Patchlens handles source diffs, repository metadata, API tokens, and optional business context. Please treat security and privacy issues seriously.
The main branch is the supported development line until the project starts publishing versioned releases.
Please do not open a public issue for vulnerabilities.
Use GitHub private vulnerability reporting if it is enabled for the repository. If it is not enabled, contact the repository owner or maintainer privately before publishing details.
Helpful reports include:
- A short description of the issue.
- Steps to reproduce.
- Impact and affected commands.
- Whether tokens, private diffs, comments, or provider responses can be exposed.
- Suggested fix, if you have one.
Patchlens may send the following data to configured services:
- MR/PR title, branches, file paths, and diffs.
- Optional business context file contents.
- Review comments posted back to GitLab or GitHub.
Patchlens stores tokens in a local config file. It redacts tokens in patchlens config show, but users are still responsible for protecting config files, shell history, CI logs, and screenshots.
Security fixes should:
- Avoid exposing secrets in errors, logs, tests, or documentation.
- Include regression tests where practical.
- Be released or documented promptly once fixed.
- Credit reporters when they want public credit.