This document expands on the top-level SECURITY.md with implementation details.

## Credential handling

- bkt never stores plaintext credentials under version control. Tokens are read
  from `$XDG_CONFIG_HOME/bkt/config.yml` with permissions `0600`.
- For development, set `BKT_CONFIG_DIR` to a throwaway directory.
- Never commit test credentials. Use environment variables or the
  `internal/config/testdata` fixtures when unit testing.
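The `0600` requirement above is only useful if the program enforces it before it reads the token. The following Go snippet is an added example (not bkt's own code) of how a CLI can refuse an over-permissive credential file. It honours the `BKT_CONFIG_DIR` override and otherwise falls back to `$XDG_CONFIG_HOME/bkt/config.yml` (and `~/.config` when `XDG_CONFIG_HOME` is unset, per the XDG Base Directory default); placing `config.yml` directly under `BKT_CONFIG_DIR`, and the function names `configPath`, `checkMode` and `readCredentials`, are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// ErrInsecurePerms is returned when the credential file is readable or
// writable by anyone other than its owner.
var ErrInsecurePerms = errors.New("config file permissions are too permissive")

// configPath resolves the credential file location. BKT_CONFIG_DIR (the
// development override the policy describes) wins; otherwise the XDG
// location $XDG_CONFIG_HOME/bkt/config.yml is used, with ~/.config as the
// default when XDG_CONFIG_HOME is unset. Placing config.yml directly under
// BKT_CONFIG_DIR is an assumption of this example, not documented bkt behaviour.
func configPath() (string, error) {
	if dir := os.Getenv("BKT_CONFIG_DIR"); dir != "" {
		return filepath.Join(dir, "config.yml"), nil
	}
	base := os.Getenv("XDG_CONFIG_HOME")
	if base == "" {
		home, err := os.UserHomeDir()
		if err != nil {
			return "", err
		}
		base = filepath.Join(home, ".config")
	}
	return filepath.Join(base, "bkt", "config.yml"), nil
}

// checkMode accepts only a regular file whose mode grants nothing to group
// or others, i.e. 0600 or stricter.
func checkMode(name string, info os.FileInfo) error {
	if !info.Mode().IsRegular() {
		return fmt.Errorf("%s: not a regular file", name)
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("%w: %s has mode %04o, want 0600", ErrInsecurePerms, name, perm)
	}
	return nil
}

// readCredentials first Lstat's the path so a symlink to some other file is
// rejected, then re-checks the mode on the descriptor it actually reads from
// (Stat on the open file), so the check and the read cannot be separated by
// a rename of the path in between.
func readCredentials(path string) ([]byte, error) {
	lst, err := os.Lstat(path)
	if err != nil {
		return nil, err
	}
	if err := checkMode(path, lst); err != nil {
		return nil, err
	}
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return nil, err
	}
	if err := checkMode(path, info); err != nil {
		return nil, err
	}
	return io.ReadAll(f)
}

func main() {
	path, err := configPath()
	if err == nil {
		_, err = readCredentials(path)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "bkt:", err)
		os.Exit(1)
	}
	fmt.Println("credentials loaded from", path)
}
```

Failing loudly here is deliberate: a token file that has drifted to `0644` (for example after a careless `cp`) is a finding the user should see at once, not something the tool quietly keeps using.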
## Dependency hygiene

- Dependabot is enabled for Go modules and GitHub Actions (`.github/dependabot.yml`).
- Run `go list -m -u all` periodically to spot stale modules.
- CI runs OpenSSF Scorecard weekly.
## Release integrity

- Release artifacts are built with GoReleaser (`goreleaser.yaml`).
- Each release publishes a checksum manifest and an SBOM generated via Syft.
- Container images (if built) are signed with cosign and accompanied by an SBOM.
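A checksum manifest only protects users who verify it. As an added example (not part of the bkt project), the Go program below checks downloaded artifacts against a manifest in the `<hex-sha256>  <filename>` line format that `sha256sum` produces and GoReleaser's checksums file follows. It treats an artifact that is absent from the manifest as a failure rather than skipping it, so an extra file cannot ride along unverified. The function names and the `checksums.txt` file name are assumptions of the example.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// parseManifest reads "<hex-sha256>  <filename>" lines into a map from bare
// filename to lower-case expected digest. Blank lines and '#' comments are
// skipped; anything else malformed aborts the whole verification.
func parseManifest(r io.Reader) (map[string]string, error) {
	want := map[string]string{}
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("line %d: malformed manifest entry", n)
		}
		if _, err := hex.DecodeString(fields[0]); err != nil {
			return nil, fmt.Errorf("line %d: bad hex digest: %w", n, err)
		}
		// sha256sum marks binary-mode entries with a leading '*'.
		name := strings.TrimPrefix(fields[1], "*")
		if filepath.Base(name) != name {
			return nil, fmt.Errorf("line %d: manifest must list bare filenames, got %q", n, name)
		}
		want[name] = strings.ToLower(fields[0])
	}
	return want, sc.Err()
}

// fileSHA256 streams the file through SHA-256 so large archives need not be
// held in memory.
func fileSHA256(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// verifyArtifacts checks each artifact against the manifest and returns the
// first mismatch, unlisted file, or read error as a non-nil error.
func verifyArtifacts(manifestPath string, artifacts []string) error {
	f, err := os.Open(manifestPath)
	if err != nil {
		return err
	}
	defer f.Close()
	want, err := parseManifest(f)
	if err != nil {
		return fmt.Errorf("%s: %w", manifestPath, err)
	}
	for _, p := range artifacts {
		name := filepath.Base(p)
		expected, ok := want[name]
		if !ok {
			return fmt.Errorf("%s: not listed in manifest", name)
		}
		got, err := fileSHA256(p)
		if err != nil {
			return err
		}
		if got != expected {
			return fmt.Errorf("%s: sha256 mismatch (manifest %s, file %s)", name, expected, got)
		}
	}
	return nil
}

func main() {
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: verify <checksums.txt> <artifact>...")
		os.Exit(2)
	}
	if err := verifyArtifacts(os.Args[1], os.Args[2:]); err != nil {
		fmt.Fprintln(os.Stderr, "verification failed:", err)
		os.Exit(1)
	}
	fmt.Println("all artifacts match the manifest")
}
```

Note that this only proves the artifact matches the manifest; whether the manifest itself is trustworthy depends on obtaining it over an authenticated channel or, for container images, on the cosign signature mentioned above.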
## Handling a vulnerability report

- Triage the report and reproduce the issue.
- Assign a severity (CVSS) and determine the affected versions.
- Prepare a patch on a private branch. Request a security review from another maintainer.
- Tag a release with the fix and update `CHANGELOG.md` with mitigation steps.
- Notify the reporter and disclose publicly within seven days of the fix.
## Contact

Email qrstuff@gmail.com. We prefer coordinated disclosure.