Security Checklist

This document provides pre-deployment and post-deployment checklists, secret management policies, key rotation schedules, and vulnerability scanning requirements for the Lithosphere network.

Pre-Deployment Checklist

Complete all items before deploying to any environment:

• All CI checks passing

• Security scan (Slither) clean -- no high or critical findings

• Container scan (Trivy) clean -- no critical CVEs

• SBOM generated and attested

• Artifacts signed with Cosign

• Provenance attestation generated

• Required approvals obtained

• Deployment window confirmed

• Rollback plan documented

• On-call team notified

Post-Deployment Checklist

Verify all items after deployment completes:

• Health checks passing

• Metrics baseline established

• Error rates normal

• Latency within SLA

• Smoke tests passing

• Status page updated

• Change record closed

Secret Management Policies

All secrets must be stored in Vault. The following practices are strictly prohibited:

• Hardcoding secrets in source code

• Storing secrets in plaintext configuration files

• Committing secrets to version control

• Sharing secrets via unencrypted channels (email, chat)

• Using the same secret across multiple environments

• Storing secrets in environment variables on CI runners without masking

Key Rotation Schedule

Emergency Rotation SLA

When a secret is compromised, follow these response timelines:

Vulnerability Scanning Schedule