We appreciate your efforts to responsibly disclose vulnerabilities and help us improve the security of this project.
To report a security issue, please use the GitHub Security Advisory "Report a Vulnerability" tab.
We will send a response indicating the next steps in handling your report. After the initial reply we will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
Report security bugs in third-party modules to the person or team maintaining the module.
This repository is a community-health and automation control plane; it is not a versioned published package. Security updates apply to the current state of main.
| Branch | Supported |
|---|---|
| main | ✅ |
- CodeQL — PR + weekly vulnerability analysis
- Dependency Review — blocks PRs introducing known-vulnerable packages
- OpenSSF Scorecard — weekly supply-chain posture assessment
- Renovate — automated dependency updates including security patches
Branch protection, required checks, and secret scanning are configured in .github/settings.yml and applied via the Update Repo Settings workflow.