This project is currently in early development (0.1.x). Only the latest
release line receives security fixes.
| Version | Supported |
|---|---|
0.1.x |
✅ |
< 0.1 |
❌ |
If you find a security issue:
- Do not open a public GitHub issue.
- Use GitHub's private security advisory flow: repo → Security → Report a vulnerability. This keeps the report private until coordinated disclosure.
- Include:
- a clear description of the issue
- reproduction steps or a minimal proof-of-concept
- the affected version (
maintainability-agent --version) - your proposed severity (CVSS or informal)
You will receive an acknowledgement within 5 business days. If a fix is warranted, expect a coordinated disclosure timeline of up to 90 days depending on complexity.
This project runs deterministic static analysis against a local git repository and produces Markdown / JSON / SARIF artifacts. It does not execute scanned code, send any code to LLMs, or transmit data over the network unless the user explicitly opts in.
In-scope:
- arbitrary-write or arbitrary-read on the host filesystem outside the
configured
--root - shell-injection in any
gitcommand or subprocess call - prototype pollution / unsafe-deserialization in JSON / SARIF parsers
- denial-of-service via crafted config files or repository inputs
- secret leakage in generated reports
Out-of-scope:
- vulnerabilities in third-party analyzers whose output you ingest via
--sarif-input(report those upstream) - general code-quality findings — those belong in normal issues
- correctness bugs in the metrics themselves (file the issue or a PR)