We support the latest minor release and security patches.
| Version | Supported | Notes |
|---|---|---|
| 0.7.0 | ✅ Yes | Current stable release |
| 0.6.x | Security patches only | |
| < 0.6 | ❌ No | Please upgrade to 0.7.0 |
🔒 IMPORTANT: Do not use public GitHub issues for security vulnerabilities.
Report privately via GitHub Security Advisories
- Email: security@pyguard.dev (if configured)
- Direct contact: https://github.com/cboyd0319
- Initial Response: Within 3 business days
- Status Update: Within 7 days
- Resolution Target: 30 days for high/critical issues
We follow coordinated disclosure:
- Researcher reports vulnerability privately
- We confirm and develop fix
- We release patch
- Public disclosure after users have time to update (typically 7-14 days)
A good security report includes:
- Vulnerability Type - What kind of issue (injection, overflow, etc.)
- Affected Component - File paths, functions, or features affected
- Version Information - PyGuard version and Python version
- Steps to Reproduce - Clear, step-by-step instructions
- Proof of Concept - Safe, minimal code demonstrating the issue
- Impact Assessment - Severity, exploitability, and potential damage
- Suggested Fix - Optional, but helpful if you have ideas
- Credit Information - How you'd like to be credited (optional)
## Vulnerability Report
**Type:** [e.g., Command Injection]
**Severity:** [Low/Medium/High/Critical]
**Component:** [e.g., pyguard/lib/scanner.py, line 123]
**Version:** [e.g., PyGuard 0.3.0, Python 3.12]
### Description
[Brief description of the vulnerability]
### Steps to Reproduce
1. [First step]
2. [Second step]
3. [Result]
### Proof of Concept
```python
# Minimal code demonstrating the issue[Who is affected? What can an attacker do?]
[Optional: Your recommendation]
## Handling of secrets
- Never commit secrets. Use environment variables or secret managers.
- Required runtime secrets documented in README (Security section).
- PyGuard scans for hardcoded secrets — review warnings.
## Supply Chain Security
PyGuard implements comprehensive supply chain security measures:
### Release Security
- ✅ **Build Provenance:** Attestations generated via GitHub Actions OIDC
- ✅ **SBOM Generation:** SPDX 2.3 format attached to all releases
- 🔄 **Sigstore Signing:** Planned for future releases
- ✅ **Reproducible Builds:** Deterministic wheel generation
- ✅ **Checksum Verification:** SHA256 checksums for all artifacts
### Dependency Management
- **Total Dependencies:** 14 core packages (see `pyproject.toml`)
- **Version Pinning:** All dependencies pinned with **SHA256 hashes** for tamper protection
- **Hash Verification:** `requirements.txt` and `requirements-dev.txt` include cryptographic hashes
- **Automated Scanning:**
- pip-audit (PyPI Advisory Database)
- OSV-Scanner (Google's Open Source Vulnerabilities)
- Safety DB (security vulnerabilities)
- **Update Strategy:** Dependabot weekly updates with security priority
- **License Compliance:** MIT, Apache-2.0, BSD-2/3-Clause allowed
📚 **See [docs/DEPENDENCY_MANAGEMENT.md](docs/DEPENDENCY_MANAGEMENT.md) for detailed dependency security practices**
### Verification
You can verify PyGuard releases:
```bash
# Download release and verify checksum
wget https://github.com/cboyd0319/PyGuard/releases/download/v0.3.0/pyguard-0.3.0.tar.gz
sha256sum -c checksums.sha256
# Verify SBOM
wget https://github.com/cboyd0319/PyGuard/releases/download/v0.3.0/pyguard-0.3.0.spdx.json
# Review SBOM for dependencies
PyGuard helps you find:
- Hardcoded secrets (API keys, passwords, tokens)
- SQL/Command/NoSQL injection patterns
- Unsafe deserialization (pickle, yaml.load)
- Weak cryptography (MD5, SHA1, DES)
- Path traversal vulnerabilities
- Insecure random number generation
- Review Auto-Fixes - Always review changes before committing
- Keep Updated -
pip install --upgrade pyguardregularly - Backup First - PyGuard creates
.pyguard_backups/automatically - Sandbox Scans - Run in CI/CD, not on production systems
- Review Logs - Check
logs/pyguard.jsonlfor issues - Start with Scan-Only - Use
--scan-onlyfirst, then apply fixes - Use in CI/CD - Integrate with GitHub Actions for continuous scanning
- Read Security Docs - See
security/SECURE_CODING_GUIDE.md - Run Security Tests -
pytest tests/test_security*.py - Use Pre-Commit Hooks - Automated security checks
- Follow Threat Model - See
security/THREAT_MODEL.md - Report Issues Privately - Use GitHub Security Advisories
PyGuard itself is continuously scanned with:
- CodeQL - Weekly security analysis (Python extended queries)
- Bandit - SAST for Python security issues
- Semgrep - Advanced pattern matching (security-audit, OWASP, CI rules)
- OSSF Scorecard - Supply chain security rating
- Dependency Review - Blocks vulnerable dependencies in PRs
- Gitleaks - Secrets detection in commits
- ✅ SHA-pinned actions - All actions pinned to full commit SHAs
- ✅ Minimal permissions - Least-privilege access per workflow
- ✅ OIDC authentication - No long-lived credentials
- ✅ Workflow isolation - Proper concurrency and branch protection
- ✅ SARIF uploads - Security findings in GitHub Security tab
- 📋 Risk Ledger -
security/RISK_LEDGER.md - 🎯 Threat Model -
security/THREAT_MODEL.md - 📚 Secure Coding Guide -
security/SECURE_CODING_GUIDE.md - 🔍 Custom Security Rules -
security/POLICIES/semgrep/ - 🚀 Security Quickstart -
docs/security/SECURITY_QUICKSTART.md - 📄 Security Summary -
docs/security/SECURITY_SUMMARY.md
We appreciate security researchers who help make PyGuard safer:
No vulnerabilities reported yet - be the first!
When you report a vulnerability, you can be listed here (with your permission).
- 🏆 OSSF Scorecard: Target 9+/10
- ✅ OpenSSF Best Practices Badge: In Progress
- 🔒 CVE-Free: No known vulnerabilities in current release
- Security Team: https://github.com/cboyd0319
- Public Discussion: GitHub Discussions (for non-security issues)
- Updates: Watch this repo for security advisories
Last Updated: 2025-10-19
Next Review: 2026-01-19