CheckYourself is local-first and does not run a hosted service, but security reports still matter because the tool handles project context and may inspect files that contain sensitive signals.
The public main branch is the supported version until tagged releases begin.
Please do not post real secrets, private customer data, or exploit details in a public issue.
For now, report security concerns through the GitHub repository by opening an issue with a redacted summary and marking it clearly as security-sensitive. If GitHub private vulnerability reporting is enabled for the repo, use that path instead.
Include:
- what file, command, or workflow is affected;
- why it could expose data or secrets, or lead to unsafe behavior;
- a redacted reproduction;
- the CheckYourself version or commit tested;
- the safest suggested fix, if known.
Security reports should be triaged before normal feature requests.
The maintainer should:
- acknowledge the report;
- reproduce or request the smallest missing evidence;
- patch the issue in the smallest reversible change;
- add or update a test when possible;
- note the fix in the changelog.
CheckYourself output must never include live secret values. If you find a path that prints credentials, treat it as a P0/P1 issue and redact the evidence in the report.