Skip to content

Security: pedroluna-gh/preflightops

Security

SECURITY.md

Security Policy

PreflightOps is designed to help teams identify risky production changes before deployment.

Because it may process operational metadata, Terraform plans, Kubernetes manifests, service catalogs, and change requests, users should treat inputs carefully.


Supported versions

PreflightOps is currently in early development.

Version Supported
0.1.x Yes

Reporting a vulnerability

Please report security issues privately.

If this project is hosted on GitHub, use GitHub Security Advisories when available.

Otherwise, contact the maintainer directly.

Do not open public issues for vulnerabilities involving:

  • credential exposure;
  • secret handling;
  • unsafe parsing;
  • command execution;
  • sensitive report output;
  • workflow permission abuse.

Sensitive data warning

Do not paste real secrets into PreflightOps.

Avoid uploading:

  • API keys
  • tokens
  • passwords
  • private keys
  • kubeconfigs
  • cloud credentials
  • customer data
  • internal URLs
  • incident data with confidential details

Terraform plans and Kubernetes manifests can contain sensitive values. Review before sharing or committing them.


Current security model

PreflightOps currently:

  • runs locally;
  • does not require a database;
  • does not call external APIs;
  • does not send data to AI services;
  • does not require authentication;
  • produces local Markdown and JSON reports.

This makes it simple to audit, but it also means users are responsible for controlling where input files and reports are stored.


GitHub Actions permissions

The example GitHub Action requests:

permissions:
  contents: read
  pull-requests: write

This is needed to read repository content and comment on pull requests.

If you do not need PR comments, remove pull-requests: write.


Recommended safe usage

  • Run PreflightOps on sanitized examples first.
  • Avoid committing generated reports if they contain sensitive information.
  • Review Terraform plans before storing them in the repository.
  • Avoid using production secrets in Kubernetes examples.
  • Prefer placeholder values in documentation and tests.

There aren't any published security advisories