Skip to content

Security: handlecusion/bluewright

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

If you find a vulnerability in Bluewright, do not include exploit details in a public issue. Use GitHub private vulnerability reporting if it is available for the repository, or open a minimal issue asking the maintainer to coordinate a private report channel.

Include:

  • affected command or module
  • impact summary
  • reproduction steps, if safe to share privately
  • suggested fix or mitigation, if known

Public Repository Safety

Bluewright workflows run on GitHub-hosted runners for public pull request events. Avoid running untrusted fork pull requests on persistent self-hosted runners because workflow code can execute on the runner machine.

Secrets

Bluewright reads GITHUB_TOKEN or GH_TOKEN only when cloning private GitHub repositories or reviewing pull requests. Do not commit tokens, generated artifacts, local cache directories, or downloaded repositories.

There aren't any published security advisories