| Version | Supported |
|---|---|
| main | Yes |
If you discover a security vulnerability in this repository, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead:
- Go to the Security Advisories page
- Click "Report a vulnerability"
- Provide as much detail as possible:
- Description of the vulnerability
- Steps to reproduce
- Affected components (workflows, hooks, agents, etc.)
- Potential impact
- Acknowledgment: Within 48 hours
- Assessment: Within 1 week
- Fix: Depends on severity — critical issues are prioritized
This security policy covers:
- GitHub Actions workflows
- Hook scripts
- DevContainer configuration
- Any secrets handling patterns or examples in documentation
When using this toolkit in your repositories:
- Never commit secrets — use GitHub repository secrets or environment variables
- Review hook scripts before enabling them — they execute on your machine
- Pin workflow versions — use
@shaor@taginstead of@mainin production - Audit MCP servers — review MCP server packages before connecting them to your editor
- Restrict PAT scopes — grant only the minimum permissions needed