The project is pre-1.0. Security fixes are applied to main first and released in the next SemVer tag when releases are cut.
Use GitHub's private vulnerability reporting for this repository when available:
https://github.com/RandomCodeSpace/code-signal/security/advisories/new
If GitHub private reporting is unavailable, email the maintainer with subject prefix [code-signal security] and include:
- affected version or commit,
- reproduction steps,
- expected impact,
- whether the issue is public anywhere else.
Do not file public issues for unpatched vulnerabilities.
The maintainer aims to acknowledge vulnerability reports within 72 hours and provide initial triage within 7 days. Confirmed high or critical issues are fixed before normal feature work.
code-signal is a local developer/CI CLI. It reads local source files and local git objects and emits aggregate reports. It must not make scanner-owned network calls, perform telemetry, download rules, install packages, or invoke external analyzers during scans.
Reports intentionally omit file-level findings, source snippets, line numbers, columns, clone groups, and per-file statistics to reduce accidental source disclosure.