We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

1. Do NOT create public GitHub issues for security vulnerabilities
2. Email: Report vulnerabilities privately via GitHub Security Advisories
   • Go to the Security tab and create a new advisory
3. Include: A clear description of the vulnerability, steps to reproduce, and potential impact

• We will acknowledge receipt within 48 hours
• We aim to provide an initial assessment within 7 days
• We will keep you informed of our progress
• We will credit you in the security advisory (if desired)

This project implements several security controls:

• CI/CD Security: All workflows use explicit least-privilege permissions
• Dependency Scanning: Automated vulnerability scanning via Trivy and Dependabot
• Secret Detection: Pre-commit hooks with Gitleaks for secret scanning
• Code Analysis: CodeQL for static analysis
• Container Security: Hadolint for Dockerfile best practices
• Supply Chain: OpenSSF Scorecard monitoring and SHA-pinned GitHub Actions