GitNexus is developed on main. Security fixes are applied to the latest released minor on npm (gitnexus) and to the published Docker images (Dockerfile.cli, Dockerfile.web). Older minors are not back-patched.
Please do not open a public GitHub issue for security reports.
Use GitHub Private Vulnerability Reporting for this repository:
→ https://github.com/abhigyanpatwari/GitNexus/security/advisories/new
Please include:
- A description of the issue and its potential impact
- Steps to reproduce (a minimal repro repo or commit hash if possible)
- The affected version(s) —
npm view gitnexus version, image digest, or commit SHA - Any suggested mitigation
- Acknowledgement: best-effort within 5 business days, subject to maintainer capacity.
- Triage: we will confirm whether the report is in scope, request clarifications if needed, and propose a fix timeline.
- Disclosure: coordinated. We will agree on a disclosure date with you before publishing an advisory.
In scope:
- The
gitnexusCLI and MCP server (gitnexus/) - The
gitnexus-webthin client (gitnexus-web/) - The
gitnexus-sharedtypes package (gitnexus-shared/) - The published Docker images (
Dockerfile.cli,Dockerfile.web) - GitHub Actions workflows in
.github/workflows/
Out of scope:
- Vulnerabilities in third-party dependencies that we have no influence over (please report upstream; if a viable mitigation exists at the GitNexus layer, that's in scope).
- Issues requiring physical access to a developer machine or a compromised local environment.
- Theoretical attacks without a practical exploit against a default GitNexus deployment.
If you fork GitNexus or self-host it, we recommend enabling the following in your repository's Settings → Code security and analysis:
- Private vulnerability reporting — the channel described above.
- Dependabot alerts — alerts on advisories affecting your dependencies.
- Dependabot security updates — automated PRs for security patches (this repo's
.github/dependabot.ymlalready covers version updates). - Secret scanning and Push protection — blocks pushes that introduce known secret patterns. Defense-in-depth on top of the in-CI Gitleaks scan documented below.
- Code scanning — surfaces SARIF results from CodeQL, Trivy, Scorecard, and zizmor in one place.
This repository runs the following scans automatically. Findings appear under the repository's Security → Code scanning tab.
| Scan | Tool | Trigger | Action on finding |
|---|---|---|---|
| Static analysis (JS/TS, Python) | CodeQL | PR, main push, weekly |
Advisory (Security tab) |
| Dependency vulnerabilities (PR diff) | dependency-review-action |
PR | Blocks PR at high+ severity |
| Secret scanning | Gitleaks | PR, main push |
Blocks PR on default rules |
| Supply-chain posture | OpenSSF Scorecard | Weekly, main push |
Advisory (Security tab + public badge) |
| Workflow lint | zizmor | PR (touching .github/**) |
Blocks PR at high+ severity |
| Container image scan | Trivy | Weekly, main push |
Advisory (Security tab) |
Dependency version updates are managed separately by Dependabot — see .github/dependabot.yml.