If you discover a security vulnerability in this project, please report it responsibly:

1. Do NOT open a public GitHub issue
2. Email the maintainers directly or use GitHub's private vulnerability reporting feature
3. Include detailed information about the vulnerability:
   • Description of the issue
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

This project implements several security controls:

• Uses execFile and execFileSync instead of exec to prevent shell injection
• Validates all user-provided git references against a strict pattern
• No user input is directly interpolated into shell commands

• All file paths are validated to ensure they remain within the working directory
• Symlinks are resolved and checked against the working directory
• Only .js and .mjs files are allowed for proof-of-concept execution

• Git references are validated with regex patterns
• File paths undergo realpath resolution and boundary checks
• Timeout and buffer limits on executed commands

• PoC execution is limited to Node.js scripts only
• 30-second timeout on PoC execution
• 1MB output buffer limit

This tool is designed to identify security vulnerabilities in code, including:

• Hardcoded secrets
• Injection vulnerabilities (SQL, XSS, Command Injection, SSRF)
• Broken access control
• Insecure data handling
• Authentication issues
• LLM safety concerns
• Privacy violations

When contributing to this project:

1. Never commit secrets or credentials
2. Run security analysis on your changes before submitting PRs
3. Follow secure coding practices
4. Keep dependencies up to date
5. Run npm audit regularly

• Dependencies are regularly updated
• npm audit is run to identify vulnerable dependencies
• Lock files are committed to ensure reproducible builds

This project is licensed under the Apache License 2.0. See LICENSE for details.