X402 Security and Compliance

By X402 Team | Last Updated: February 2026

Direct Answer

Detailed Explanation

Security Fundamentals

Access Control

Repository-level permissions:

## Permission Levels


Admin

Full repository access
Settings management
Permission management
Delete repository


Write

Create and edit content
Push to branches
Cannot change settings


Read

View content
Clone repository
Cannot push changes


No Access

Cannot see repository
Useful for confidential projects

Branch protection:

# Branch protection rules for main


Required:

Pull request reviews (minimum 2)
Status checks pass
Conversation resolution
Up-to-date branch
Code owner approval


Restrictions:

No direct pushes to main
No force pushes
No deletions
Require linear history

Team-based access:

## GitHub Teams Structure


@docs-admins

Permissions: Admin
Members: Documentation leadership
Access: All repositories


@docs-writers

Permissions: Write
Members: Technical writers
Access: Content repositories only


@docs-reviewers

Permissions: Read + Review
Members: SMEs, stakeholders
Access: Review-only via CODEOWNERS


@docs-viewers

Permissions: Read
Members: General staff
Access: Published documentation

Secret Prevention

Pre-commit hooks:

#!/bin/bash
.git/hooks/pre-commit


Check for common secrets patterns
secrets_patterns=(
  "api[_-]?key"
  "password\s="
  "secret\s="
  "token\s="
  "private[_-]?key"
  "aws[_-]?access"
  "-----BEGIN.PRIVATE KEY-----"
)

for pattern in "${secrets_patterns[@]}"; do
  if git diff --cached | grep -iE "$pattern"; then
    echo "❌ Potential secret detected: $pattern"
    echo "Please remove secrets before committing"
    exit 1
  fi
done

echo "✓ No secrets detected"

Git-secrets tool:

# Install git-secrets
brew install git-secrets  # macOS
or
apt-get install git-secrets  # Linux


Initialize in repository
cd x402-content
git secrets --install

Add patterns
git secrets --add 'password\s='
git secrets --add 'api[_-]?key\s='
git secrets --add '[Aa]uth[_-]?token\s='

Scan repository
git secrets --scan
git secrets --scan-history

# .github/workflows/secret-scan.yml
name: Secret Scan


on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:

uses: actions/checkout@v3

        with:
          fetch-depth: 0



name: TruffleHog Scan

        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: main
          head: HEAD


name: GitLeaks Scan

        uses: gitleaks/gitleaks-action@v2

# Generate GPG key
gpg --full-generate-key


List keys
gpg --list-secret-keys --keyid-format LONG

Export public key
gpg --armor --export <KEY_ID>

Configure Git
git config --global user.signingkey <KEY_ID>
git config --global commit.gpgsign true

Verify signed commits
git log --show-signature

# Branch protection: Require signed commits
Settings → Branches → Branch protection rules
☑ Require signed commits

# Generate audit report
git log --all --pretty=format:"%h|%an|%ae|%ad|%s" --date=iso > audit-log.csv


Changes to specific files
git log --follow --all -- internal/policies/privacy-policy.md

Changes by date range
git log --since="2024-01-01" --until="2024-12-31" --pretty=format:"%ad %an: %s"

Who changed what
git blame internal/policies/data-retention.md

#!/bin/bash
generate-compliance-report.sh


echo "=== Compliance Audit Report ==="
echo "Generated: $(date)"
echo "Repository: $(git config --get remote.origin.url)"
echo

echo "=== Document Changes (Last 90 Days) ==="
git log --since="90 days ago" --name-only --pretty=format:"%ad %an" --date=short | \
  grep -E "\.md$" | sort | uniq -c

echo
echo "=== Contributors ==="
git log --since="90 days ago" --format="%an <%ae>" | sort -u

echo
echo "=== Policy Updates ==="
git log --since="90 days ago" --grep="policy" --pretty=format:"%ad %s" --date=short

echo
echo "=== Approval History ==="
Extract PR merge commits
git log --since="90 days ago" --merges --pretty=format:"%ad %s" --date=short

# Data Retention Policy


Active Content

Duration: Indefinite
Location: Main branch
Backup: Multiple remotes


Archived Content

Duration: 7 years
Location: Archive branch
Review: Annual


Deprecated Content

Duration: 3 years after deprecation
Location: Deprecated branch
Deletion: After retention period


Implementation

Tag content with retention metadata
Automated archival process
Compliance review before deletion

#!/bin/bash
archive-old-content.sh


Find batches older than 2 years with no recent changes
cutoff_date=$(date -d "2 years ago" +%Y-%m-%d)

for batch in batch-/; do
  last_modified=$(git log -1 --format=%ci -- "$batch" | cut -d' ' -f1)

if [[ "$last_modified" < "$cutoff_date" ]]; then
    echo "Archiving $batch (last modified: $last_modified)"

# Move to archive branch
    git checkout -b archive-temp
    git mv "$batch" "archive/$batch"
    git commit -m "Archive $batch (inactive since $last_modified)"
    git push origin archive-temp:archive

# Remove from main
    git checkout main
    git rm -r "$batch"
    git commit -m "Remove archived batch: $batch"
  fi
done

GDPR Compliance

Right to be forgotten:

#!/bin/bash
remove-personal-data.sh


email=$1
name=$2

if [ -z "$email" ]; then
  echo "Usage: $0 <email> [name]"
  exit 1
fi

echo "Removing personal data for: $email"

Use git-filter-repo to rewrite history
git filter-repo --mailmap <(echo "$email <$email> Redacted User <redacted@example.com>")

if [ -n "$name" ]; then
  git filter-repo --name-callback "return b'Redacted User' if name == b'$name' else name"
fi

echo "History rewritten. Force push required:"
echo "git push origin --force --all"
echo "WARNING: This is a destructive operation!"

