We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating:
| Version | Supported | Status |
|---|---|---|
| latest | ✅ | Active development |
| < 1.0 | ❌ | Not supported |
We take the security of our pre-commit hooks seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via one of the following methods:
- GitHub Security Advisories: Create a security advisory (preferred)
- Email: Send details to security@[maintainer-email].com
Please include the following information to help us triage your report quickly:
- Type of issue (e.g., command injection, path traversal, privilege escalation)
- Full paths of source file(s) related to the issue
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
- Initial Response: Within 48 hours
- Triage & Analysis: Within 7 days
- Resolution: Depends on severity
  - Critical: Within 24-48 hours
  - High: Within 7 days
  - Medium: Within 30 days
  - Low: Within 90 days
When developing or contributing hooks, please follow these security guidelines:
- Always validate and sanitize user inputs
- Use proper quoting for shell variables: `"$var"`, not `$var`
- Avoid using `eval` or similar dynamic execution
- Use absolute paths where possible
- Validate file paths to prevent directory traversal
- Check file permissions before operations
- Avoid constructing shell commands from user input
- Use command arrays instead of strings where possible
- Validate command existence before execution
- Never hardcode secrets or credentials
- Use environment variables for sensitive data
- Ensure secrets are not logged or displayed
- Verify external tool versions and compatibility
- Use specific versions rather than "latest"
- Check tool signatures/checksums when downloading
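The following is an added example, not a hook shipped by this project, showing how the guidelines above look in a bash hook body: a pure string check that rejects absolute paths and `..` components before any file is touched, a `command -v` check before an external tool is invoked, a bash array (never `eval` or a concatenated string) to pass file names through unchanged, and a SHA-256 comparison for a downloaded artifact. The function names (`is_safe_relpath`, `require_tool`, `run_on_files`, `verify_checksum`) and the sample file are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example (not the project's own code): hook-style helpers that apply
# the quoting, path-validation, command-array and checksum guidelines.
set -euo pipefail

# Returns 0 only for a plain relative path that stays inside the repository
# tree: no leading "/", no ".." component, no embedded newline. This is a
# pure string check, so it cannot be confused by symlinks or missing files.
is_safe_relpath() {
  local p="$1"
  [ -n "$p" ] || return 1
  case "$p" in
    /*) return 1 ;;          # absolute path: outside the repo by definition
    *$'\n'*) return 1 ;;     # newline would break line-based file lists
  esac
  case "/$p/" in
    */../*) return 1 ;;      # any ".." component can escape the tree
  esac
  return 0
}

# Validate that an external tool exists before the hook depends on it,
# rather than failing halfway through with a confusing error.
require_tool() {
  command -v "$1" >/dev/null 2>&1
}

# Run TOOL over FILE... with each file passed as its own argument.
# The command is a bash array, so names with spaces or glob characters are
# never re-split or expanded, and no string is ever handed to eval.
run_on_files() {
  local tool="$1"; shift
  local -a cmd=("$tool")
  local f
  for f in "$@"; do
    is_safe_relpath "$f" || { printf 'refusing unsafe path: %s\n' "$f" >&2; return 2; }
    [ -f "$f" ] || { printf 'not a regular file: %s\n' "$f" >&2; return 2; }
    cmd+=("$f")
  done
  require_tool "$tool" || { printf 'missing tool: %s\n' "$tool" >&2; return 127; }
  "${cmd[@]}"
}

# Compare a downloaded file against a published SHA-256 digest (lowercase hex).
# Falls back to shasum on systems without GNU coreutils. Returns 0 on match.
verify_checksum() {
  local file="$1" expected="$2" actual
  if require_tool sha256sum; then
    actual="$(sha256sum "$file" | cut -d' ' -f1)"
  else
    actual="$(shasum -a 256 "$file" | cut -d' ' -f1)"
  fi
  [ "$actual" = "$expected" ]
}

# Usage sketch (constructed sample, not real project files):
#   git diff --cached --name-only -z | xargs -0 -r bash -c 'run_on_files shellcheck "$@"' _
#   verify_checksum ./tool.tar.gz "<digest from the release page>" || exit 1
```

Because `is_safe_relpath` never consults the filesystem, it is safe to call on untrusted names straight from `git diff --name-only`; the `-f` test in `run_on_files` then excludes directories, sockets and dangling symlinks before the tool sees them.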
Our repository uses several security tools in CI/CD:
- Trivy: Vulnerability scanning
- Gitleaks/TruffleHog: Secret detection
- ShellCheck: Shell script analysis
- CodeQL: Static analysis
- Dependabot: Dependency updates
After a security vulnerability is fixed:
- We will publish a security advisory
- Credit will be given to the reporter (unless anonymity is requested)
- Details will be shared to help the community
When using these pre-commit hooks:
- Review hooks before use: Examine the source code
- Use specific versions: Pin to tagged releases
- Limit permissions: Run with minimal required privileges
- Monitor updates: Subscribe to security advisories
- Report issues: Help us maintain security
For any security-related questions that don't involve reporting a vulnerability, please open a discussion.
This security policy is adapted from the GitHub Security Policy template.