Skip to content

Security: FasterApiWeb/fork-shepherd

Security

SECURITY.md

Security Policy

Supported versions

Version Supported
v1.x (latest @v1) Yes
Older tags Best effort

Reporting a vulnerability

Please do not open a public issue for security problems.

  1. Email the FasterApiWeb maintainers via the contact listed on the organization profile, or use GitHub Private vulnerability reporting on this repository if enabled (Security → Advisories → Report a vulnerability).
  2. Include impact, steps to reproduce, and affected versions/tags when possible.
  3. Allow reasonable time for a fix before public disclosure.

Secrets and tokens

  • Never commit PATs, App private keys, or .pem files.
  • Consumers should store FORK_SYNC_PAT as an Actions secret.
  • Maintainers should store RELEASE_APP_* (or RELEASE_TOKEN) as Actions secrets only.
  • This action authenticates Git over HTTPS with an Authorization header; do not embed tokens in remote URLs in contributions.

Scanning

CI runs leash-secrets on pushes and pull requests. Critical findings block the check.

There aren't any published security advisories