Thanks for helping keep ansede-static safe and trustworthy.

| Version | Supported |
|---|---|
| 1.x | ✅ Current |
| < 1.0 | ❌ No longer supported |

- Private security vulnerabilities:
- Non-sensitive bugs / false positives / false negatives:
  - GitHub Issues templates
- General questions:
  - GitHub Discussions

If you discover a security vulnerability in ansede-static, please do not open a public issue.
Instead, use GitHub private vulnerability reporting:
When reporting, please include:
- A description of the vulnerability
- Steps to reproduce
- Impact assessment (if known)
We aim to acknowledge reports within 48 hours and provide a fix within 7 days for critical issues.
Include as much of the following as possible:
- Affected version(s)
- Reproduction steps / minimal sample
- Security impact (confidentiality / integrity / availability)
- Potential CWE mapping (if known)
- Any proposed mitigation or patch direction
ansede-static is a static analysis tool — it reads source code but never executes it. Security concerns include:

- False negatives — missing a real vulnerability in scanned code
- ReDoS — a crafted input causing the regex engine to hang
- Path traversal — if directory scanning follows symlinks outside the intended scope
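The symlink case above is worth showing concretely. The following is an added example written for this policy page, not code from ansede-static: a directory walker that keeps a scan bounded to its root by resolving every candidate path and refusing anything (file or directory symlink) that resolves outside the root. The `scan_files` / `is_within_root` names and the `.py` suffix filter are assumptions for the illustration; `demo()` builds a constructed fixture in a temporary directory so the check can be exercised offline.

```python
import os
import tempfile
from pathlib import Path


def is_within_root(path: Path, root: Path) -> bool:
    """True if the fully resolved path lies inside the resolved scan root.

    Resolving first is the point: a symlink named `leak.py` inside the root
    may point at a file anywhere on the filesystem.
    """
    resolved = path.resolve(strict=False)
    try:
        resolved.relative_to(root.resolve())
        return True
    except ValueError:
        return False


def scan_files(root, suffixes=(".py",), follow_symlinks=False):
    """Walk `root` and return (accepted, skipped) lists of absolute paths.

    Symlinked directories that escape the root are pruned before descent;
    symlinked files that escape the root are reported but not read.
    """
    root = Path(root).resolve()
    accepted, skipped = [], []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=follow_symlinks):
        # Prune in place (topdown walk) so os.walk never enters an escaping link.
        for name in list(dirnames):
            candidate = Path(dirpath) / name
            if candidate.is_symlink() and not is_within_root(candidate, root):
                dirnames.remove(name)
                skipped.append(str(candidate))
        for name in filenames:
            candidate = Path(dirpath) / name
            if candidate.suffix not in suffixes:
                continue
            if not is_within_root(candidate, root):
                skipped.append(str(candidate))
                continue
            accepted.append(str(candidate))
    return accepted, skipped


def demo() -> dict:
    """Constructed fixture: a scan root with in-scope files, a file symlink and a
    directory symlink that both point outside the root, and one symlink that stays
    inside. Returns root-relative, sorted accepted/skipped lists."""
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as scan_root:
        outside_file = Path(outside) / "secret.py"
        outside_file.write_text("TOKEN = 'constructed sample, not real'\n")
        root = Path(scan_root).resolve()
        (root / "app.py").write_text("print('hello')\n")
        (root / "README.md").write_text("docs\n")  # filtered out by suffix
        (root / "pkg").mkdir()
        (root / "pkg" / "mod.py").write_text("x = 1\n")
        os.symlink(outside_file, root / "leak.py")   # file symlink escaping the root
        os.symlink(outside, root / "vendor")         # directory symlink escaping the root
        os.symlink(root / "pkg", root / "pkg_alias")  # symlink that stays inside the root
        accepted, skipped = scan_files(root)
        return {
            "accepted": sorted(os.path.relpath(p, root) for p in accepted),
            "skipped": sorted(os.path.relpath(p, root) for p in skipped),
        }


if __name__ == "__main__":
    print(demo())
```

`pkg_alias` is neither accepted nor skipped: with `follow_symlinks=False` the walker does not descend into it, and because it resolves inside the root it is not flagged either. Passing `follow_symlinks=True` would descend into in-root links while the containment check still blocks the escaping ones.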
We follow coordinated disclosure. If you report a vulnerability, we will:
- Confirm receipt and begin investigation
- Develop and test a fix
- Release a patched version
- Credit you in the release notes (unless you prefer anonymity)
Please avoid posting exploit details publicly until a fix is available.