For security vulnerabilities, please use GitHub's private vulnerability reporting:
- Go to the Security tab
- Click "Report a vulnerability"
- Provide detailed information about the issue
Response times:
- Initial acknowledgment: Within 48 hours
- Severity assessment: Within 7 days
- Fix timeline varies by severity
Alternative: For sensitive issues that cannot be reported via GitHub, contact: security@ready-to-release.dev (TODO: establish)
This is a multi-module Go workspace. All modules are currently in active development:

| Module | Path | Status | Go Version |
|---|---|---|---|
| EaC Core | go/eac/core | Active Development | 1.24+ |
| EaC Commands | go/eac/commands | Active Development | 1.24+ |
| EaC MCP Commands | go/eac/mcp/commands | Active Development | 1.24+ |
| EaC Specs | go/eac/specs | Active Development | 1.24+ |
| R2R CLI | go/r2r/cli | Active Development | 1.24+ |
Security patches are applied to the main branch and will be included in the next release.
This repository implements comprehensive security measures:
- Automated scanning: CodeQL, Trivy, Semgrep, OWASP ZAP
- Security commands: `r2r eac scan` with multiple scanner types
- Continuous monitoring: Security workflows run on every push and PR
For detailed information, see our comprehensive documentation:
- Security Practices - Shift-left security, SAST, DAST, supply chain security
- Security Workflows - Automated security scanning
- Scan Command - Running security scans locally
- Code: MIT License
- Documentation: CC-BY-SA-4.0