The golden rule

Never commit API keys to source control. Not even in private repositories. Not even “temporarily.” Not in comments. Not in test files. ZenVeil will catch this — and so will attackers.

ZenVeil API key

Where to store it

# In your shell profile (~/.zshrc or ~/.bashrc)
export ZENVEIL_API_KEY="zvk_live_your_key_here"

# Reload
source ~/.zshrc

What to never do

# NEVER hardcode in source
api_key = "zvk_live_a1b2c3d4..."   # ZenVeil will flag this as CRITICAL

# NEVER commit .env files
# Add to .gitignore:
# .env
# .env.*
# !.env.example

# NEVER log the key
print(f"Using key: {api_key}")     # Appears in CI logs

# NEVER put in URLs
# https://api.zenveil.dev/v1/scan?key=zvk_live_...  # Logged by proxies
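
The rules above (read the key from the environment, never hardcode it, never log it, never put it in a URL) are easy to state and easy to get wrong in a helper someone writes at 2 a.m. The following is an added example, not ZenVeil's own code: a small Python module that loads the key strictly from the environment, fails loudly when it is absent, and redacts anything key-shaped before it reaches a log line or a URL check. The zvk_live_ prefix comes from this page; the character set and minimum length after it are assumptions for the pattern, not ZenVeil's documented key format.

```python
import os
import re

# Prefix taken from this page's examples. The character set and minimum
# length after the prefix are assumptions for illustration, not ZenVeil's
# documented key format.
KEY_RE = re.compile(r"zvk_live_[A-Za-z0-9]{8,}")
ENV_VAR = "ZENVEIL_API_KEY"


def load_api_key(env=None):
    """Read the key from the environment only.

    There is deliberately no fallback default: a missing key must fail
    loudly (in CI too) rather than silently use a hardcoded value.
    """
    env = os.environ if env is None else env
    key = env.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(
            f"{ENV_VAR} is not set; export it in your shell profile or CI secrets"
        )
    if not KEY_RE.fullmatch(key):
        raise ValueError(f"{ENV_VAR} does not look like a ZenVeil key (expected zvk_live_ prefix)")
    return key


def redact(key):
    """Log-safe form: the fixed 9-character prefix plus the last four characters."""
    return key[:9] + "..." + key[-4:]


def scrub(text):
    """Replace every key-shaped token in a message before it is logged.

    Use this on anything that might carry a key (exception text, HTTP
    bodies, debug dumps); do not rely on remembering not to print the key.
    """
    return KEY_RE.sub(lambda m: redact(m.group(0)), text)


def url_leaks_key(url):
    """True if a key appears anywhere in a URL (path, query or fragment),
    where proxies, CDNs and access logs would record it in plaintext."""
    return KEY_RE.search(url) is not None


if __name__ == "__main__":
    # Constructed sample environment; this is not a real key.
    key = load_api_key({ENV_VAR: "zvk_live_a1b2c3d4e5f6g7h8"})
    print("Using key:", redact(key))                     # safe to log
    print(scrub("scan failed for key zvk_live_a1b2c3d4e5f6g7h8"))
    print(url_leaks_key("https://api.zenveil.dev/v1/scan?key=" + key))  # True
```

Wire `scrub` into your logging formatter rather than calling it ad hoc, and run `url_leaks_key` on outgoing request URLs in tests so a refactor that moves the key into a query parameter is caught before it ships.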

GitHub token

Minimum required scopes

Operation                    Scope
Scan public repository       None (no token needed)
Scan private repository      repo
Open pull requests           repo
Scan public repos only       public_repo
Use the minimum scope for your use case. A token with repo scope can read all your private repositories — don’t create one for scanning-only use cases. GitHub’s fine-grained personal access tokens let you scope access to specific repositories:
  1. Go to github.com/settings/tokens
  2. Generate new token → Fine-grained token
  3. Set Repository access → Only select repositories → choose your target
  4. Set Permissions → Contents → Read-only (for scanning)
  5. Add Pull requests → Read and write (only if using auto-PR)
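
Before a token is put into CI, it is worth verifying that it carries no more than the table above requires. GitHub reports the scopes of a classic personal access token in the X-OAuth-Scopes response header of any authenticated API call (for example `curl -sI -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/user`). The following is an added example, not part of ZenVeil: it parses that header value, applies the classic-token scope hierarchy (repo implies public_repo and the other repo:* scopes), and reports both what is missing for an operation and what is over-privileged. The operation names are labels chosen for this example; the scope requirements are the ones in the table. Fine-grained tokens express permissions per repository rather than as scopes, so this check only applies to classic tokens.

```python
# Minimum scopes per operation, taken from the table above. The operation
# keys are labels chosen for this example, not ZenVeil command names.
MIN_SCOPES = {
    "scan_public": set(),
    "scan_private": {"repo"},
    "open_pr": {"repo"},
    "scan_public_only": {"public_repo"},
}

# Classic-token scope hierarchy: granting the parent scope grants the children.
IMPLIES = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite", "security_events"},
}


def parse_scopes(header_value):
    """Parse an X-OAuth-Scopes header value such as 'repo, read:org'.

    Fine-grained tokens do not report scopes in this header, so an empty
    or missing value does not by itself mean the token is unprivileged.
    """
    return {s.strip() for s in (header_value or "").split(",") if s.strip()}


def expand(scopes):
    """Add every scope implied by the granted ones."""
    effective = set(scopes)
    for scope in scopes:
        effective |= IMPLIES.get(scope, set())
    return effective


def check_token(header_value, operation):
    """Compare a token's scopes with the minimum the operation needs.

    missing: required scopes the token cannot satisfy, even via hierarchy.
    excess:  granted scopes that the operation does not need at all; a
             non-empty set means the token should be re-issued narrower.
    """
    granted = parse_scopes(header_value)
    required = MIN_SCOPES[operation]
    missing = required - expand(granted)
    excess = granted - expand(required)
    return {"ok": not missing, "missing": missing, "excess": excess}


if __name__ == "__main__":
    # Constructed header values; real ones come from the API response.
    print(check_token("repo, read:org, workflow", "scan_private"))  # ok, but excess
    print(check_token("repo", "scan_public_only"))                   # over-privileged
    print(check_token("public_repo", "scan_private"))                # missing repo
```

A token that is `ok` but has a non-empty `excess` still works, which is exactly why over-scoped tokens survive in CI for years: nothing fails. Treat `excess` as a finding and replace the token with a fine-grained one scoped to the target repository.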

Token rotation

Rotate your GitHub token every 90 days. To rotate:
  1. Generate a new token
  2. Update it in your CI/CD secrets and local environment
  3. Revoke the old token at github.com/settings/tokens

Anthropic API key

The Anthropic API key is used only for AI-powered commands (explain, fix, triage, agent). It’s optional — local scanning works without it.
export ANTHROPIC_API_KEY="sk-ant-your_key_here"
ZenVeil uses this key to call Anthropic's API. The key is sent in a request header over HTTPS (Anthropic's API reads it from the x-api-key header); it is never logged, stored, or transmitted to ZenVeil servers.

Usage limits

Monitor usage at console.anthropic.com. Set monthly spending limits to prevent unexpected charges.

Security checklist

# .gitignore
.env
.env.*
!.env.example
ZenVeil’s secrets scanner will flag a missing .env in .gitignore as MEDIUM severity.
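
The .gitignore rule above has a subtlety that is easy to break: `.env.*` ignores `.env.example` too, and the `!.env.example` negation only works because gitignore applies the last matching rule. The following is an added example, not ZenVeil's scanner: a simplified gitignore evaluator that models those two behaviours (a pattern without a slash matches the file name at any depth; the last matching rule wins) and reports which env files a given .gitignore actually covers. It does not implement the full gitignore specification (directory-only patterns, `**`, or the rule that a file under an excluded directory cannot be re-included), and is labelled as such.

```python
import fnmatch
from pathlib import PurePosixPath

# The rule set recommended on this page.
RECOMMENDED_GITIGNORE = """
.env
.env.*
!.env.example
"""

# Constructed list of paths to check; extend with whatever your repo uses.
ENV_CANDIDATES = (".env", ".env.local", ".env.production", ".env.example", "config/.env")


def parse_gitignore(text):
    """Return (pattern, negated) pairs in file order, skipping blanks and comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        if negated:
            line = line[1:]
        rules.append((line, negated))
    return rules


def is_ignored(path, rules):
    """Simplified gitignore semantics (not the full spec):
    - a pattern with no slash is matched against the file name at any depth;
    - a pattern containing a slash is matched against the whole relative path;
    - the LAST matching rule decides, so a later '!' rule can re-include a file.
    """
    name = PurePosixPath(path).name
    ignored = False
    for pattern, negated in rules:
        target = path if "/" in pattern else name
        if fnmatch.fnmatchcase(target, pattern.lstrip("/")):
            ignored = not negated
    return ignored


def audit_env_files(gitignore_text, candidates=ENV_CANDIDATES):
    """Map each candidate path to whether this .gitignore would ignore it."""
    rules = parse_gitignore(gitignore_text)
    return {path: is_ignored(path, rules) for path in candidates}


def env_not_ignored(gitignore_text):
    """The condition behind the page's MEDIUM finding: .env is not ignored."""
    return not is_ignored(".env", parse_gitignore(gitignore_text))


if __name__ == "__main__":
    for path, ignored in audit_env_files(RECOMMENDED_GITIGNORE).items():
        print(f"{'ignored ' if ignored else 'TRACKED '} {path}")
    # A .gitignore that forgot the env rules entirely:
    print("missing .env rule:", env_not_ignored("node_modules/\ndist/\n"))
```

Run the audit against your real .gitignore before relying on it; the common failure is a later, broader negation such as `!.env*` added by someone who wanted to commit a template, which silently re-includes the real `.env` because it matches last.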
GitHub Actions automatically masks the values of secrets referenced from the secrets context in job logs. GitLab allows you to mark variables as Masked. Always enable masking for API keys, and remember that masking only matches the exact secret value: a key that is base64-encoded, URL-encoded or split across lines before it is printed will not be masked, so the rule is still never to print it.

Set a calendar reminder to rotate API keys every 90 days. GitHub supports token expiration; use it.

When rotating, revoke the old key immediately. A valid old key is a live credential even after you stop using it.

Use fine-grained GitHub tokens scoped to specific repos. Don't use personal access tokens with broad access for CI.