If you discover a security vulnerability in @emisso/security, please report it responsibly:
- Do NOT open a public issue.
- Email security@emisso.ai with details of the vulnerability.
- Include steps to reproduce and potential impact.
- We will acknowledge receipt within 48 hours and provide a timeline for a fix.
This policy covers the @emisso/security SDK, CLI, and GitHub Action. Points to be aware of when using them:
- Provider credentials — API keys passed to providers (Claude, Codex) are never logged or persisted.
- SARIF output — May contain code snippets from scanned repositories. Treat SARIF files as sensitive.
- Rule execution — Rules are markdown files parsed locally. Custom rules are not executed as code.
- CLI arguments — API keys should be passed via environment variables, not CLI flags. Command-line arguments are visible to other users on the same host through process listings (for example `ps`) and are typically written to shell history; environment variables are not exposed that way.
Supported versions:

| Version | Supported |
|---|---|
| 0.1.x | Yes |