Skip to content

Security: CHashtager/patchlens

Security

SECURITY.md

Security Policy

Patchlens handles source diffs, repository metadata, API tokens, and optional business context. Please treat security and privacy issues seriously.

Supported Versions

The main branch is the supported development line until the project starts publishing versioned releases.

Reporting a Vulnerability

Please do not open a public issue for vulnerabilities.

Use GitHub private vulnerability reporting if it is enabled for the repository. If it is not enabled, contact the repository owner or maintainer privately before publishing details.

Helpful reports include:

  • A short description of the issue.
  • Steps to reproduce.
  • Impact and affected commands.
  • Whether tokens, private diffs, comments, or provider responses can be exposed.
  • Suggested fix, if you have one.

Sensitive Data

Patchlens may send the following data to configured services:

  • MR/PR title, branches, file paths, and diffs.
  • Optional business context file contents.
  • Review comments posted back to GitLab or GitHub.

Patchlens stores tokens in a local config file. It redacts tokens in patchlens config show, but users are still responsible for protecting config files, shell history, CI logs, and screenshots.

Maintainer Expectations

Security fixes should:

  • Avoid exposing secrets in errors, logs, tests, or documentation.
  • Include regression tests where practical.
  • Be released or documented promptly once fixed.
  • Credit reporters when they want public credit.

There aren't any published security advisories