Security
EGC follows OpenSSF Best Practices. All security-sensitive code is covered by CodeQL analysis and Dependabot.
Security posture

- CodeQL: Static analysis on every PR and weekly scheduled scans. Covers JavaScript and TypeScript.
- Dependabot: Automated dependency update PRs, grouped by ecosystem (npm). Security alerts enabled.
- OpenSSF Scorecard: Weekly automated scoring. Checks branch protection, signed releases, CI, and more.
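The posture above is implemented through repository configuration files. The two files below are an added illustration of what such a setup typically looks like, written for this page; they are not EGC's own workflow or Dependabot files, and the file paths, cron schedule, branch name and group name are assumptions chosen for the example. They cover the three points stated above: CodeQL on every PR plus a weekly scheduled run, limited to JavaScript/TypeScript, and Dependabot updates grouped for the npm ecosystem.

```yaml
# .github/workflows/codeql.yml  (illustrative example, not EGC's file)
name: CodeQL
on:
  pull_request:            # analyse every PR
  push:
    branches: [main]       # assumed default branch
  schedule:
    - cron: "0 6 * * 1"    # weekly scheduled scan (Mondays 06:00 UTC, assumed)
permissions:
  contents: read           # least privilege: only upload scan results
  security-events: write
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript   # JS and TS only, as the page states
      - uses: github/codeql-action/analyze@v3
---
# .github/dependabot.yml  (illustrative example, not EGC's file)
version: 2
updates:
  - package-ecosystem: "npm"   # grouped by ecosystem: one group for npm
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      npm-dependencies:        # assumed group name
        patterns: ["*"]        # every npm dependency lands in one grouped PR
```

Dependabot security alerts themselves are a repository setting (Settings, Code security) rather than a key in dependabot.yml, so the configuration file alone does not enable them; the `permissions` block in the workflow is kept to the minimum CodeQL needs to upload SARIF results.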
Reporting a vulnerability
Do not open public GitHub issues for security vulnerabilities.
Public disclosure before a fix is available puts all users at risk.
Private GitHub Advisory: github.com/Fmarzochi/EGC/security/advisories/new

Response timeline

- Acknowledgment: within 72 hours
- Status update: within 14 days
- Resolution or mitigation: within 90 days of a confirmed vulnerability
Scope
In scope
- scripts/
- mcp/servers/
- install.sh, install.ps1
- hooks/, skills/
Out of scope
- Third-party dependency vulnerabilities
- Issues requiring physical machine access
- DoS against local-only runtime
- Behaviors requiring write access to host