If you discover a security vulnerability in Cadence, please do not open a public GitHub issue. Instead, please report it responsibly by contacting us directly.
Email: hey@codemeapixel.dev
GitHub: Open a private security advisory on this repository (if available)
Social Media: @CodeMeAPixel on Twitter/X for urgent contact
When reporting a vulnerability, please include:
- Description of the vulnerability
- Steps to reproduce (if applicable)
- Potential impact
- Any proposed fixes (optional)
We will:
- Acknowledge receipt of your report within 48 hours
- Investigate and validate the issue
- Work on a fix and release a patch
- Credit you in the security advisory (unless you prefer anonymity)
- Release an immediate patch for critical vulnerabilities
- Address non-critical security issues in regular releases
- Publish a security advisory once the fix is available
| Version | Status | Support |
|---|---|---|
| v0.2.x | Current | Full support |
| v0.1.x | Legacy | Security fixes only |
| < v0.1 | EOL | Not supported |
When using Cadence:
- Keep your installation updated to the latest version
- Review analysis output carefully before taking action
- Use configuration files securely (don't commit secrets)
- Run in isolated environments when analyzing untrusted repositories
Cadence uses the following key dependencies:
- go-git/v5 - Git operations
- PuerkitoBio/goquery - HTML parsing
- spf13/cobra - CLI framework
- openai-go - Optional AI analysis
We monitor these dependencies for security issues and update promptly when vulnerabilities are found.
For security-related questions (not vulnerability reports), please contact hey@codemeapixel.dev.