Please do NOT open a public GitHub issue for security vulnerabilities.
If you discover a security vulnerability in Quell, please report it responsibly via GitHub's private vulnerability reporting:
- Go to the Security tab
- Click "Report a vulnerability"
- Describe the issue in detail
You can also email directly at the address listed on the GitHub profile.
We aim to respond within 48 hours and will keep you updated throughout the fix process. We appreciate responsible disclosure.
| Version | Supported |
|---|---|
| 2.x | β Active support |
| 1.x | β No longer maintained |
Quell is built with a security-first architecture. The following principles are non-negotiable and any contribution that violates them will be rejected:
Quell makes zero network calls. No telemetry, no analytics, no external API calls of any kind. All secret detection runs entirely on your local machine.
Any PR that introduces network calls will be immediately closed.
Detected secrets are stored exclusively in VS Code's SecretStorage API, which maps to your OS Keychain (Windows Credential Manager / macOS Keychain / libsecret on Linux). They are never written to disk in plaintext and never transmitted anywhere.
The playground/.env and src/test/SecretScanner.test.ts files contain fake, clearly-example credentials for testing purposes only. They follow official documentation formats (e.g. AWS's own example key AKIAIOSFODNN7EXAMPLE) and have no real access to any systems.
All contributors must adhere to the following:
- Run Quell on your own changes β use
Ctrl+Shift+C(Copy Redacted) or scan the workspace - No real credentials β test fixtures must use obviously fake values (e.g.
sk_test_EXAMPLE, not a real key) - No new runtime dependencies that have network access or broad file system access
- All new regex patterns must include corresponding unit tests in
SecretScanner.test.ts npm run compilemust pass cleanly with zero TypeScript errorsnpm testmust pass with all existing test cases still passing
- All changes to
SecretScanner.ts(detection logic) β reviewed carefully for false positives and bypasses - All changes to
extension.ts(clipboard, file operations) β reviewed for data leakage risks - All changes to
package.jsonβ new dependencies are scrutinised - All changes to
.github/workflow files β reviewed for supply chain risks
The main branch requires:
- At least 1 approving review before merge
- All status checks to pass
- No force pushes
Dependencies are kept minimal by design. We use Dependabot to automatically open PRs for dependency updates on a weekly basis.
When reviewing Dependabot PRs:
- Check the changelog for the updated package
- Verify no new permissions or network capabilities have been introduced
- Run
npm testto confirm nothing is broken
The following are in scope for vulnerability reports:
- Secret detection bypasses (a malformed key that Quell fails to catch)
- False negative patterns (real credentials that regularly evade detection)
- Data exfiltration risks (anything that could send data off the machine)
- Privilege escalation via the VS Code extension host
The following are out of scope:
- False positives (non-secrets being flagged) β report as a regular GitHub issue
- Feature requests β open a regular GitHub issue
- Vulnerabilities in VS Code itself or third-party IDEs
We thank all security researchers who responsibly disclose issues. Significant findings will be credited in the changelog unless you prefer to remain anonymous.