Document dependency CVE policy in SECURITY.md#13119

Merged
BagToad merged 1 commit into trunk from kw/security-md-dep-cve-policy
Apr 8, 2026

Conversation


@BagToad BagToad commented Apr 8, 2026

Adds a paragraph to SECURITY.md clarifying that a dependency having a CVE does not mean gh has a vulnerability. We use govulncheck for symbol-level reachability analysis, and we ask reporters to demonstrate exploitability before we act on dependency CVE reports.

Clarify that a dependency having a CVE does not mean gh has a
vulnerability. We use govulncheck for reachability analysis and
ask reporters to demonstrate impact before we act on dependency CVE
reports.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@BagToad BagToad requested a review from a team as a code owner April 8, 2026 17:28
@BagToad BagToad requested review from babakks and Copilot April 8, 2026 17:28

Copilot AI left a comment

Pull request overview

Updates the security reporting guidance to clarify how dependency CVEs are handled for gh, emphasizing reachability analysis via govulncheck and requiring reporters to demonstrate exploitability/impact.

Changes:

  • Add a policy note that a dependency CVE alone does not imply a gh vulnerability.
  • Document the use of govulncheck for symbol-level reachability analysis.
  • Ask dependency CVE reporters to include a call chain or PoC demonstrating impact in gh.
Summary per file:

.github/SECURITY.md: Adds guidance on dependency CVE reports, including reachability/exploitability expectations and closure criteria for low-signal reports.

Copilot's findings

  • Files reviewed: 1/1 changed files
  • Comments generated: 0
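
The distinction the policy rests on, a dependency merely being required versus a vulnerable symbol actually being on a call path, is what govulncheck's symbol-level analysis reports; the following Go helper is an added example, not code from this PR or the gh project. It assumes the field names of govulncheck's -json "finding" records (osv, trace, package, function) and feeds them a constructed sample stream.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Frame/Finding: the govulncheck -json "finding" fields used here (names assumed).
type Frame struct {
	Package  string `json:"package"`
	Function string `json:"function"`
}
type Finding struct {
	OSV   string  `json:"osv"`
	Trace []Frame `json:"trace"`
}

// Level: 1 = module merely required, 2 = vulnerable package imported, 3 = vulnerable function on a call path.
func Level(f Finding) int {
	level := 1
	for _, fr := range f.Trace {
		if fr.Function != "" {
			return 3
		}
		if fr.Package != "" {
			level = 2
		}
	}
	return level
}

// Triage parses a govulncheck -json stream and keeps the deepest level seen
// per OSV id; only level 3 supports treating a dependency CVE as a gh bug.
func Triage(stream string) (map[string]int, error) {
	out := map[string]int{}
	dec := json.NewDecoder(strings.NewReader(stream))
	for dec.More() {
		var m struct{ Finding *Finding `json:"finding"` }
		if err := dec.Decode(&m); err != nil {
			return nil, err
		}
		if f := m.Finding; f != nil && Level(*f) > out[f.OSV] {
			out[f.OSV] = Level(*f)
		}
	}
	return out, nil
}

// Constructed sample: 0001 is module-level only; 0002 has a call chain from main.
const Sample = `{"config":{"scanner_name":"govulncheck"}}
{"finding":{"osv":"GO-0000-0001","trace":[{"module":"example.com/depa","version":"v1.0.0"}]}}
{"finding":{"osv":"GO-0000-0002","trace":[{"module":"example.com/depb","package":"example.com/depb/parse","function":"Decode"},{"module":"example.com/app","package":"example.com/app/cmd/app","function":"main"}]}}`
```

A report citing GO-0000-0001 is the "dependency has a CVE" case the policy closes without a demonstrated call chain; GO-0000-0002 is the kind of finding a reporter would be expected to show.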

@BagToad BagToad merged commit 2119383 into trunk Apr 8, 2026
24 checks passed
@BagToad BagToad deleted the kw/security-md-dep-cve-policy branch April 8, 2026 17:38
