Security: cuberhaus/WinDotfiles

Security Policy — WinDotfiles

Reporting a Vulnerability

If you discover a security vulnerability, please email polcg10@gmail.com. Do not open a public issue.

Security Considerations

Execution Policy

  • During bootstrap, setup-dotfiles.ps1 raises the CurrentUser ExecutionPolicy to Unrestricted so Chocolatey and chezmoi can install without signature prompts.
  • The script reverts it to RemoteSigned automatically at the end of the run. Pass -KeepUnrestricted to opt out of the revert.
  • Unrestricted allows any PowerShell script to run without signature verification, so the shorter the window it stays in that state, the better.
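The raise-then-revert pattern described above, as an added example rather than the repository's own setup-dotfiles.ps1: the policy change sits inside try, and the revert to RemoteSigned runs in finally, so a failing Chocolatey or chezmoi step cannot leave the CurrentUser scope at Unrestricted. The installer steps are stand-ins; the -KeepUnrestricted switch name is taken from the page.

```powershell
# Added illustration of the bootstrap pattern; not the repository's setup-dotfiles.ps1.
# Assumption: the installer calls are stand-ins for the real Chocolatey/chezmoi steps.
[CmdletBinding()]
param(
    [switch]$KeepUnrestricted   # opt out of the automatic revert, as on the policy page
)

$scope = 'CurrentUser'
$before = Get-ExecutionPolicy -Scope $scope   # recorded for the log only
Write-Host "Execution policy for $scope before bootstrap: $before"

try {
    # Widen the window only as far as the installers need it.
    Set-ExecutionPolicy -Scope $scope -ExecutionPolicy Unrestricted -Force

    # --- installer steps (stand-ins) ---
    Write-Host 'Installing Chocolatey and chezmoi...'
    # choco install chezmoi -y
}
finally {
    # Runs whether or not an installer step threw, so the Unrestricted window
    # cannot outlive the script by accident.
    if ($KeepUnrestricted) {
        Write-Warning "Leaving $scope execution policy at Unrestricted (-KeepUnrestricted)."
    }
    else {
        Set-ExecutionPolicy -Scope $scope -ExecutionPolicy RemoteSigned -Force
        Write-Host "Execution policy for $scope reverted to RemoteSigned."
    }
}

# Post-run check: show the effective policy for the user scope that was changed.
Get-ExecutionPolicy -List | Where-Object Scope -eq $scope
```

If a machine-wide or Group Policy setting overrides the CurrentUser scope, the -List output shows which scope is actually in effect.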

git safe.directory

  • setup-dotfiles.ps1 adds two specific entries: the chezmoi source directory and $USERPROFILE/cuberhaus/* (the cloned-repos pattern).
  • It does not use the wildcard safe.directory = *, which would trust every directory on the system and allow running git hooks from repositories owned by other users.
  • Override DOTFILES_SAFE_REPOS_GLOB before running setup to point at a different repos root.

Review Before Running

  • Elevated/admin PowerShell scripts can modify system settings, install software, and change registry keys.
  • Always review scripts before running them, especially after pulling updates.
  • Use git diff to inspect changes before running updated scripts.
  • Do not run scripts from untrusted forks without thorough review.

Sensitive Data

  • Do not store credentials, tokens, or private keys in dotfiles.
  • Windows Credential Manager or a password manager should be used for secrets.
  • Check that sensitive paths (%USERPROFILE%\.ssh\, registry exports) are excluded from the repo.

Secret Scanning

  • A gitleaks pre-commit hook is available — run make hooks to install it. It scans staged files and blocks the commit on findings.
  • The same scanner runs in CI on every push/PR via .github/workflows/secrets.yml, plus weekly on a schedule (so newly-added detection rules get a chance to flag old commits).
  • For an ad-hoc sweep of the whole working tree, run make pre-commit-check (gitleaks detect --redact --no-banner --source .).
  • Install gitleaks with choco install gitleaks or winget install gitleaks.gitleaks. The pre-commit hook skips silently if gitleaks isn't installed.

Recommendations

  • Test scripts in a VM or Windows Sandbox before running on your primary machine.
  • Keep a changelog of what each script modifies for easier auditing.
  • Sign your PowerShell scripts with a code-signing certificate if distributing to others.