Data minimization:

## PII Handling in Documentation


Prohibited

❌ Real customer names
❌ Email addresses
❌ Phone numbers
❌ Physical addresses
❌ Social security numbers
❌ Payment information


Allowed with Anonymization

✓ "Customer A" instead of "Acme Corp"
✓ "user@example.com" in examples
✓ "555-0123" for phone examples
✓ Sanitized logs and data


Enforcement

Pre-commit hooks scan for email patterns
Manual review for customer references
Annual audit of content

SOC 2 Compliance

Type II controls:

## SOC 2 Controls for X402


CC6.1: Logical Access Controls

✓ Multi-factor authentication required
✓ Role-based access control
✓ Least privilege principle
✓ Regular access reviews


CC6.2: Authentication

✓ SSO integration (SAML)
✓ Strong password requirements
✓ Session timeout policies
✓ Failed login monitoring


CC6.3: Authorization

✓ CODEOWNERS enforcement
✓ Branch protection rules
✓ PR approval requirements
✓ Segregation of duties


CC7.2: System Monitoring

✓ Audit log retention (7 years)
✓ Change tracking (Git history)
✓ Anomaly detection
✓ Security incident logging


CC7.3: Incident Response

✓ Incident response plan
✓ Security team contacts
✓ Escalation procedures
✓ Post-incident review

Audit evidence collection:

#!/bin/bash
collect-soc2-evidence.sh


evidence_dir="soc2-evidence-$(date +%Y-%m-%d)"
mkdir -p "$evidence_dir"

Access control evidence
echo "Collecting access control evidence..."
gh api /orgs/enterprise/teams -q '.[].name' > "$evidence_dir/teams.txt"
gh api /repos/enterprise/docs/collaborators -q '.[].login' > "$evidence_dir/collaborators.txt"

Change management evidence
echo "Collecting change management evidence..."
git log --since="90 days ago" --pretty=format:"%H|%an|%ae|%ad|%s" > "$evidence_dir/changes.csv"

Branch protection evidence
echo "Collecting branch protection evidence..."
gh api /repos/enterprise/docs/branches/main/protection > "$evidence_dir/branch-protection.json"

Review approval evidence
echo "Collecting review evidence..."
gh pr list --state merged --limit 100 --json number,title,reviews > "$evidence_dir/pr-reviews.json"

echo "Evidence collected in $evidence_dir/"

Security Best Practices

Secure Configuration

.gitignore for sensitive files:

# Secrets and credentials
.env
.env.local
.key
.pem
credentials.json
secrets.yml


Configuration with secrets
config/production.yml
config/secrets.yml

Temporary files that might contain sensitive data
.log
.tmp
.DS_Store

IDE files that might contain paths
.vscode/settings.json
.idea/workspace.xml

Environment variables:

# Never commit these - use environment variables
export GITHUB_TOKEN="ghp_xxxxxxxxxxxx"
export DEPLOY_KEY="ssh-rsa AAAAB3..."


Reference in scripts
curl -H "Authorization: token $GITHUB_TOKEN" \
  https://api.github.com/repos/org/repo

Vulnerability Management

Dependency scanning:

# .github/workflows/dependency-scan.yml
name: Dependency Scan


on:
  schedule:

cron: '0 0   0'  # Weekly

  push:
    paths:

'package.json'
'Gemfile'


jobs:
  scan:
    runs-on: ubuntu-latest
    steps:

uses: actions/checkout@v3



name: Run Snyk

        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}


name: GitHub Security Scan

        uses: github/codeql-action/analyze@v2

Update policy:

## Dependency Update Policy


Critical Vulnerabilities

Timeline: 24 hours
Process: Immediate patch
Testing: Expedited review
Approval: Security team


High Vulnerabilities

Timeline: 7 days
Process: Scheduled patch
Testing: Standard review
Approval: Team lead


Medium/Low Vulnerabilities

Timeline: 30 days
Process: Regular maintenance
Testing: Full test suite
Approval: Normal process

Incident Response

Security incident workflow:

## Security Incident Response


Detection

Automated alerts (GitHub Advanced Security)
User reports
Security scan findings
Audit log anomalies


Initial Response (within 1 hour)

Assess severity
Contain threat
Notify security team
Document incident


Investigation

Identify affected systems/data
Determine root cause
Assess impact
Collect evidence


