Please do not open a public GitHub issue for security vulnerabilities.
Report them privately so we can assess and address the issue before any public disclosure:
- Email: contact@savoirfairelinux.com
We aim to:
- Acknowledge your report within 48 hours
- Provide a confirmed assessment within 7 days
- Issue a fix and coordinated disclosure within 90 days (or sooner for critical issues)
Please include as much detail as possible: steps to reproduce, impact assessment, and any suggested fix.
Each agent cycle runs in an ephemeral Docker container hardened with:
--read-onlyroot filesystem--cap-drop ALL— no Linux capabilities granted--security-opt no-new-privileges:true- Only
/tmp(tmpfs, 256 MB,nosuid) and named volumes are writable - Isolated to the
ve-agent-netbridge network — no host network access
The host owns all push/review credentials and orchestrates network operations; the agent container never holds provider secrets.
Skill discovery is a per-project setting (projects.skill_discovery_enabled, default off) available to both coding and review projects — chosen in the project-setup form, not an environment flag. When enabled, the in-container agent loads team-defined skills from <repo>/.github/skills in the cloned repository. Skills are repository-controlled instructions executed by the agent, so they are a prompt-injection surface: a malicious or compromised repo could steer the agent. Mitigations:
- The setting is disabled by default; enable it only for repositories you trust.
- Only skills are loaded — MCP discovery (
enableConfigDiscovery) stays off, so untrusted.mcp.json/.vscode/mcp.jsonfiles are never honoured. - The agent still runs inside the hardened, network-isolated container described above and never holds provider push/review credentials.
The admin dashboard is protected by account-based authentication (username/password, DB-backed sessions). Admin users are managed via the Users tab (admin role required). Session tokens are opaque random values stored as SHA-256 hashes in the database. Bind the admin port to 127.0.0.1 in production.
ADMIN_AUTH_SECRET is an optional encryption key used to encrypt OAuth session tokens stored in the database. It is not used for admin authentication.
Provider credentials are stored encrypted in SQLite and masked on all admin API reads. Webhook secrets support per-integration rotation and are never returned in plaintext after initial creation.
All dashboard <script> tags use a per-request nonce. Bootstrap JSON embedded in the HTML is sanitised with Unicode escapes (\u003c, \u003e, \u0026) to prevent script injection through the JSON context.
Run npm audit regularly to detect vulnerable dependencies. We recommend pinning dependency versions in production deployments.