
Security: WRG-11/wrg-devguard


Security Policy

Supported Versions

Version                              Supported
Latest release on PyPI               Yes
Latest published Marketplace action  Yes
Older releases                       No

Reporting a Vulnerability

If you discover a security vulnerability in wrg-devguard (the Python package, the GitHub Marketplace composite action, or this repository's workflows), please report it responsibly.

Do not open a public issue.

Instead, please use GitHub's private vulnerability reporting.

What to include

  • Description of the vulnerability
  • Steps to reproduce
  • Affected surface (PyPI package version / composite action / workflow / docs)
  • Potential impact (data exposure, code execution, privilege escalation, …)
  • Suggested fix or mitigation, if any

Response timeline

  • Acknowledgment: within 48 hours
  • Initial assessment: within 1 week
  • Fix (if confirmed): as soon as practical, typically within 2 weeks

Scope

This policy covers:

  • The wrg-devguard Python package published on PyPI.
  • The composite action defined by action.yml (consumed via uses: WRG-11/wrg-devguard@<tag> in third-party workflows).
  • The CI / publish workflows under .github/workflows/.
  • Bundled scripts under scripts/ (e.g. json_to_sarif.py).

Out of scope (please report upstream):

  • Vulnerabilities in transitive Python dependencies — open an issue with the upstream package and reference that upstream issue here so we can track it.
  • Vulnerabilities in third-party GitHub Actions consumed by our workflows — report to the action maintainers; we will pin / replace as needed.

There aren't any published security advisories