Open Source Launch Security Checklist

TL;DR

Your code will be scrutinized. Before going public, scan git history for secrets, add a SECURITY.md file, set up dependency scanning, configure branch protection, and establish a vulnerability disclosure process. The open source community will find issues - be ready to respond.

Code Cleanup 5

Secrets scanned from historyUse git-secrets or truffleHog on entire history.

No hardcoded credentialsEven commented out ones will be found.

Example configs use placeholders.env.example with YOUR_API_KEY, not real values.

No internal URLs or IPsRemove references to internal infrastructure.

License file includedClear licensing prevents legal issues.

Security Infrastructure 5

SECURITY.md file addedHow to report vulnerabilities responsibly.

Dependabot or similar enabledAutomated dependency vulnerability alerts.

Branch protection configuredRequire reviews, prevent force push to main.

CI/CD includes security scanningSAST tools run on every PR.

Signed commits encouragedGPG signing for maintainer commits.

Community Readiness 4

Contributing guidelines include securityHow contributors should handle security issues.

Code of conduct publishedSets expectations for community behavior.

Issue templates include security optionPrivate reporting path for vulnerabilities.

Maintainer response planWho responds to security reports and how fast?

What if there are secrets in my git history?

You have two options: rewrite history (using BFG Repo Cleaner or git filter-branch) or start fresh with a new repo. If secrets were exposed, rotate them immediately regardless of which option you choose.

How should I handle security vulnerability reports?

Acknowledge within 24-48 hours, investigate promptly, coordinate disclosure timing with the reporter, and credit them in your fix. Use GitHub's private vulnerability reporting if available.

Should I worry about supply chain attacks?

Yes. As your project gains users, it becomes a target. Enable 2FA for all maintainers, use signed releases, and be careful about new contributor access. npm/PyPI account compromises are common.

Open Source Launch Security Checklist: 14 Items Before Going Public

TL;DR

Code Cleanup 5

Security Infrastructure 5

Community Readiness 4

Open Source Ready