Security: blundergoat/gruff-php

SECURITY.md

Security Policy

gruff-php is a static-analysis tool. It scans source trees and may inspect PHP, YAML, JSON, XML, lockfiles, environment-like text, and generated reports. Treat analyzer output as sensitive when scanning private code.

Supported Versions

Version   Supported
0.1.x     Supported.
<0.1.0    Development snapshots only; not supported.

Reporting A Vulnerability

Do not open a public issue for a vulnerability that could expose secrets, execute commands, bypass path boundaries, corrupt files, or leak private source content.

Preferred reporting path for the public GitHub repository:

  1. Use GitHub private vulnerability reporting for https://github.com/blundergoat/gruff-php or a private security advisory.
  2. Include the affected version or commit.
  3. Include a minimal reproduction.
  4. State whether the issue affects normal local use, CI use, dashboard use, or report generation.

If private reporting is unavailable in the repository UI, open a public issue that only asks for a private security contact. Do not include exploit details, private source, or secret values in that issue.

Scope

Security-sensitive areas include:

  • Dashboard HTTP request handling.
  • Git diff and base-ref handling.
  • Baseline and trend-history file writes.
  • Infection execution via --infection-run.
  • Shell/process argument construction.
  • HTML, Markdown, SARIF, GitHub annotation, and JSON report escaping.
  • Sensitive-data detection and redaction.
  • Path discovery and ignored-path handling.

Handling Sensitive Findings

sensitive-data.* findings are redacted, but reports may still reveal file paths, line numbers, rule ids, and redacted previews. Store reports with the same care as source-code review artifacts.
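To make the caveat concrete, here is an added example of what a redacted preview and a pre-publication leak check look like. It is illustration code written for this page, not gruff-php's own redaction or report code, and it assumes PHP 8+ and a made-up finding shape (rule, path, line, match); the "secret" is a constructed dummy value.

```php
<?php
declare(strict_types=1);

// Added illustration, not gruff-php's own code. Assumed finding shape:
// ['rule' => ..., 'path' => ..., 'line' => ..., 'match' => raw matched text].
// Requires PHP 8+ (str_contains). All secret values below are dummies.

/**
 * Redact a matched secret for a report preview: keep a short prefix and
 * suffix so a reviewer can tell which credential it is, never the middle.
 * Values too short to survive a prefix/suffix window are masked completely.
 */
function redactPreview(string $secret, int $keep = 4): string
{
    $len = strlen($secret);
    if ($len <= $keep * 3) {
        return str_repeat('*', $len);
    }
    return substr($secret, 0, $keep)
        . str_repeat('*', $len - 2 * $keep)
        . substr($secret, -$keep);
}

/** Build the report entry that is safe to serialize to JSON, HTML or Markdown. */
function toReportFinding(array $finding): array
{
    return [
        'rule'    => $finding['rule'],
        'path'    => $finding['path'],   // still reveals where the secret lives
        'line'    => $finding['line'],   // and on which line
        'preview' => redactPreview($finding['match']),
    ];
}

/**
 * Final gate before a report artifact is stored or uploaded: the raw secret
 * must not appear in the output in plain, HTML-escaped or JSON-escaped form.
 * Escaping changes bytes, so a plain substring search alone is not enough.
 */
function reportLeaksSecret(string $serialized, string $secret): bool
{
    $forms = [
        $secret,
        htmlspecialchars($secret, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        trim(json_encode($secret), '"'),
        trim(json_encode($secret, JSON_UNESCAPED_SLASHES), '"'),
    ];
    foreach ($forms as $form) {
        if ($form !== '' && str_contains($serialized, $form)) {
            return true;
        }
    }
    return false;
}

// Constructed sample finding; the match is a dummy token, not a real credential.
$raw = [
    'rule'  => 'sensitive-data.generic-token',
    'path'  => 'config/services.php',
    'line'  => 42,
    'match' => 'dummy_tok_0123456789abcdefXYZ',
];

// Redacted report: safe to share with the same care as a code-review artifact.
$report = json_encode([toReportFinding($raw)], JSON_PRETTY_PRINT);
echo $report, PHP_EOL;
echo 'redacted report leaks secret: ', var_export(reportLeaksSecret($report, $raw['match']), true), PHP_EOL;

// Unredacted report (what a buggy exporter would produce): the gate must catch it.
$unsafe = json_encode([$raw]);
echo 'raw report leaks secret: ', var_export(reportLeaksSecret($unsafe, $raw['match']), true), PHP_EOL;
```

The point of the second function is the part people skip: redaction can be correct in the finding object and still be undone by a report writer that falls back to the raw match, so the check runs over the serialized artifact, in every encoding the report formats use, rather than over the in-memory finding. The path and line fields are deliberately left in the redacted entry, because that is exactly the residual information the paragraph above warns about.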

If gruff reports a real secret:

  1. Rotate or revoke the secret first.
  2. Remove it from source history if required by your incident process.
  3. Add a baseline or allowlist only after confirming the value is not live.

Do not use allowlists.secretPreviews to hide active credentials.
