Security Baseline
Access and identity
Secrets
App security
Supply chain

Security Baseline

Access and identity

Prefer least-privilege tokens and short-lived credentials
Separate duties between deploy and admin where possible

Secrets

No secrets in git, issues, logs, or build output
Store secrets in a managed secret store (or GitHub Actions secrets for early-stage)
Rotate on schedule and on incident

App security

Validate inputs; use allowlists where possible
Sanitize outputs; prevent injection and SSRF
Enforce authorization server-side

Supply chain

Pin dependencies where possible; keep updated
Add automated vulnerability scanning
Produce SBOMs for releases (recommended)

Incident Response Threat Model