Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 8 additions & 13 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -1,21 +1,16 @@
# Security Policy

If you find a security vulnerability in any Commit Check project, please report it privately.

## Reporting a Vulnerability

**Do not open a public GitHub issue.** Instead, send an email to:

**[xianpeng.shen@gmail.com](mailto:xianpeng.shen@gmail.com)**

Please include:

- Which project and version is affected
- A description of the issue and its impact
- Steps to reproduce (or a proof of concept)
If you discover a security vulnerability, please **do not** open a public
issue. Instead, report it privately via
[GitHub's private vulnerability reporting](https://github.com/commit-check/REPO/security/advisories/new)
on the affected repository (replace `REPO` with the actual repository name:
`commit-check`, `commit-check-action`, `commit-check-mcp`).
Comment on lines +5 to +9

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== SECURITY.md ==\n'
if [ -f SECURITY.md ]; then
  cat -n SECURITY.md
else
  echo "SECURITY.md not found"
fi

printf '\n== Repo root files ==\n'
git ls-files | sed -n '1,200p'

printf '\n== Search for security reporting links and repo names ==\n'
rg -n "security/advisories/new|commit-check|REPO|private vulnerability" -S .

Repository: commit-check/.github

Length of output: 3483


Use a real repository slug in the advisory link. The current URL still contains REPO, so reporters won’t reach the advisories page. Replace it with the affected repository name for commit-check, commit-check-action, and commit-check-mcp, or provide separate repo-specific links.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@SECURITY.md` around lines 5 - 9, Replace the placeholder REPO in the GitHub
private vulnerability reporting URL within SECURITY.md with valid
repository-specific advisory links for commit-check, commit-check-action, and
commit-check-mcp, or clearly provide separate links for each repository.

Source: MCP tools


You will receive an acknowledgment within 48 hours, followed by a plan for resolution.
We'll respond as quickly as possible and keep you updated throughout the
process.

## Supported Versions

Only the latest release of each project receives security patches. Please keep your dependencies up to date.
Only the latest release of each project receives security patches.