Do not open public GitHub issues for security vulnerabilities.
If you discover a security vulnerability in dcli, please email security@example.com with:
- Description - What is the vulnerability?
- Location - Which file(s) and line(s)?
- Impact - What could an attacker do?
- Reproduction - Steps to reproduce (if possible)
- Fix - Do you have a suggested fix?
We will:
- Acknowledge receipt within 48 hours
- Investigate and assess severity
- Develop and test a fix
- Release a patch version
- Credit you in the security advisory (unless you prefer anonymity)
- Keep dcli updated - Always use the latest version:

```bash
brew upgrade dcli
```

- Validate configuration - Review `~/.dcli/config.yaml` permissions:

```bash
ls -la ~/.dcli/
chmod 600 ~/.dcli/config.yaml  # Restrict to user only
```

- Safe repository paths - Only configure repositories you trust
- Input validation - All paths and commands are validated
- Subprocess execution - Uses `exec.Command` (no shell injection)
- Error handling - Errors are wrapped with context
- No network calls - Local operations only (Docker and Git)
- Minimal dependencies - Only Cobra and yaml.v3
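The three points above (owner-only config permissions, validated repository paths, and `exec.Command` with an argv slice instead of a shell string) as an added Go example; this is illustrative code written for this page, not dcli's own implementation, and the `ResolveRepo` allow-list and the function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// ErrLoosePerms is returned when the config file is readable or writable
// by group or others, i.e. anything looser than the recommended chmod 600.
var ErrLoosePerms = errors.New("config file must be mode 0600 (owner-only)")

// CheckConfigPerms rejects a config file that grants any permission bit
// to group or others (mask 0o077).
func CheckConfigPerms(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	perm := info.Mode().Perm()
	if perm&0o077 != 0 {
		return fmt.Errorf("%s: %w (got %04o)", path, ErrLoosePerms, perm)
	}
	return nil
}

// ResolveRepo validates a user-supplied repository path against a
// hypothetical allow-list of configured repositories: the cleaned path must
// be absolute and equal to one of the trusted entries, so "../" tricks
// cannot escape to an unconfigured directory.
func ResolveRepo(trusted []string, requested string) (string, error) {
	clean := filepath.Clean(requested)
	if !filepath.IsAbs(clean) {
		return "", fmt.Errorf("repository path must be absolute: %q", requested)
	}
	for _, t := range trusted {
		if filepath.Clean(t) == clean {
			return clean, nil
		}
	}
	return "", fmt.Errorf("repository %q is not in the configured list", requested)
}

// GitCommand builds `git -C <repo> <args...>` as an argv slice. Because no
// shell is involved, a branch or path containing ';', '$(' or spaces is
// passed to git literally rather than interpreted.
func GitCommand(repo string, args ...string) *exec.Cmd {
	argv := append([]string{"-C", repo}, args...)
	return exec.Command("git", argv...)
}
```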
dcli uses:
- OpenSSF Scorecard - Supply chain security assessment
- GitHub's Code Scanning - Static analysis on all commits
- Automated testing - 15+ tests across platforms
- No authentication - dcli does not implement authentication
- File system access - Requires access to configured repositories and Docker
- Docker socket - Requires access to Docker daemon (usually root)
- Git credentials - Uses system Git configuration (SSH keys, credentials)
| Version | Status | Support |
|---|---|---|
| v0.1.x | Current | Actively maintained |
If a vulnerability is discovered that affects dcli:
- We will create a security advisory
- A patch release will be issued
- The advisory will be published on GitHub
- Users will be notified
- Day 0: Vulnerability reported
- Day 1: Acknowledgment sent
- Day 7: Fix developed and tested
- Day 10: Patch released and advisory published
- Day 14: Vulnerability disclosure (after patches available)
dcli follows:
- Security Issues: (via private report, no public email here)
- General Questions: GitHub Discussions
- Bug Reports: GitHub Issues
Thank you for helping keep dcli secure!