Remediation

Remove threat
Patch vulnerability
Rotate credentials if compromised
Update access controls


Recovery

Restore normal operations
Monitor for recurrence
Communicate to stakeholders
Document lessons learned


Post-Incident

Root cause analysis
Update procedures
Security training
Compliance reporting

Incident response script:

#!/bin/bash
incident-response.sh


incident_id=$1
severity=$2  # critical, high, medium, low

if [ -z "$incident_id" ]; then
  echo "Usage: $0 <incident-id> <severity>"
  exit 1
fi

incident_dir="incidents/$incident_id"
mkdir -p "$incident_dir"

Collect evidence
echo "Collecting incident evidence..."
git log --all --since="7 days ago" > "$incident_dir/recent-commits.log"
git reflog > "$incident_dir/reflog.log"
cp .git/config "$incident_dir/git-config.txt"

Check for secrets in recent commits
echo "Scanning for secrets..."
git secrets --scan > "$incident_dir/secret-scan.log" 2>&1

List all contributors
git log --all --format="%an <%ae>" | sort -u > "$incident_dir/contributors.txt"

If critical, lock repository
if [ "$severity" = "critical" ]; then
  echo "CRITICAL: Consider locking repository"
  echo "gh repo edit --enable-security-and-analysis"
fi

echo "Incident evidence collected in $incident_dir/"
echo "Next steps:"
echo "1. Review evidence"
echo "2. Contain threat"
echo "3. Notify security team"
echo "4. Follow incident response plan"

Compliance Frameworks

ISO 27001

Information security controls:

## ISO 27001 Controls for X402


A.9: Access Control

Access control policy implemented
User access management via Git
User access reviews (quarterly)
Removal of access rights (automated)


A.12: Operations Security

Documented operating procedures
Change management via Git
Malware protection (scanning)
Backup procedures (multiple remotes)


A.13: Communications Security

Network controls (HTTPS only)
Information transfer (encrypted Git)
Electronic messaging (commit signing)


A.14: System Acquisition

Security requirements analysis
Application security (markdown only)
Development security (CI/CD checks)


A.18: Compliance

Legal requirements identification
IP rights protection
Privacy protection
Records management (Git history)

HIPAA (Healthcare)

Protected Health Information (PHI):

## HIPAA Compliance for Healthcare Documentation


PHI Handling

❌ Never include in X402:
Patient names
Medical record numbers
Treatment details
Billing information
Any of 18 HIPAA identifiers


Allowed Content

✓ De-identified examples
✓ Synthetic data
✓ Procedural documentation
✓ System configuration guides


Technical Safeguards

Encryption at rest (Git hosting)
Encryption in transit (HTTPS)
Access controls (GitHub teams)
Audit trails (Git history)
Integrity controls (commit signing)


Administrative Safeguards

Security training (annual)
Access reviews (quarterly)
Incident response plan
Business associate agreements

FISMA (Government)

Federal security requirements:

## FISMA Compliance


Categorization

System: Documentation Repository
Impact Level: Moderate
Confidentiality: Moderate
Integrity: Moderate
Availability: Low


Required Controls (NIST 800-53)

AC-2: Account Management ✓
AC-3: Access Enforcement ✓
AU-2: Audit Events ✓
AU-3: Audit Content ✓
CM-2: Baseline Configuration ✓
IA-2: Identification/Authentication ✓
SC-8: Transmission Confidentiality ✓
SC-13: Cryptographic Protection ✓


Continuous Monitoring

Daily: Automated security scans
Weekly: Access reviews
Monthly: Compliance reporting
Quarterly: Security assessments
Annually: Full authorization review

Security Checklist

Pre-deployment security review:

## Security Checklist


Access Control

[ ] Appropriate permissions set
[ ] CODEOWNERS configured
[ ] Branch protection enabled
[ ] 2FA required for all users
[ ] SSO integrated


Secret Management

[ ] .gitignore configured
[ ] Git-secrets installed
[ ] Pre-commit hooks active
[ ] No secrets in history
[ ] Environment variables documented


Audit and Compliance

[ ] Audit logging enabled
[ ] Retention policy defined
[ ] Compliance requirements identified
[ ] Incident response plan exists
[ ] Contact information current


Code Security

[ ] Dependency scanning enabled
[ ] Automated security checks
[ ] Signed commits required
[ ] No vulnerable dependencies
[ ] Security training completed


Data Protection

[ ] No PII in repository
[ ] Data classification applied
[ ] Encryption at rest/transit
[ ] Backup procedures tested
[ ] Recovery plan documented

Related Questions

• What is X402?
• X402 for enterprise
• X402 best practices
• X402 quality assurance

Quality Standards

• [x] Meets brand voice requirements
• [x] Follows formatting standards
• [x] Includes all required elements
• [x] Ready for production

Start Building with X402

Get our free X402 Implementation Starter Kit with ready-to-use templates, code examples, and best practices.

What is included:

• Quick-start implementation templates
• API integration examples
• Configuration best practices guide

Get the Free Starter Kit