If you find a security vulnerability in staticpin, please report it through GitHub's private vulnerability reporting. This keeps the details private while we work on a fix.
Please include:
- What you found and how to reproduce it
- Which version you're using
- Any relevant logs or output (redact secrets)
This project ships with security hardening out of the box:
- CodeQL scans code for injection, SSRF, path traversal, and other dataflow vulnerabilities using the
security-extendedquery suite - Zizmor audits GitHub Actions workflows for excessive permissions, unpinned actions, credential exposure, and cache poisoning risks
- Dependabot keeps GitHub Actions pinned by SHA and opens PRs for updates, with a 7-day cooldown to avoid adopting compromised releases immediately
- All actions pinned by SHA with version comments, not floating tags
- Minimal workflow permissions (
permissions: {}at the top level, scoped per job) persist-credentials: falseon checkout steps to prevent token leakage
This is a volunteer-maintained open source project. Security reports are taken seriously, but there are no guaranteed response times.
Enterprise support is available, with priority response SLAs. Contact daniel@feldroy.com for details.
Security fixes are applied to the latest release on the main branch. There is no backport policy for older versions.