
Security: MistanKh/relsec


SECURITY.md

Security and Privacy

relevant is designed as a local-first security relevance CLI.

Local-First Behavior

  • CVE relevance analysis runs against local manifests, inventory files, source files, SBOMs, and logs.
  • IOC scans read local log files directly.
  • No telemetry is collected.
  • No project files, logs, indicators, or results are uploaded by default.

Network Access

The current CLI does not make network requests during normal scans.

The import osv command fetches public advisory data from OSV only when explicitly requested by the user. It sends discovered package names, ecosystems, and versions to the configured OSV API endpoint and writes the normalized advisory records to a local file for later offline scans.
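As an added illustration (not relsec's own code) of what an OSV import like the one described above sends and keeps: the request body uses the public OSV API v1 querybatch field names, while the local record layout, the sample inventory and advisory, and the dotted-numeric version comparison are assumptions constructed for this example.

```python
# Constructed inventory and OSV-shaped response; the advisory id is a placeholder.
SAMPLE_PACKAGES = [
    {"name": "examplelib", "ecosystem": "PyPI", "version": "1.2.0"},
    {"name": "otherlib", "ecosystem": "npm", "version": "3.0.1"},
]
SAMPLE_OSV_RESPONSE = {"vulns": [{"id": "OSV-EXAMPLE-0001", "affected": [{
    "package": {"ecosystem": "PyPI", "name": "examplelib"},
    "ranges": [{"type": "ECOSYSTEM",
                "events": [{"introduced": "1.0.0"}, {"fixed": "1.3.0"}]}]}]}]}

def build_osv_querybatch(packages):
    """Body for POST api.osv.dev/v1/querybatch: only name, ecosystem, version are sent."""
    return {"queries": [{"package": {"name": p["name"], "ecosystem": p["ecosystem"]},
                         "version": p["version"]} for p in packages]}

def normalize_osv(response):
    """Flatten OSV 'affected' ranges into local records (layout is an assumption)."""
    records = []
    for vuln in response.get("vulns", []):
        for aff in vuln.get("affected", []):
            pkg = aff["package"]
            base = {"id": vuln["id"], "name": pkg["name"], "ecosystem": pkg["ecosystem"]}
            for rng in aff.get("ranges", []):
                if rng.get("type") not in ("SEMVER", "ECOSYSTEM"): continue  # GIT ranges need commits
                introduced = None
                for ev in rng.get("events", []):  # events come in introduced/fixed pairs
                    if "introduced" in ev:
                        introduced = ev["introduced"]
                    elif "fixed" in ev and introduced is not None:
                        records.append({**base, "introduced": introduced, "fixed": ev["fixed"]})
                        introduced = None
                if introduced is not None:  # open-ended range: no fix published yet
                    records.append({**base, "introduced": introduced, "fixed": None})
    return records

def _ver(s):
    return tuple(int(x) for x in s.split("."))  # dotted-numeric only (assumption, not PEP 440)

def match_offline(records, packages):
    """Offline scan against saved records: hit when introduced <= version < fixed."""
    hits = []
    for p in packages:
        for r in records:
            if (r["name"], r["ecosystem"]) != (p["name"], p["ecosystem"]):
                continue
            v = _ver(p["version"])
            if v >= _ver(r["introduced"]) and (r["fixed"] is None or v < _ver(r["fixed"])):
                hits.append((p["name"], p["version"], r["id"]))
    return hits
```

The querybatch body is the complete set of fields that would leave the machine; everything after the fetch runs against the saved records without further network access.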

Future advisory import commands must document the target source and the identifiers being requested before they are enabled by default.

Sensitive Data

The tool may process sensitive local logs, secrets, inventories, and source code. Treat generated reports as sensitive unless reviewed.

The secrets module redacts obvious secret values in output, but it is heuristic and not a substitute for a dedicated secret-scanning product.

Detector Limitations

  • CVE relevance depends on available advisory data, manifest coverage, inventory accuracy, and simple symbol reachability.
  • YARA support currently handles literal string rules. It is not a full YARA engine.
  • Sigma support currently handles simple keyword-style rules. It is not a full Sigma backend.
  • CloudTrail and auth modules use deterministic heuristics for local triage.
  • False positives and false negatives are expected.

Reporting Vulnerabilities

Before public release, use private issue reporting in the repository or contact the maintainer directly. Do not publish exploit details until a fix is available.
