
Security: Linuxzsx/vibe-sentinel


SECURITY.md

Security Policy

Supported Versions

vibe-sentinel is currently in v0.1.0-alpha. Security fixes are handled on the main branch until the project reaches a stable release cadence.

| Version      | Supported   |
|--------------|-------------|
| main         | Yes         |
| v0.1.0-alpha | Best effort |

Reporting a Security Issue

If you find a security issue in vibe-sentinel itself, please avoid posting exploit details, real secrets, private repository data, or sensitive payloads in a public issue.

Recommended report content:

  • A short description of the issue type
  • Affected command or surface, such as CLI, Web console, or GitHub Action
  • Minimal reproduction steps using dummy data
  • Expected vs. actual behavior
  • Your environment, including OS and Node.js version

If a public issue is necessary, keep it high level and use placeholders such as dummy-token instead of real credentials.

Scanner Scope

Vibe Sentinel is a lightweight local-first scanner. It does not upload source code, does not install project dependencies, and does not execute the scanned project.

The scanner uses high-signal heuristic rules, so results can include false positives and false negatives. It should complement, not replace, secure code review, dependency scanning, secret scanning, SAST, DAST, penetration testing, or compliance review.

Handling Secrets

Do not paste real credentials into issues, pull requests, examples, screenshots, or test fixtures. If a secret was committed accidentally, rotate it immediately and remove it from Git history using an appropriate secret-removal workflow.

There aren't any published security advisories