| Version | Supported |
|---|---|
| 1.0.x | Yes |
| < 1.0 | No |

If you discover a security vulnerability in Locsight, please report it responsibly:

- Do NOT open a public issue
- Email: create a private security advisory
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

| Action | Timeline |
|---|---|
| Acknowledgment | Within 48 hours |
| Assessment | Within 1 week |
| Fix release | Within 2 weeks |

Locsight includes a built-in Secrets Scanner that detects:

- AWS Access Keys
- GitHub Personal Access Tokens
- Google API Keys
- Private Keys (RSA, DSA, EC)
- High-entropy strings (potential passwords/tokens)

All detected credentials are automatically masked before display; only a partial prefix/suffix is shown.
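As an added illustration (example code, not Locsight's own scanner), a minimal Python scanner that applies the same detection categories and masks every hit before it is reported. The key-format regexes, the 20-character minimum token length and the 4.0-bit entropy threshold are assumptions for this example, not Locsight's settings.

```python
import math
import re

# Public credential formats the scanner looks for (illustrative pattern set).
PATTERNS = {
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),
    "github_pat": re.compile(r"ghp_[A-Za-z0-9]{36}"),
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |DSA |EC )?PRIVATE KEY-----"),
}
# Candidate tokens for the entropy check: long runs of base64/url-safe characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed value, tune per codebase

def shannon_entropy(s: str) -> float:  # bits of entropy per character of s
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def mask(secret: str) -> str:  # keep a short prefix/suffix so the hit is recognisable but unusable
    if len(secret) < 12:
        return "***"
    return f"{secret[:4]}...{secret[-4:]}"

def scan(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, kind, masked_value) per finding; the raw value is never returned."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched_spans = []
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                matched_spans.append(m.span())
                findings.append((line_no, kind, mask(m.group())))
        # Entropy fallback for anything the explicit patterns did not already catch.
        for m in TOKEN_RE.finditer(line):
            overlaps = any(m.start() < e and s < m.end() for s, e in matched_spans)
            if not overlaps and shannon_entropy(m.group()) >= ENTROPY_THRESHOLD:
                findings.append((line_no, "high_entropy", mask(m.group())))
    return findings

# Constructed sample input with fake credentials, embedded so the example runs offline.
SAMPLE = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
github_token = ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
maps_key = AIzaSyA1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q
db_password = xK9pQ2mZ7vL4nR8tW1yB5cF0hJ3dG6sA
data_dir = configuration_directory_path
-----BEGIN RSA PRIVATE KEY-----
"""
```

Running `scan(SAMPLE)` reports one finding per credential line and none for the low-entropy `data_dir` value, each shown only as a masked prefix/suffix.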
- Never commit secrets to source control
- Use `.analyzer.json` to exclude sensitive directories
- Add sensitive files to `.gitignore`
- Rotate any exposed credentials immediately

Security is a shared responsibility. Thank you for helping keep Locsight safe.