Skip to content

Security: RandomCodeSpace/code-signal

SECURITY.md

Security Policy

Supported versions

The project is pre-1.0. Security fixes are applied to main first and released in the next SemVer tag when releases are cut.

Reporting a vulnerability

Use GitHub's private vulnerability reporting for this repository when available:

https://github.com/RandomCodeSpace/code-signal/security/advisories/new

If GitHub private reporting is unavailable, email the maintainer with subject prefix [code-signal security] and include:

  • affected version or commit,
  • reproduction steps,
  • expected impact,
  • whether the issue is public anywhere else.

Do not file public issues for unpatched vulnerabilities.

Response target

The maintainer aims to acknowledge vulnerability reports within 72 hours and provide initial triage within 7 days. Confirmed high or critical issues are fixed before normal feature work.

Security model

code-signal is a local developer/CI CLI. It reads local source files and local git objects and emits aggregate reports. It must not make scanner-owned network calls, perform telemetry, download rules, install packages, or invoke external analyzers during scans.

Reports intentionally omit file-level findings, source snippets, line numbers, columns, clone groups, and per-file statistics to reduce accidental source disclosure.

There aren't any published security advisories