Please report security issues privately.
Do not include real secrets, private keys, access tokens, or proprietary source code in reports. Use redacted examples whenever possible.

Security reports should include:
- affected version or commit
- operating system
- command used
- expected behavior
- actual behavior
- sanitized reproduction steps

ShipCheck is designed to avoid uploading source content. If you find behavior that leaks source code, secrets, or sensitive metadata unexpectedly, treat it as a security issue.