Skip to content

feat: add SECURITY.md with vulnerability disclosure policy#28

Merged
shenxianpeng merged 1 commit into
mainfrom
feature/enhance-security-policy
Jul 9, 2026
Merged

feat: add SECURITY.md with vulnerability disclosure policy#28
shenxianpeng merged 1 commit into
mainfrom
feature/enhance-security-policy

Conversation

@shenxianpeng

@shenxianpeng shenxianpeng commented Jul 9, 2026

Copy link
Copy Markdown
Member

Simplified the org-level SECURITY.md following the style of cpp-linter/.github/SECURITY.md.

Changes:

  • Reporting a Vulnerability: Use GitHub Private Vulnerability Reporting link, with instructions to replace REPO with the actual repo name
  • Supported Versions: Only latest release receives security patches

From GAP_ANALYSIS_REPORT.md P0 Gap 1 — Missing security policy and vulnerability disclosure process

Summary by CodeRabbit

  • Documentation
    • Updated security vulnerability reporting instructions to use GitHub’s private reporting feature.
    • Clarified that only the latest release receives security patches.

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

SECURITY.md now directs vulnerability reports to GitHub’s private reporting page and states that only the latest release receives security patches.

Changes

Security Policy

Layer / File(s) Summary
Reporting and support guidance
SECURITY.md
Replaces email-based vulnerability reporting instructions with GitHub private vulnerability reporting guidance and updates the supported-version policy to cover only the latest release.

Estimated code review effort: 1 (Trivial) | ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the change to introduce a SECURITY.md vulnerability disclosure policy.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feature/enhance-security-policy

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Commit-Check ✔️

@shenxianpeng shenxianpeng force-pushed the feature/enhance-security-policy branch from e57d281 to 2d8fd2b Compare July 9, 2026 23:34
@shenxianpeng shenxianpeng changed the title feat: enhance SECURITY.md with comprehensive vulnerability disclosure policy feat: add SECURITY.md with vulnerability disclosure policy Jul 9, 2026
@shenxianpeng shenxianpeng merged commit 8170108 into main Jul 9, 2026
4 checks passed
@shenxianpeng shenxianpeng deleted the feature/enhance-security-policy branch July 9, 2026 23:35

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@SECURITY.md`:
- Around line 5-9: Replace the placeholder REPO in the GitHub private
vulnerability reporting URL within SECURITY.md with valid repository-specific
advisory links for commit-check, commit-check-action, and commit-check-mcp, or
clearly provide separate links for each repository.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 70da7989-4ab8-409a-ac79-bf7394f379d9

📥 Commits

Reviewing files that changed from the base of the PR and between 4a68c86 and 2d8fd2b.

📒 Files selected for processing (1)
  • SECURITY.md

Comment thread SECURITY.md
Comment on lines +5 to +9
If you discover a security vulnerability, please **do not** open a public
issue. Instead, report it privately via
[GitHub's private vulnerability reporting](https://github.com/commit-check/REPO/security/advisories/new)
on the affected repository (replace `REPO` with the actual repository name:
`commit-check`, `commit-check-action`, `commit-check-mcp`).

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== SECURITY.md ==\n'
if [ -f SECURITY.md ]; then
  cat -n SECURITY.md
else
  echo "SECURITY.md not found"
fi

printf '\n== Repo root files ==\n'
git ls-files | sed -n '1,200p'

printf '\n== Search for security reporting links and repo names ==\n'
rg -n "security/advisories/new|commit-check|REPO|private vulnerability" -S .

Repository: commit-check/.github

Length of output: 3483


Use a real repository slug in the advisory link. The current URL still contains REPO, so reporters won’t reach the advisories page. Replace it with the affected repository name for commit-check, commit-check-action, and commit-check-mcp, or provide separate repo-specific links.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@SECURITY.md` around lines 5 - 9, Replace the placeholder REPO in the GitHub
private vulnerability reporting URL within SECURITY.md with valid
repository-specific advisory links for commit-check, commit-check-action, and
commit-check-mcp, or clearly provide separate links for each repository.

Source: MCP tools

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant