mirror of
https://github.com/mikefarah/yq.git
synced 2026-07-03 02:51:40 +00:00
Add SECURITY.md with security policy
Agent-Logs-Url: https://github.com/mikefarah/yq/sessions/f9ff8a4c-addc-485b-abb8-4103394851a4 Co-authored-by: mikefarah <1151925+mikefarah@users.noreply.github.com>
This commit is contained in:
parent
9e5309deaf
commit
48f249775f
26
SECURITY.md
Normal file
@ -0,0 +1,26 @@
# Security Policy
## Reporting a Vulnerability
Please **do not** report security vulnerabilities through public GitHub issues.
Instead, use GitHub's private vulnerability reporting feature:
👉 https://github.com/mikefarah/yq/security
This allows vulnerabilities to be triaged and addressed confidentially before any public disclosure.
## Scope
### HTTP / TLS / Network vulnerabilities
yq is a command-line YAML/JSON/TOML processor that reads from files or standard input and writes to standard output. **yq does not include any HTTP or network libraries** and makes no network connections at runtime. CVEs related to HTTP, TLS, or networking are therefore **not applicable** to yq.
### Dependency version bumps
yq uses [Dependabot](https://docs.github.com/en/code-security/dependabot) to automatically raise pull requests for:
- Go module dependencies
- Go toolchain version
- Docker base images
Please **do not** raise pull requests or issues solely to bump dependency or Go versions — Dependabot handles this automatically and the maintainers merge those PRs regularly.
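Review bot: the "HTTP / TLS / Network vulnerabilities" section states as an absolute that yq "does not include any HTTP or network libraries" and that such CVEs are "not applicable", but nothing in the file says how that stays true as the Dependabot-managed Go modules listed under "Dependency version bumps" change over time; a transitive module could start importing net/http without anyone noticing. Consider either adding one sentence on how the claim is checked (for example, reviewing the module graph when dependency PRs are merged) or narrowing it to "yq itself makes no network connections at runtime", so reports that do turn out to be applicable are not dismissed on the strength of the policy text. The file also gives reporters no indication of which versions receive fixes or when to expect an acknowledgement after using the private reporting link; a short "Supported Versions" section and an expected response window would round out the policy.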