Only the latest release receives security fixes.
| Version | Supported |
|---|---|
| Latest | ✅ |
| Older | ❌ |
Please do not open a public GitHub issue for security vulnerabilities.
Report vulnerabilities privately via GitHub Security Advisories.
Include as much detail as possible:
- Description of the vulnerability and its potential impact
- Steps to reproduce (workflow file, command, output)
- Affected version (`pipeguard --version`)
- Suggested fix if you have one
| Step | Target |
|---|---|
| Acknowledgement | within 48 hours |
| Initial assessment | within 5 business days |
| Fix or mitigation | within 30 days for critical issues |
| Public disclosure | after fix is released |
- False negatives — a dangerous workflow pattern that PipeGuard does not detect
- False positives causing security bypass — a check that can be silenced by crafting malicious input
- Dependency vulnerabilities — vulnerabilities in PipeGuard's own dependencies (`pyyaml`, `click`, `rich`, `requests`)
- Supply-chain issues — compromised actions or dependencies in PipeGuard's own CI/CD
- Vulnerabilities in workflows that PipeGuard is designed to detect (report those to the affected project)
- Missing checks for patterns not yet on the roadmap — open a regular issue instead
- actionlint bugs — report those upstream at rhysd/actionlint
PipeGuard follows coordinated disclosure:
- Reporter submits the vulnerability privately
- Maintainer confirms, develops, and releases a fix
- A GitHub Security Advisory is published after the fix is available
- Reporter is credited in the advisory (unless they prefer to remain anonymous)
PipeGuard is a static analysis tool — it reads YAML files and never executes workflow code. Key design decisions relevant to security:
- Fully offline by default — no outbound network calls during a scan
- No secrets required — Free-tier scans need no API keys or tokens
- No code execution — workflow files are parsed, never run
- Read-only filesystem access — PipeGuard only reads files, never writes to the repository
If you find a way to make PipeGuard execute arbitrary code by crafting a malicious workflow file, please report it immediately — that would be a critical vulnerability.
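As an added illustration of the "no code execution" design decision above (example code written for this page, not PipeGuard's own source): a loader that parses a workflow with PyYAML's `yaml.safe_load`, which builds only plain dicts, lists and scalars and refuses Python-specific tags, plus a trigger lookup that handles PyYAML's YAML 1.1 quirk of resolving the bare key `on` to the boolean `True`. The workflow texts are constructed samples, the function names are assumptions, and PyYAML is assumed to be installed (it is one of the dependencies listed above).

```python
"""Added example (not PipeGuard's own code): parse a GitHub Actions workflow
the way a static analyser should, so YAML becomes plain data and never
executable Python objects. Assumes PyYAML is installed."""
import yaml

# Constructed sample: an ordinary workflow file.
GOOD_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo hello
"""

# Constructed sample: a document carrying a Python-specific YAML tag.
# yaml.safe_load has no constructor for this tag and raises ConstructorError;
# the legacy unsafe loaders (yaml.load with yaml.Loader / yaml.UnsafeLoader)
# would instead import the named Python object, which is exactly the
# behaviour a scanner that "parses, never runs" must avoid.
TAGGED_WORKFLOW = """\
name: !!python/name:builtins.str
on: [push]
jobs: {}
"""


def load_workflow(text: str) -> dict:
    """Return the workflow as plain dicts/lists/scalars, or raise ValueError."""
    try:
        doc = yaml.safe_load(text)
    except yaml.YAMLError as exc:
        # Covers syntax errors and unknown/unsafe tags alike.
        raise ValueError(f"refusing to parse workflow: {exc}") from None
    if not isinstance(doc, dict):
        raise ValueError("workflow root must be a mapping")
    return doc


def is_safe_to_parse(text: str) -> bool:
    """True if the text loads under the safe loader, False otherwise."""
    try:
        load_workflow(text)
    except ValueError:
        return False
    return True


def triggers(workflow: dict) -> list:
    """Return the workflow's trigger events as strings.

    PyYAML follows YAML 1.1, so the bare key `on` is resolved to the boolean
    True rather than the string "on"; a scanner has to look up both forms or
    it will silently miss every trigger block."""
    on = workflow.get("on", workflow.get(True))
    if on is None:
        return []
    if isinstance(on, str):
        return [on]
    if isinstance(on, list):
        return [str(e) for e in on]
    if isinstance(on, dict):
        return [str(k) for k in on]
    return []


def run_scripts(workflow: dict) -> list:
    """Collect every step's `run` script as a string for later inspection.
    The scripts are only read, never evaluated."""
    scripts = []
    for job in (workflow.get("jobs") or {}).values():
        for step in (job or {}).get("steps") or []:
            if isinstance(step, dict) and "run" in step:
                scripts.append(str(step["run"]))
    return scripts


if __name__ == "__main__":
    wf = load_workflow(GOOD_WORKFLOW)
    print("triggers:", triggers(wf))
    print("run steps:", run_scripts(wf))
    print("tagged document accepted:", is_safe_to_parse(TAGGED_WORKFLOW))
```

The point of `triggers` is the part most easily missed: a check that reads `workflow["on"]` on a PyYAML-parsed document finds nothing, which is one way a real detection can turn into a false negative.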