Please report security issues privately before opening a public issue.
Use GitHub private vulnerability reporting if it is enabled for the repository. If it is not enabled yet, contact the maintainer through the public profile and request a private disclosure channel.
In scope:
- Hardcoded credential risks.
- Unsafe handling of CI/CD secrets.
- Build-time behavior that can leak tokens or private repository metadata.
- Dependency or plugin configuration that introduces a security regression.
Out of scope:
- Findings in third-party tools that this project only invokes.
- Requests to scan private systems.
- Reports without enough reproduction detail.
- Do not request secrets in issue threads.
- Reproduce reports with throwaway tokens and example repositories.
- Rotate any credential immediately if it was accidentally committed.