depth":180,"text":118},{"id":173,"depth":180,"text":174},"checklists","2026-01-30","Security checklist for open source projects. Remove secrets, secure your repo settings, and prepare your codebase before making it public on GitHub.",false,"md",[190,191],{"question":131,"answer":134},{"question":137,"answer":140},"green",null,{},true,"Security checklist for open sourcing your project safely.","/blog/checklists/open-source-checklist","[object Object]","HowTo",{"title":5,"description":186},{"loc":197},"blog/checklists/open-source-checklist",[204],"Security Checklist","summary_large_image","HqwSn1ELGeB6_TiQAQ32MOJY8uCrq9K6Obp2bnpbbVs",1775843931028]