We actively support the following versions of the SCAN Gradle Plugin with security updates:

We take the security of the SCAN Gradle Plugin seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via email to: <>

If you prefer, you can also report vulnerabilities through our private security contact form at: [Contact Form Link]

Please include the following information in your report:

• Description: A clear description of the vulnerability
• Impact: What kind of impact the vulnerability might have
• Reproduction: Step-by-step instructions to reproduce the issue
• Affected Versions: Which versions of the plugin are affected
• Environment: Details about your environment (Gradle version, OS, etc.)
• Proof of Concept: If possible, include a minimal proof of concept
• Suggested Fix: If you have ideas for how to fix the issue

• Initial Response: We will acknowledge receipt of your report within 48 hours
• Status Update: We will provide a detailed response within 7 days indicating next steps
• Resolution: We aim to resolve critical vulnerabilities within 30 days
• Disclosure: We will coordinate with you on the timing of public disclosure

When a security vulnerability is confirmed:

1. Patch Development: We develop and test a fix
2. Security Advisory: We prepare a security advisory
3. Release: We release patched versions for all supported releases
4. Notification: We notify users through:
   • GitHub Security Advisories
   • Release notes
   • Project documentation updates
   • Community channels (if applicable)

• Keep Updated: Always use the latest supported version
• Secure Configuration: Review your scan configuration files for sensitive data
• Access Control: Restrict access to scan reports and configuration files
• CI/CD Security: Ensure your CI/CD pipelines handle scan results securely

• Version Control: Be careful not to commit actual secrets in custom pattern files
• Testing: Use placeholder values when testing custom patterns
• Distribution: Avoid sharing pattern files that might contain sensitive regex patterns

• Storage: Store scan reports securely and limit access
• Transmission: Use secure channels when sharing scan results
• Retention: Implement appropriate retention policies for scan reports
• Redaction: Consider redacting sensitive parts of reports when sharing

• The plugin scans files in your project directory structure
• Scan results may contain sensitive information fragments
• The plugin does not transmit data externally by default

• We regularly audit our dependencies for known vulnerabilities
• Security updates for dependencies are prioritized
• We maintain a minimal dependency footprint

• The plugin requires read access to your project files
• Scan configuration files should be protected appropriately
• Generated reports may contain sensitive data snippets

• Entropy-based Detection: Identifies high-entropy strings that may be secrets
• Context-aware Scanning: Reduces false positives by understanding code context
• Configurable Sensitivity: Allows tuning detection sensitivity
• Whitelist Support: Enables exclusion of known safe patterns

• Local Processing: All scanning happens locally on your machine
• No Data Transmission: The plugin doesn't send data to external servers
• Configurable Output: You control what information appears in reports

We follow responsible disclosure practices:

1. Private Reporting: Initial reports should be made privately
2. Investigation Period: We investigate and develop fixes privately
3. Coordinated Release: We coordinate public disclosure with reporters
4. Credit: We provide appropriate credit to security researchers

• Critical Vulnerabilities: 90 days maximum from initial report
• High Severity: 120 days maximum from initial report
• Medium/Low Severity: 180 days maximum from initial report

Earlier disclosure may occur if:

• A fix is available and deployed
• The vulnerability becomes publicly known
• The reporter agrees to earlier disclosure

• Security Email: <>
• GPG Key: [Public GPG Key for encrypted communications]
• Security Team: [@security-team-handle]

For general questions about this security policy, please open a public issue on our GitHub repository.

We would like to thank the following individuals for responsibly disclosing security vulnerabilities:

No security reports have been received yet.

Last Updated: 02.07.2025
Policy Version: 1.0

This security policy is inspired by industry best practices and will be updated as our project evolves.