
This skill helps secure CodeRabbit integration by managing API keys, enforcing least privilege, and auditing access across environments.

npx playbooks add skill jeremylongshore/claude-code-plugins-plus-skills --skill coderabbit-security-basics

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
3.5 KB
---
name: coderabbit-security-basics
description: |
  Apply CodeRabbit security best practices for secrets and access control.
  Use when securing API keys, implementing least privilege access,
  or auditing CodeRabbit security configuration.
  Trigger with phrases like "coderabbit security", "coderabbit secrets",
  "secure coderabbit", "coderabbit API key security".
allowed-tools: Read, Write, Grep
version: 1.0.0
license: MIT
author: Jeremy Longshore <[email protected]>
---

# CodeRabbit Security Basics

## Overview
Security best practices for CodeRabbit API keys, tokens, and access control.

## Prerequisites
- CodeRabbit SDK installed
- Understanding of environment variables
- Access to CodeRabbit dashboard

## Instructions

### Step 1: Configure Environment Variables
```bash
# .env (NEVER commit to git)
CODERABBIT_API_KEY=sk_live_***
CODERABBIT_SECRET=***

# .gitignore
.env
.env.local
.env.*.local
```

### Step 2: Implement Secret Rotation
```bash
# 1. Generate new key in CodeRabbit dashboard
# 2. Update environment variable
export CODERABBIT_API_KEY="new_key_here"

# 3. Verify new key works
curl -H "Authorization: Bearer ${CODERABBIT_API_KEY}" \
  https://api.coderabbit.com/health

# 4. Revoke old key in dashboard
```

### Step 3: Apply Least Privilege
| Environment | Recommended Scopes |
|-------------|-------------------|
| Development | `read:*` |
| Staging | `read:*, write:limited` |
| Production | Only the scopes the workload actually needs |

## Output
- Secure API key storage
- Environment-specific access controls
- Audit logging enabled

## Error Handling
| Security Issue | Detection | Mitigation |
|----------------|-----------|------------|
| Exposed API key | Git scanning | Rotate immediately |
| Excessive scopes | Audit logs | Reduce permissions |
| Missing rotation | Key age check | Schedule rotation |
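The detection column of the table above, as an added example (not part of the skill's own code): a scanner for key material in tracked files, a check of granted scopes against the per-environment policy from Step 3, and a key-age check. The `sk_live_` key shape follows the Step 1 placeholder, the production scope names `read:reviews` and `write:comments` are assumed for illustration, and the file contents and key inventory are constructed sample input.

```typescript
// Key shape follows the `sk_live_` placeholder in Step 1; CodeRabbit's real key
// format is an assumption here. Env-var names are the ones used on this page.
const KEY_PATTERNS: RegExp[] = [
  /\bsk_live_[A-Za-z0-9]{8,}\b/g,
  /\bCODERABBIT_(?:API_KEY|SECRET|READ_KEY|WRITE_KEY)\s*=\s*["']?([^\s"']+)/g,
];

interface Finding { file: string; line: number; match: string }

// Redacted (`***`) or templated (`${VAR}`) values are documentation, not leaks.
function isPlaceholder(value: string): boolean {
  return /\*{3}|^\$\{/.test(value);
}

// Scan file contents (for example every file `git ls-files` reports) for key
// material. Each distinct value on a line is reported once.
function scanForExposedKeys(files: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const file of Object.keys(files)) {
    files[file].split('\n').forEach((text, index) => {
      const values = new Set<string>();
      for (const pattern of KEY_PATTERNS) {
        pattern.lastIndex = 0; // global regex: reset before scanning a new line
        let m: RegExpExecArray | null;
        while ((m = pattern.exec(text)) !== null) values.add(m[1] ?? m[0]);
      }
      values.forEach(value => {
        if (!isPlaceholder(value)) findings.push({ file, line: index + 1, match: value });
      });
    });
  }
  return findings;
}

// Scope policy from the Least Privilege table. `read:*` matches every read
// scope; production lists exactly what one workload needs (names assumed).
const SCOPE_POLICY: Record<string, string[]> = {
  development: ['read:*'],
  staging: ['read:*', 'write:limited'],
  production: ['read:reviews', 'write:comments'],
};

function scopeAllowed(scope: string, allowed: string[]): boolean {
  return allowed.some(a =>
    a === scope || (a.endsWith(':*') && scope.startsWith(a.slice(0, -1))));
}

// Scopes granted to a key that the environment's policy does not permit.
// A granted wildcard such as `write:*` is excessive unless the policy itself
// grants that wildcard.
function excessiveScopes(env: string, granted: string[]): string[] {
  const allowed = SCOPE_POLICY[env] || [];
  return granted.filter(s => !scopeAllowed(s, allowed));
}

interface KeyRecord { id: string; createdAt: Date }

// Keys older than maxAgeDays are due for the rotation procedure in Step 2.
function keysNeedingRotation(keys: KeyRecord[], now: Date, maxAgeDays: number): string[] {
  const maxAgeMs = maxAgeDays * 24 * 60 * 60 * 1000;
  return keys.filter(k => now.getTime() - k.createdAt.getTime() > maxAgeMs).map(k => k.id);
}

// Constructed sample repository contents and key inventory for the demo.
const SAMPLE_FILES: Record<string, string> = {
  'src/config.ts': 'const key = "sk_live_abcdefgh12345678"; // hardcoded, should come from env\n',
  '.env.example': 'CODERABBIT_API_KEY=sk_live_***\nCODERABBIT_SECRET=${CODERABBIT_SECRET}\n',
  'README.md': 'Set CODERABBIT_API_KEY in your shell before running.\n',
};
const SAMPLE_KEYS: KeyRecord[] = [
  { id: 'key_old', createdAt: new Date('2024-01-01T00:00:00Z') },
  { id: 'key_new', createdAt: new Date('2024-06-01T00:00:00Z') },
];

// One pass over all three checks; the hardcoded key in src/config.ts is the
// only real finding, the .env.example placeholders are ignored.
function securityAudit(now: Date = new Date('2024-07-01T00:00:00Z')) {
  return {
    exposedKeys: scanForExposedKeys(SAMPLE_FILES),
    excessive: excessiveScopes('development', ['read:reviews', 'write:comments']),
    rotationDue: keysNeedingRotation(SAMPLE_KEYS, now, 90),
  };
}
```

Run the scanner over the output of `git ls-files` in CI and over `git log -p` once after a suspected leak: a key that was committed and then deleted is still in history and must be rotated, not just removed.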

## Examples

### Service Account Pattern
```typescript
// CodeRabbitClient is the SDK client class (import path depends on the SDK).
// Reader and writer use separate credentials, so a leaked read key cannot
// be used to write. Fail fast instead of constructing a client with
// `undefined` as its key.
function requireEnv(name: string): string {
  const value = process.env[name];
  if (!value) throw new Error(`Missing required environment variable ${name}`);
  return value;
}

const clients = {
  reader: new CodeRabbitClient({ apiKey: requireEnv('CODERABBIT_READ_KEY') }),
  writer: new CodeRabbitClient({ apiKey: requireEnv('CODERABBIT_WRITE_KEY') }),
};
```

### Webhook Signature Verification
```typescript
import { createHmac, timingSafeEqual } from 'crypto';

// `payload` must be the raw request body bytes as received: re-serializing a
// parsed JSON object changes whitespace and key order, and the HMAC will not
// match. `signature` is the sender's hex digest; strip any header prefix
// (provider-specific) before calling.
function verifyWebhookSignature(
  payload: string | Buffer, signature: string, secret: string
): boolean {
  const expected = createHmac('sha256', secret).update(payload).digest();
  const received = Buffer.from(signature, 'hex');
  // timingSafeEqual throws on a length mismatch, so check length first;
  // a wrong length is a definite failure and reveals nothing about the secret.
  if (received.length !== expected.length) return false;
  return timingSafeEqual(received, expected);
}
```
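A complete webhook handler around that check, as an added example (not the skill's or CodeRabbit's code): it verifies the raw body before parsing it, rejects missing, tampered or re-serialized bodies, and accepts a list of secrets so a webhook secret can be rotated with overlap, as the rotation procedure in Step 2 recommends. The header name `x-webhook-signature`, the "hex HMAC-SHA256 of the raw body" format and the event body are assumptions; CodeRabbit's actual signing details are not stated on this page.

```typescript
import { createHmac, timingSafeEqual } from 'crypto';

// Header name and signature format are assumptions for this example.
const SIGNATURE_HEADER = 'x-webhook-signature';

interface HandlerResult { status: number; event?: unknown; reason?: string }

// Sender side: what the webhook origin computes over the exact bytes it sends.
function signBody(body: Buffer, secret: string): string {
  return createHmac('sha256', secret).update(body).digest('hex');
}

// Receiver side. Several secrets are accepted so that during rotation both the
// new and the not-yet-revoked old secret verify (zero-downtime rotation).
function matchesAnySecret(body: Buffer, signatureHex: string, secrets: string[]): boolean {
  const received = Buffer.from(signatureHex, 'hex'); // non-hex input yields a short buffer
  return secrets.some(secret => {
    const expected = createHmac('sha256', secret).update(body).digest();
    return received.length === expected.length && timingSafeEqual(received, expected);
  });
}

// Verify first, parse afterwards: an unauthenticated body never reaches JSON.parse.
function handleWebhook(
  rawBody: Buffer, headers: Record<string, string | undefined>, secrets: string[]
): HandlerResult {
  const signature = headers[SIGNATURE_HEADER];
  if (!signature) return { status: 401, reason: 'missing signature' };
  if (!matchesAnySecret(rawBody, signature, secrets)) {
    return { status: 401, reason: 'bad signature' };
  }
  try {
    return { status: 200, event: JSON.parse(rawBody.toString('utf8')) };
  } catch {
    return { status: 400, reason: 'malformed JSON' };
  }
}

// Exercises the accept and reject paths on a constructed event body.
function demo(): { ok: HandlerResult; reserialized: HandlerResult; tampered: HandlerResult; rotated: HandlerResult } {
  const oldSecret = 'whsec_old_example';
  const newSecret = 'whsec_new_example';
  const body = Buffer.from('{"event": "review.completed", "pr": 42}'); // constructed sample
  const headers = { [SIGNATURE_HEADER]: signBody(body, oldSecret) };

  const ok = handleWebhook(body, headers, [oldSecret]);
  // JSON.stringify(JSON.parse(...)) drops the spaces, so the bytes differ and the
  // signature no longer matches: the reason the raw body must be used.
  const reserialized = handleWebhook(
    Buffer.from(JSON.stringify(JSON.parse(body.toString('utf8')))), headers, [oldSecret]);
  const tampered = handleWebhook(
    Buffer.from('{"event": "review.completed", "pr": 43}'), headers, [oldSecret]);
  // Mid-rotation: the new secret is listed first, the old one still verifies.
  const rotated = handleWebhook(body, headers, [newSecret, oldSecret]);
  return { ok, reserialized, tampered, rotated };
}
```

Once the old secret is revoked in the dashboard, drop it from the list; until then, events signed with either secret are accepted, which is what lets you verify the new secret before revoking the old one.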

### Security Checklist
- [ ] API keys in environment variables
- [ ] `.env` files in `.gitignore`
- [ ] Different keys for dev/staging/prod
- [ ] Minimal scopes per environment
- [ ] Webhook signatures validated
- [ ] Audit logging enabled

### Audit Logging
```typescript
interface AuditEntry {
  timestamp: Date;
  action: string;
  userId: string;
  resource: string;
  result: 'success' | 'failure';
  // Never place API keys, tokens or full request bodies in metadata.
  metadata?: Record<string, unknown>;
}

// `coderabbitClient` (an SDK client instance) and `currentUser` are assumed
// to be in scope; `track` is the analytics method this pattern expects on it.
async function auditLog(entry: Omit<AuditEntry, 'timestamp'>): Promise<void> {
  const log: AuditEntry = { ...entry, timestamp: new Date() };

  // Log to CodeRabbit analytics
  await coderabbitClient.track('audit', log);

  // Also log locally for compliance
  console.log('[AUDIT]', JSON.stringify(log));
}

// Usage: record failures as well as successes, or the trail is incomplete
await auditLog({
  action: 'coderabbit.api.call',
  userId: currentUser.id,
  resource: '/v1/resource',
  result: 'success',
});
```
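The wrapper form of that pattern, as an added example (not the skill's code): `withAudit` runs an API call and records an entry for both outcomes, so a caller cannot forget the failure path, and it rethrows after logging. Only the error class name is recorded, not the message, which may echo a key or request body. The `fakeApiCall` stand-in and the sink are constructed for the demo; no SDK or network is involved.

```typescript
interface AuditEntry {
  timestamp: Date;
  action: string;
  userId: string;
  resource: string;
  result: 'success' | 'failure';
  metadata?: Record<string, unknown>;
}

// Where entries go: in production a log pipeline, here an in-memory array.
type AuditSink = (entry: AuditEntry) => void;

// Every call through the wrapper produces exactly one entry. Failures are
// recorded first and then rethrown, so the caller still sees the error.
async function withAudit<T>(
  sink: AuditSink, action: string, userId: string, resource: string, call: () => Promise<T>
): Promise<T> {
  try {
    const value = await call();
    sink({ timestamp: new Date(), action, userId, resource, result: 'success' });
    return value;
  } catch (err) {
    sink({
      timestamp: new Date(), action, userId, resource, result: 'failure',
      // class name only: error messages can contain the key or the request body
      metadata: { error: err instanceof Error ? err.constructor.name : 'unknown' },
    });
    throw err;
  }
}

// Constructed stand-in for a CodeRabbit API call (no network).
async function fakeApiCall(path: string): Promise<{ path: string }> {
  if (path.startsWith('/v1/admin')) throw new Error('403 forbidden');
  return { path };
}

// One allowed call and one rejected call; both end up in the trail.
async function demoAudit(): Promise<AuditEntry[]> {
  const trail: AuditEntry[] = [];
  const sink: AuditSink = e => { trail.push(e); };
  await withAudit(sink, 'coderabbit.api.call', 'user-1', '/v1/reviews',
    () => fakeApiCall('/v1/reviews'));
  try {
    await withAudit(sink, 'coderabbit.api.call', 'user-1', '/v1/admin/keys',
      () => fakeApiCall('/v1/admin/keys'));
  } catch {
    // expected: the failure is already in the trail, then rethrown to the caller
  }
  return trail;
}
```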

## Resources
- [CodeRabbit Security Guide](https://docs.coderabbit.com/security)
- [CodeRabbit API Scopes](https://docs.coderabbit.com/scopes)

## Next Steps
For production deployment, see `coderabbit-prod-checklist`.

Overview

This skill applies CodeRabbit security best practices for API keys, tokens, and access control. It guides environment variable handling, secret rotation, least-privilege configuration, and basic audit logging. Use it to quickly harden integrations that call CodeRabbit services.

How this skill works

The skill inspects common secret storage patterns and recommends secure alternatives such as environment variables and ignored .env files. It walks through a rotation procedure, shows how to grant minimal scopes per environment, and demonstrates webhook signature verification and audit logging patterns. Practical code snippets illustrate service account usage and audit entry recording.

When to use it

  • When storing or deploying CodeRabbit API keys in development, staging, or production
  • When implementing least-privilege access for different environments
  • During security audits to find exposed keys or excessive scopes
  • When adding webhook handlers that must verify signatures
  • When establishing audit logging for CodeRabbit-related actions

Best practices

  • Never commit .env files or secrets to version control; add them to .gitignore
  • Store keys in environment variables or a secrets manager and use different keys per environment
  • Rotate keys regularly and verify the new key before revoking the old one
  • Grant the minimal scopes required per environment (read-only for dev, limited write for staging, only the scopes the workload needs in production)
  • Validate webhook signatures using timing-safe comparisons and a shared secret
  • Record audit entries for sensitive actions and persist both remote and local logs for compliance

Example use cases

  • Configuring separate reader and writer service accounts for a microservice using CodeRabbit
  • Rotating an API key after a suspected exposure and validating new credentials via a health endpoint
  • Running a security audit to detect keys in the repository, then reducing scopes and rotating affected keys
  • Implementing webhook processing that verifies HMAC signatures before accepting events
  • Adding an audit log wrapper around CodeRabbit API calls to track user actions and outcomes

FAQ

How often should I rotate CodeRabbit API keys?

Rotate keys on a regular schedule and immediately after any suspected exposure. Align rotation frequency with your risk profile and compliance needs.

What scopes should production keys have?

Give production keys only the scopes strictly required for the task. Avoid broad read:* or write:* scopes in production unless absolutely necessary.