From 48707fe7596387ff85ca2c352a73bbbbf8386d17 Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Fri, 19 Jun 2026 09:25:12 +0000
Subject: [PATCH] netlify: document deploy-preview security for forked pull requests
A security review noted that Netlify builds deploy previews for pull requests from public forks automatically, which runs contributor code (next.config.js, package.json scripts and bundled JavaScript) on Netlify's build infrastructure before any maintainer review (CWE-829). The site is already configured so those builds only ever receive public values: the sensitive-variable policy withholds sensitive variables from untrusted deploys, and no secret variable is scoped to the deploy-preview context. This records that posture in netlify.toml and adds an explicit [context.deploy-preview.environment] block, so future changes do not inadvertently expose secrets to fork previews.
Signed-off-by: Richard Wall
---
netlify.toml | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/netlify.toml b/netlify.toml
index 8eb0c500a78..73b3f9f916f 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -13,6 +13,16 @@
 NEXT_PUBLIC_DOCS_SEARCH_INDEX_NAME = "cert-manager"
 NEXT_PUBLIC_DOMAIN_URL = "https://cert-manager.io"
 
+# Security (CWE-829): deploy previews for pull requests from public forks run
+# untrusted code automatically, before any review. Do NOT add secrets to this
+# block or to [build.environment] — they would be handed to fork builds. Secrets
+# belong in [context.production.environment] or a production-scoped Netlify UI
+# variable, which the sensitive-variable policy keeps from untrusted deploys:
+# https://docs.netlify.com/build/environment-variables/get-started/#sensitive-variable-policy
+# This block is intentionally empty: deploy previews inherit the public values
+# from [build.environment]; it exists only to make the "no secrets" rule visible.
+[context.deploy-preview.environment]
+
 # Prevent search engines from indexing preview sites for branch deploys. See
 # - https://docs.netlify.com/routing/headers/#custom-headers-for-different-branch-or-deploy-contexts
 # - https://developers.google.com/search/docs/crawling-indexing/block-indexing
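Review bot: The new comment tells contributors that secrets "belong in [context.production.environment]", but netlify.toml is committed to the same repository the public forks are taken from, so a value written there is readable by anyone regardless of deploy context, and the linked sensitive-variable policy governs variables stored on the Netlify side, not literals in this file. The guidance should rule the file out entirely, e.g. `# Secrets must never be written to netlify.toml at all (this file is public).` / `# Define them as Netlify UI/CLI variables scoped to production and marked sensitive;` / `# the sensitive-variable policy then withholds them from untrusted (fork) deploys:`. It is also worth stating in the block that the policy is a site-level setting outside this file, so the protection only holds while that setting is not relaxed to deploy without restrictions. The claim that an empty context table inherits the `[build.environment]` values is presumably Netlify's per-key merge behaviour rather than anything this file can show — confirm it against the docs before the comment relies on it.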