Document dependency CVE policy in SECURITY.md

Clarify that a dependency having a CVE does not mean gh has a
vulnerability. We use govulncheck for reachability analysis and
ask reporters to demonstrate impact before we act on dependency CVE
reports.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Kynan Ware 2026-04-08 11:28:30 -06:00
parent 97ba17b98a
commit 73d65ed701

.github/SECURITY.md vendored

@ -11,6 +11,8 @@ If you believe you have found a security vulnerability in GitHub CLI, you can re
**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.** **Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**
A dependency having a CVE does not mean `gh` has a vulnerability. We use [`govulncheck`](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck) to determine whether vulnerable symbols are actually reachable from `gh`'s code. If you are reporting a dependency CVE, please include evidence that the issue is exploitable in `gh`: a call chain into the affected symbols or a proof of concept. Reports that only list a dependency version and CVE without demonstrating impact will be closed.
Thanks for helping make GitHub safe for everyone. Thanks for helping make GitHub safe for everyone.
[private vulnerability reporting]: https://github.com/cli/cli/security/advisories [private vulnerability reporting]: https://github.com/cli/cli/security/advisories
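Review bot: the added paragraph presents `govulncheck` as the arbiter of whether a dependency CVE affects `gh`, but `govulncheck` only evaluates vulnerabilities that have an entry in the Go vulnerability database and judges reachability from a static call graph, so a freshly assigned CVE with no vulndb entry yet, an issue in a non-Go component bundled by a dependency, or a symbol reached only via reflection or `plugin` will not show up as reachable. Suggest qualifying the claim (e.g. "We use govulncheck as a first filter ...") and making the "call chain into the affected symbols or a proof of concept" requirement the deciding evidence, so the closing sentence "Reports that only list a dependency version and CVE without demonstrating impact will be closed" does not read as "closed because govulncheck said no". It would also help reporters to state how the check is run (source mode on `./...` or binary mode on a release artifact), or link the CI job, so they can reproduce the reachability result before filing.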