coderabbit-security-basics

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

CodeRabbit Security Basics

CodeRabbit 安全基础

Overview

概述

Security best practices for CodeRabbit API keys, tokens, and access control.

针对CodeRabbit API密钥、令牌及访问控制的安全最佳实践。

Prerequisites

前提条件

CodeRabbit SDK installed
Understanding of environment variables
Access to CodeRabbit dashboard

已安装CodeRabbit SDK
了解环境变量相关知识
拥有CodeRabbit控制台访问权限

Instructions

操作步骤

Step 1: Configure Environment Variables

步骤1：配置环境变量

bash

undefined

bash

undefined

.env (NEVER commit to git)

.env（切勿提交至git）

CODERABBIT_API_KEY=sk_live_*** CODERABBIT_SECRET=***

.gitignore

.env .env.local .env.*.local

undefined

.env .env.local .env.*.local

undefined

Step 2: Implement Secret Rotation

步骤2：实施密钥轮换

bash

undefined

bash

undefined

1. Generate new key in CodeRabbit dashboard

1. 在CodeRabbit控制台生成新密钥

2. Update environment variable

2. 更新环境变量

export CODERABBIT_API_KEY="new_key_here"

3. Verify new key works

3. 验证新密钥是否可用

curl -H "Authorization: Bearer ${CODERABBIT_API_KEY}"
https://api.coderabbit.com/health

4. Revoke old key in dashboard

4. 在控制台吊销旧密钥

undefined

undefined

Step 3: Apply Least Privilege

步骤3：应用最小权限原则

Environment	Recommended Scopes
Development	`read:*`
Staging	`read:*, write:limited`
Production	`Only required scopes`

环境	推荐权限范围
开发环境	`read:*`
预发布环境	`read:*, write:limited`
生产环境	`仅必要权限范围`

Output

输出结果

Secure API key storage
Environment-specific access controls
Audit logging enabled

安全的API密钥存储
基于环境的访问控制
已启用审计日志

Error Handling

错误处理

Security Issue	Detection	Mitigation
Exposed API key	Git scanning	Rotate immediately
Excessive scopes	Audit logs	Reduce permissions
Missing rotation	Key age check	Schedule rotation

安全问题	检测方式	缓解措施
API密钥泄露	Git扫描	立即轮换密钥
权限范围过大	审计日志	缩减权限
未进行密钥轮换	密钥时长检查	安排定期轮换

Examples

示例

Service Account Pattern

服务账户模式

typescript

const clients = {
  reader: new CodeRabbitClient({
    apiKey: process.env.CODERABBIT_READ_KEY,
  }),
  writer: new CodeRabbitClient({
    apiKey: process.env.CODERABBIT_WRITE_KEY,
  }),
};

typescript

const clients = {
  reader: new CodeRabbitClient({
    apiKey: process.env.CODERABBIT_READ_KEY,
  }),
  writer: new CodeRabbitClient({
    apiKey: process.env.CODERABBIT_WRITE_KEY,
  }),
};

Webhook Signature Verification

Webhook签名验证

typescript

import crypto from 'crypto';

function verifyWebhookSignature(
  payload: string, signature: string, secret: string
): boolean {
  const expected = crypto.createHmac('sha256', secret).update(payload).digest('hex');
  return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
}

typescript

import crypto from 'crypto';

function verifyWebhookSignature(
  payload: string, signature: string, secret: string
): boolean {
  const expected = crypto.createHmac('sha256', secret).update(payload).digest('hex');
  return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
}

Security Checklist

安全检查清单

API keys in environment variables
```
.env
```
files in
```
.gitignore
```
Different keys for dev/staging/prod
Minimal scopes per environment
Webhook signatures validated
Audit logging enabled

API密钥存储在环境变量中
```
.env
```
文件已添加至
```
.gitignore
```
开发/预发布/生产环境使用不同密钥
每个环境配置最小必要权限
已验证Webhook签名
已启用审计日志

Audit Logging

审计日志

typescript

interface AuditEntry {
  timestamp: Date;
  action: string;
  userId: string;
  resource: string;
  result: 'success' | 'failure';
  metadata?: Record<string, any>;
}

async function auditLog(entry: Omit<AuditEntry, 'timestamp'>): Promise<void> {
  const log: AuditEntry = { ...entry, timestamp: new Date() };

  // Log to CodeRabbit analytics
  await coderabbitClient.track('audit', log);

  // Also log locally for compliance
  console.log('[AUDIT]', JSON.stringify(log));
}

// Usage
await auditLog({
  action: 'coderabbit.api.call',
  userId: currentUser.id,
  resource: '/v1/resource',
  result: 'success',
});

typescript

interface AuditEntry {
  timestamp: Date;
  action: string;
  userId: string;
  resource: string;
  result: 'success' | 'failure';
  metadata?: Record<string, any>;
}

async function auditLog(entry: Omit<AuditEntry, 'timestamp'>): Promise<void> {
  const log: AuditEntry = { ...entry, timestamp: new Date() };

  // 记录至CodeRabbit分析平台
  await coderabbitClient.track('audit', log);

  // 同时本地记录以满足合规要求
  console.log('[AUDIT]', JSON.stringify(log));
}

// 使用示例
await auditLog({
  action: 'coderabbit.api.call',
  userId: currentUser.id,
  resource: '/v1/resource',
  result: 'success',
});

Resources

参考资源

Next Steps

后续步骤

For production deployment, see

coderabbit-prod-checklist

如需生产环境部署，请查看

coderabbit-prod-checklist

。