This project follows a simple versioning approach. Security updates are applied only to the latest version.

| Version | Supported |
|---|---|
| Latest | ✅ |
| Older | ❌ |
Please report a security vulnerability if you discover any of the following:

- Exposed secrets or credentials in templates
- Unsafe 1Password CLI usage patterns
- Template logic that could leak sensitive information
- Insecure file permissions or configurations
- Vulnerabilities in dependencies

DO NOT create a public issue for security vulnerabilities. Instead:

- Report privately: create a private vulnerability report through GitHub's Security tab
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if known)
Response timeline:

- Initial Response: within 96 hours
- Status Update: within 1 week
- Resolution: depends on complexity, typically within 2-4 weeks

What to expect after reporting:

- Acknowledgment of your report
- Investigation and validation of the issue
- Fix development if the vulnerability is confirmed
- Public disclosure after the fix is available
- Credit in release notes (if desired)
Secrets management:

- All secrets are retrieved via the 1Password CLI
- No secrets are stored in the Git repository
- Templates fail safely if 1Password is unavailable

SSH keys:

- SSH keys are stored in 1Password vaults
- An active key rotation strategy is documented
- No private keys are kept in the repository

Template security:

- Templates are validated for secret leakage
- Environment detection prevents inappropriate configs from being applied
- Conditional logic isolates work and personal data

Recommended practices for users of this repository:

- Keep the 1Password CLI updated
- Use separate vaults for work and personal secrets
- Regularly rotate SSH keys in the active-ssh-keys vault
- Review generated configs before applying them
- Use encrypted age keys for additional secrets

We appreciate responsible disclosure of security vulnerabilities. Contributors who report valid security issues will be credited in release notes unless they prefer to remain anonymous.