We take security vulnerabilities seriously. If you discover a security vulnerability in Devgraph CLI, please report it privately.

1. Email: Send details to [email protected]
2. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

• Acknowledgment: Within 24 hours
• Initial Assessment: Within 72 hours
• Resolution: Security fixes are prioritized and typically released within 7 days for critical issues

1. Triage: We assess the severity and impact
2. Fix Development: We develop and test a fix
3. Disclosure: We coordinate disclosure with the reporter
4. Release: Security fix is released with advisory

• Uses OIDC (OpenID Connect) for secure authentication
• JWT tokens with proper validation
• Automatic token refresh with secure storage
• Environment-based access controls

• Credentials stored in OS-specific secure locations
• No sensitive data in logs
• HTTPS for all API communications
• Private module handling with secure Git configuration

• Static Analysis: Gosec, CodeQL, and GoLint security rules
• Dependency Scanning: Govulncheck for known vulnerabilities
• Secret Scanning: TruffleHog for committed secrets
• License Compliance: Automated license checking
• SARIF Reports: Security findings uploaded to GitHub Security tab

• Pinned Actions: All GitHub Actions use specific versions
• Minimal Permissions: Workflows use least-privilege principle
• Secret Management: Secure handling of build secrets
• Supply Chain: Dependency review on all PRs

• Security Linting: Comprehensive golangci-lint configuration
• Error Handling: Mandatory error checking with errcheck
• Input Validation: All user inputs validated
• Safe Defaults: Secure-by-default configuration

Run security scans locally:

# Run all security checks
make security

# Individual security scans
make vuln-check          # Vulnerability scanning
golangci-lint run        # Static analysis with security rules
go install github.com/securecodewarrior/gosec/cmd/gosec@latest
gosec ./...              # Gosec security scanner

• Keep CLI updated to latest version
• Verify binary checksums when downloading
• Use environment-specific configurations
• Regularly rotate authentication tokens
• Report suspicious behavior immediately

• Follow secure coding practices
• Run security scans before committing
• Never commit secrets or credentials
• Use parameterized queries for any database operations
• Validate all inputs and sanitize outputs
• Implement proper error handling

• Uses local redirect server on localhost:8080
• Tokens stored in OS keychain/credential manager
• PKCE (Proof Key for Code Exchange) used for additional security

• All API calls use HTTPS
• Certificate validation enforced
• Timeout configurations prevent hanging requests

• Configuration files have restricted permissions
• Temporary files cleaned up after use
• Path traversal protection implemented

Security updates are released as patch versions and communicated through:

• GitHub Security Advisories
• Release notes with [SECURITY] prefix
• Email notifications to registered users (if applicable)

For security-related questions or concerns:

• Security Team: [email protected]
• General Support: [email protected]

We appreciate security researchers who responsibly disclose vulnerabilities and help improve Devgraph CLI's security posture.