Do not open a public issue for security reports.

• Report privately through repository security advisories.
• Include reproduction details, impact, and affected files/modules.
• If possible, include a minimal proof-of-concept.

• Initial acknowledgement: within 2 business days
• Triage update: within 7 business days
• Remediation plan or mitigation: as soon as validated

• Secret scanning in CI (repo-hygiene workflow with gitleaks)
• Dependency review on pull requests
• Dependabot automation for actions/docker/pip
• Environment-driven runtime credentials in compose
• Policy lint workflow for YAML policy checks

• Never commit .env, key files, or private credentials.
• Use .env.example as template only.
• Rotate runtime secrets regularly.
• Ensure release artifacts include checksum verification.

Run locally:

lake exe security
lake exe validate

These commands are also executed in CI quality gates.