feat: add SECURITY.md with vulnerability disclosure policy#28
Conversation
📝 WalkthroughWalkthroughSECURITY.md now directs vulnerability reports to GitHub’s private reporting page and states that only the latest release receives security patches. ChangesSecurity Policy
Estimated code review effort: 1 (Trivial) | ~3 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Commit-Check ✔️ |
e57d281 to
2d8fd2b
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@SECURITY.md`:
- Around line 5-9: Replace the placeholder REPO in the GitHub private
vulnerability reporting URL within SECURITY.md with valid repository-specific
advisory links for commit-check, commit-check-action, and commit-check-mcp, or
clearly provide separate links for each repository.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
| If you discover a security vulnerability, please **do not** open a public | ||
| issue. Instead, report it privately via | ||
| [GitHub's private vulnerability reporting](https://github.com/commit-check/REPO/security/advisories/new) | ||
| on the affected repository (replace `REPO` with the actual repository name: | ||
| `commit-check`, `commit-check-action`, `commit-check-mcp`). |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n== SECURITY.md ==\n'
if [ -f SECURITY.md ]; then
cat -n SECURITY.md
else
echo "SECURITY.md not found"
fi
printf '\n== Repo root files ==\n'
git ls-files | sed -n '1,200p'
printf '\n== Search for security reporting links and repo names ==\n'
rg -n "security/advisories/new|commit-check|REPO|private vulnerability" -S .Repository: commit-check/.github
Length of output: 3483
Use a real repository slug in the advisory link. The current URL still contains REPO, so reporters won’t reach the advisories page. Replace it with the affected repository name for commit-check, commit-check-action, and commit-check-mcp, or provide separate repo-specific links.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@SECURITY.md` around lines 5 - 9, Replace the placeholder REPO in the GitHub
private vulnerability reporting URL within SECURITY.md with valid
repository-specific advisory links for commit-check, commit-check-action, and
commit-check-mcp, or clearly provide separate links for each repository.
Source: MCP tools
Simplified the org-level SECURITY.md following the style of cpp-linter/.github/SECURITY.md.
Changes:
REPOwith the actual repo nameFrom GAP_ANALYSIS_REPORT.md P0 Gap 1 — Missing security policy and vulnerability disclosure process
Summary by CodeRabbit