Skip to content

Security: andreathar/MLcreator

Security

SECURITY.md

πŸ”’ Security - GitGuardian Shield Setup

This document explains how GitGuardian Shield (ggshield) is configured to protect the MLCreator project from accidental commits of sensitive information like API keys, passwords, and other secrets.

πŸ“‹ Overview

ggshield is a command-line tool that scans your code for secrets before you commit them. It integrates with GitGuardian's security platform to detect and prevent the accidental exposure of sensitive data.

🚨 Unity MCP Folder Analysis

Is Assets/Plugins/UnityMCP/ Redundant?

YES - This folder WAS redundant and has been cleaned up.

Status: βœ… REMOVED - Duplicate packages consolidated into Assets/Packages/

What Was Done:

The Unity MCP system had duplicate .NET packages installed in two locations:

  1. UnityMCP Plugin (Assets/Plugins/UnityMCP/) - ❌ REMOVED

    • Previously contained duplicate .NET dependencies
    • Was configured as NuGet repository path in NuGet.config
    • CLEANED UP: All duplicate packages removed

  2. Unity Package Manager (Assets/Packages/) - βœ… KEPT

    • Contains all necessary .NET assemblies
    • Single source of truth for packages
    • Managed by Unity Package Manager

Configuration Updated:

Assets/NuGet.config updated:

<!-- Before -->
<add key="repositoryPath" value="./Plugins/UnityMCP" />

<!-- After -->
<add key="repositoryPath" value="./Packages" />

Result: Future NuGet installations will use the same location as Unity Package Manager, preventing duplication.

πŸ› οΈ Quick Setup

Automated Setup (Recommended)

# Run the setup script
.\tools\ggshield-setup.ps1 -Install

# Test the installation
.\tools\ggshield-setup.ps1 -Test

# Scan the entire repository
.\tools\ggshield-setup.ps1 -Scan

Manual Setup

# 1. Install ggshield
pip install ggshield

# 2. Authenticate with GitGuardian
python -m ggshield auth login

# 3. Install pre-commit hooks
python -m ggshield install --mode local --append

πŸ” What Gets Scanned

Included Files

  • All source code files
  • Configuration files
  • Documentation
  • Scripts and build files

Excluded Files (by design)

  • Unity-specific files (.meta, .asset, .prefab, etc.)
  • Build artifacts (Library/, Temp/, Builds/)
  • Dependencies (node_modules/, .venv/)
  • IDE files (.vscode/, .idea/)
  • Binary files (images, executables, DLLs)

Custom Rules

  • Unity API keys
  • Supabase keys (anon + service)
  • Generic API keys and database passwords

πŸ›‘οΈ Pre-Commit Protection

ggshield is integrated into your pre-commit hooks. When you commit:

  1. Unity Asset Validation (existing) - Prevents corrupted Unity files
  2. Secret Scanning (ggshield) - Prevents secret exposure
  3. Commit proceeds only if both pass

What happens if secrets are found?

❌ Secret detected - commit blocked!

Details:
- File: config.json
- Line: 15
- Type: Generic API Key
- Severity: High

Fix: Remove the secret or add to .ggshield ignore patterns

πŸ§ͺ Testing Your Setup

Quick Test

# Test ggshield installation
python -m ggshield --version

# Test authentication
python -m ggshield auth status

# Test secret scanning
echo 'api_key = "sk-1234567890abcdef"' > test_file.py
python -m ggshield secret scan path test_file.py
rm test_file.py

Full Repository Scan

# Scan entire repository
python -m ggshield secret scan repo .

# Scan only staged changes
python -m ggshield secret scan pre-commit

πŸ“ Configuration

Main Configuration (.ggshield)

The configuration file controls:

  • Paths to scan (what gets checked)
  • Exclusions (what gets ignored)
  • Custom rules (additional secret patterns)
  • Output format (how results are displayed)

Unity-Specific Exclusions

Since this is a Unity project, many file types are automatically excluded:

  • .meta files (Unity metadata)
  • .asset and .prefab files (Unity assets)
  • Library/ directory (build artifacts)
  • Temp/ and Builds/ directories

🚨 Handling False Positives

Sometimes ggshield flags legitimate test data or example code:

Option 1: Add to .ggshield exclusions

exclude:
  - "test/fixtures/sample-keys.json"
  - "**/docs/examples/**"

Option 2: Use inline comments

// ggshield:ignore
string testApiKey = "sk-test123456789";

Option 3: Environment-specific files

Add test secrets to .gitignore and use environment variables instead.

πŸ”§ Troubleshooting

"ggshield command not found"

# Install ggshield
pip install ggshield

# Or run via Python module
python -m ggshield [command]

Authentication issues

# Re-authenticate
python -m ggshield auth login

# Check status
python -m ggshield auth status

Pre-commit hook not working

# Reinstall hooks
python -m ggshield install --mode local --force

# Check hook file
cat .git/hooks/pre-commit

Too many false positives

Edit .ggshield to add more exclusions or adjust entropy threshold.

πŸ“ž Getting Help

🎯 Best Practices

  1. Never commit real secrets - use environment variables
  2. Test your setup regularly with the test script
  3. Review flagged items carefully before ignoring
  4. Keep ggshield updated for new secret patterns
  5. Use .env files for local development (add to .gitignore)

πŸ“Š Security Metrics

Track these to measure effectiveness:

  • Secrets prevented from being committed
  • False positive rate
  • Scan performance (time to complete)
  • Hook execution success rate

Remember: Security is everyone's responsibility. ggshield helps catch mistakes, but the best security comes from secure coding practices.

There aren’t any published security advisories