| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
We take security seriously. If you discover a security vulnerability, please follow these steps:
- Do NOT create a public GitHub issue
- Use GitHub's private vulnerability reporting feature (Security tab > Report a vulnerability)
- Provide detailed information about the vulnerability
- Allow reasonable time for us to address the issue before public disclosure
This project implements the following security measures:
- Dependency Scanning: Automated scanning for known vulnerabilities in dependencies using govulncheck
- Static Analysis: Code is scanned for security issues using gosec
- Filesystem Scanning: Trivy scans for additional vulnerabilities and misconfigurations
- Credential Storage: Sensitive data is stored in OS keychain or encrypted files
- No Hardcoded Secrets: All credentials are provided by users at runtime
- Minimal Permissions: Cloud resources use least-privilege security groups
- Cloud provider credentials are stored in OS keychain where available
- Fallback storage uses encryption (NaCl secretbox)
- Credentials are never logged
- WireGuard keys are generated fresh for each session
This project runs automated security scans:
- govulncheck: Official Go vulnerability checker for dependencies
- gosec: Comprehensive Go security analyzer
- trivy: Filesystem and configuration scanner
Scans run on every push, pull request, and weekly on a schedule.