Windsurf AI安全基础知识

v20260423

windsurf-security-basics

该技能指导用户如何在Windsurf IDE中应用安全最佳实践。它教用户如何配置排除文件（如.codeiumignore），防止敏感数据和密钥泄露到AI索引中，管理遥测数据，从而确保工作空间的隔离性和合规性。

安全人工智能开发隐私合规代码

获取技能

448 次下载

概览

Windsurf Security Basics

Overview

Security best practices for Windsurf AI IDE: controlling what code Cascade can see, preventing secrets from leaking into AI context, managing telemetry, and configuring workspace isolation for regulated environments.

Prerequisites

Windsurf installed
Understanding of Codeium's data processing model
Repository with identified sensitive files

Instructions

Step 1: Exclude Secrets from AI Indexing

Create .codeiumignore at project root (gitignore syntax):

# .codeiumignore — files Codeium/Windsurf will NEVER index or read

# Secrets and credentials
.env
.env.*
.env.local
credentials.json
serviceAccountKey.json
*.pem
*.key
*.p12
*.pfx

# Cloud provider configs
.aws/
.gcloud/
.azure/

# Infrastructure secrets
terraform.tfstate
terraform.tfstate.backup
*.tfvars
vault-config.*

# Customer data
data/customers/
exports/
backups/
*.sql.gz

Default exclusions (automatic): Files in .gitignore, node_modules/, hidden directories (. prefix).

Enterprise: Place a global .codeiumignore at ~/.codeium/ for org-wide exclusions.

Step 2: Disable Telemetry (If Required)

// Windsurf Settings (settings.json)
{
  "codeium.enableTelemetry": false,
  "codeium.enableSnippetTelemetry": false,
  "telemetry.telemetryLevel": "off"
}

Step 3: Configure AI Autocomplete Exclusions

Disable Supercomplete for file types that commonly contain secrets:

{
  "codeium.autocomplete.languages": {
    "plaintext": false,
    "env": false,
    "dotenv": false,
    "properties": false,
    "ini": false
  }
}

Step 4: Create Security-Focused .windsurfrules

<!-- .windsurfrules - security section -->

## Security Requirements
- Never suggest hardcoded secrets, API keys, or passwords in code
- Always use environment variables via process.env for secrets
- Never log PII (email, phone, SSN, credit card numbers)
- Use parameterized queries for all database operations
- Never suggest wildcard CORS origins in production code
- All user input must be validated before processing
- Use constant-time comparison for secret/token validation

Step 5: Audit AI Workspace Access

#!/bin/bash
set -euo pipefail
echo "=== Windsurf Security Audit ==="

# Check if .codeiumignore exists
if [ ! -f .codeiumignore ]; then
  echo "WARNING: No .codeiumignore — AI can index all non-gitignored files"
fi

# Check for secrets that AI could index
echo "--- Potentially exposed secret files ---"
find . -type f \
  -not -path '*/node_modules/*' \
  -not -path '*/.git/*' \
  \( -name '*.env*' -o -name '*.key' -o -name '*.pem' \
  -o -name 'credentials*' -o -name '*secret*' \
  -o -name '*.tfvars' -o -name 'serviceAccount*' \) \
  2>/dev/null | head -20

# Check if found files are in .codeiumignore
echo "--- Verify all above files are excluded ---"

Step 6: Windsurf Data Processing Model

# What Windsurf/Codeium processes:
data_processing:
  indexed_locally:
    - File contents for Supercomplete context
    - Codebase structure for Cascade awareness
    stored: "Local machine only (not sent to cloud for indexing)"

  sent_to_cloud:
    - Cascade prompts (for AI model inference)
    - Code snippets around cursor (for Supercomplete)
    stored: "Zero-data retention for paid plans"

  never_processed:
    - Files in .codeiumignore
    - Files in .gitignore (by default)
    - Files in node_modules/

  compliance:
    - SOC 2 Type II certified
    - FedRAMP High accredited
    - HIPAA BAA available (Enterprise)
    - Zero-data retention on paid plans

Security Checklist

.codeiumignore exists with secret file patterns
.env files excluded from AI indexing
.windsurfrules includes security coding standards
Telemetry disabled (if required by policy)
Autocomplete disabled for secret-containing file types
No competing AI extensions installed (data exposure risk)
Team members trained on "never paste secrets into Cascade chat"
Enterprise: SSO configured, personal accounts blocked

Error Handling

Security Issue	Detection	Mitigation
Secret in Cascade suggestion	Appears in AI output	Add source file to `.codeiumignore`, rotate secret
AI indexing .env files	Check `.codeiumignore`	Add `.env*` pattern
Telemetry sending code	Policy audit	Disable all telemetry settings
Dev pastes secret in chat	Cannot detect after the fact	Training + enterprise data retention = 0

Examples

Enterprise .codeiumignore

# ~/.codeium/.codeiumignore (global, all workspaces)
*.pem
*.key
*.p12
*.env*
**/secrets/**
**/credentials/**
terraform.tfstate*
*.tfvars

Quick Privacy Check

# Verify critical files are excluded
echo ".env" | while read f; do
  [ -f "$f" ] && grep -q "\.env" .codeiumignore 2>/dev/null && echo "$f: PROTECTED" || echo "$f: EXPOSED"
done

Resources

Next Steps

For production deployment, see windsurf-prod-checklist.

信息

Category 编程开发

Name windsurf-security-basics

版本 v20260423

大小 5.75KB

Source jeremylongshore/claude-code-plugins-plus-skills

更新时间 2026-04-28