Security updates are provided for the latest release and the default branch (e.g. main). We recommend always using the latest release or the pinned ref your workflow checks out.

| Version / branch | Supported |
|---|---|
| Latest release | ✅ |
| Default branch | ✅ |
| Older releases | ❌ |
Please do not report security vulnerabilities in public issues. Report them privately so we can fix them before disclosure.

- Preferred: Use GitHub Security Advisories (click "Report a vulnerability" on the Security tab). This keeps the report private and allows coordinated disclosure.
- Alternative: Email the maintainers privately if you cannot use GitHub, using the contact details in the repository or organization profile.
When reporting, please include:

- A clear description of the vulnerability and its impact.
- Steps to reproduce (or a proof of concept), if possible.
- Affected version(s) or commit range.
- Any suggested fix or reference, if you have one.
What to expect after you report:

- Acknowledgment: We aim to acknowledge your report within 48–72 hours.
- Updates: We will keep you informed of progress and of any decision (accepted / declined / duplicate).
- Fix and disclosure: We follow coordinated disclosure. We will work on a fix and plan a release and security advisory; we ask that you do not make the issue public until a fix is available or we agree on a disclosure date (typically within 90 days of the report).
- Credit: We are happy to credit you in the advisory and release notes unless you prefer to remain anonymous.
Thank you for helping keep AI-SAST and its users safe.