Thank you for your interest in contributing to SecureVault! This document provides guidelines and information for contributors.
- Use the bug report template
- Include steps to reproduce
- Provide system information
- Check for existing issues first
- Use the feature request template
- Explain the use case
- Consider security implications
- Discuss implementation approach
- DO NOT create public issues for security vulnerabilities
- Email: security@securevault.dev
- Use our PGP key for sensitive reports
- Follow responsible disclosure practices
- Fix typos and improve clarity
- Add examples and tutorials
- Translate to other languages
- Update API documentation
- Bug fixes
- New features
- Performance improvements
- Test coverage improvements
# 1. Fork the repository on GitHub
# 2. Clone your fork
git clone https://github.com/yourusername/securevault.git
cd securevault
# 3. Set up development environment
./scripts/dev-setup.sh
# 4. Create a branch for your changes
git checkout -b feature/amazing-feature
# 5. Make your changes
# 6. Test your changes
python -m pytest tests/ -v
# 7. Commit and push
git commit -m "Add amazing feature"
git push origin feature/amazing-feature
# 8. Create a Pull Request# Install development dependencies
pip install -r requirements-dev.txt
# Set up pre-commit hooks
pre-commit install
# Run development server
./start.sh --dev
# Run tests with coverage
pytest --cov=app tests/# Use Black for formatting
black app/ tests/
# Use isort for imports
isort app/ tests/
# Use flake8 for linting
flake8 app/ tests/
# Use mypy for type checking
mypy app/- Test Coverage: Maintain >90% coverage
- Type Hints: All functions must have type hints
- Documentation: Docstrings for all public functions
- Security: All security-related code must be reviewed
- All PRs touching security code require security review
- Cryptographic changes need cryptography expert review
- New dependencies must be security-audited
- All security tests must pass
# ✅ Good: Use secure random for cryptographic purposes
import secrets
salt = secrets.token_bytes(16)
# ❌ Bad: Don't use regular random for security
import random
salt = random.randbytes(16) # NEVER DO THIS
# ✅ Good: Clear sensitive data from memory
password = get_password()
try:
# Use password
process_password(password)
finally:
# Clear from memory
password = None
del password
# ✅ Good: Use constant-time comparison
import hmac
if hmac.compare_digest(provided_hash, expected_hash):
# Authenticated# Unit tests - fast, isolated
pytest tests/unit/ -v
# Integration tests - test component interaction
pytest tests/integration/ -v
# Security tests - cryptography and security features
pytest tests/security/ -v
# Performance tests - benchmarks and load testing
pytest tests/performance/ -v --benchmark-only- Overall: >90% line coverage
- Security modules: >95% line coverage
- New features: 100% line coverage
- Bug fixes: Must include regression test
def encrypt_credential(data: str, key: bytes) -> bytes:
"""
Encrypt credential data using AES-256-GCM.
Args:
data: The credential data to encrypt
key: 256-bit encryption key derived from master password
Returns:
Encrypted data as bytes
Raises:
EncryptionError: If encryption fails
Security:
Uses AES-256-GCM for authenticated encryption.
Each encryption uses a unique random IV.
"""- All endpoints must have OpenAPI documentation
- Include request/response examples
- Document error codes and responses
- Security considerations for each endpoint
Before submitting a PR, ensure:
-
Code Quality
- Code follows style guidelines (Black, isort, flake8)
- Type hints are present and correct
- No security vulnerabilities introduced
- Performance impact considered
-
Testing
- All existing tests pass
- New tests added for new functionality
- Test coverage maintained >90%
- Security tests pass
-
Documentation
- Code is properly documented
- README updated if needed
- API docs updated if needed
- CHANGELOG.md updated
-
Security
- No hardcoded secrets or passwords
- Cryptographic functions used correctly
- Input validation implemented
- Security implications considered
-
Automated Checks
- CI/CD pipeline runs all tests
- Code quality checks (linting, formatting)
- Security scans (bandit, safety)
- Dependency vulnerability checks
-
Human Review
- Code review by maintainer
- Security review for security-related changes
- Documentation review
- UX review for user-facing changes
-
Approval and Merge
- At least one maintainer approval required
- Security approval for security changes
- All checks must pass
- Squash and merge preferred
main
├── develop (integration branch)
├── feature/new-feature
├── bugfix/fix-issue
├── security/security-fix
└── release/v2.0.0
-
Feature Freeze
- No new features in release branch
- Only bug fixes and documentation
-
Testing Phase
- Comprehensive testing
- Security audit
- Performance testing
- User acceptance testing
-
Release Preparation
- Update version numbers
- Update CHANGELOG.md
- Create release notes
- Tag release
-
Deployment
- Create GitHub release
- Update documentation
- Announce release
# Input Validation
def validate_password(password: str) -> bool:
"""Validate password meets security requirements."""
if len(password) < 8:
raise ValueError("Password too short")
# Additional validation...
return True
# Error Handling - Don't leak information
try:
authenticate_user(username, password)
except AuthenticationError:
# Don't reveal whether username or password was wrong
raise AuthenticationError("Invalid credentials")
# Logging - Don't log sensitive data
logger.info(f"User {username} logged in") # ✅ OK
logger.info(f"Password: {password}") # ❌ NEVER# Use generators for large datasets
def get_all_credentials():
for credential in vault.credentials:
yield credential
# Cache expensive operations
@lru_cache(maxsize=128)
def derive_key(password: str, salt: bytes) -> bytes:
# Expensive key derivation
return pbkdf2_hmac('sha256', password.encode(), salt, 100000)
# Use async for I/O operations
async def backup_vault():
async with aiofiles.open('backup.enc', 'wb') as f:
await f.write(encrypted_data)Contributors are recognized in:
- README.md - Hall of Fame section
- CONTRIBUTORS.md - Detailed contributor list
- Release Notes - Major contributions highlighted
- GitHub Releases - Contributor mentions
| Level | Requirements | Benefits |
|---|---|---|
| Contributor | 1+ merged PR | Listed in contributors |
| Regular Contributor | 5+ merged PRs | Priority review, beta access |
| Core Contributor | 20+ PRs, security review | Commit access, roadmap input |
| Maintainer | Appointed by team | Full repository access |
- GitHub Discussions: General questions and ideas
- Discord: Real-time chat and support
- Email: security@securevault.dev (security issues)
- Twitter: @SecureVault (announcements)
- Development Guide: docs/DEVELOPMENT.md
- API Reference: docs/API.md
- Security Guide: docs/SECURITY.md
- Architecture Overview: docs/ARCHITECTURE.md
**Bug Description**
A clear description of the bug.
**Steps to Reproduce**
1. Go to '...'
2. Click on '....'
3. See error
**Expected Behavior**
What you expected to happen.
**Screenshots**
If applicable, add screenshots.
**Environment**
- OS: [e.g. Ubuntu 20.04]
- Python: [e.g. 3.9.7]
- SecureVault: [e.g. 1.2.3]
**Additional Context**
Any other context about the problem.**Feature Description**
A clear description of the feature you'd like.
**Use Case**
Describe the problem this feature would solve.
**Proposed Solution**
How you envision this feature working.
**Security Considerations**
Any security implications of this feature.
**Additional Context**
Any other context or screenshots.Thank you for contributing to SecureVault! Your contributions help make password management more secure for everyone.
Remember: Every contribution, no matter how small, makes a difference. Whether it's fixing a typo, reporting a bug, or implementing a major feature, we appreciate your effort to make SecureVault better.
Happy Coding! 🔐