| Version | Supported |
|---|---|
| Latest release | ✅ Security fixes |
| Previous minor | ✅ Critical fixes only |
| Older | ❌ Not supported |

Do not open a public GitHub issue for security vulnerabilities.

Email: security@dashdiag.sh

We acknowledge within 48 hours and provide an initial assessment within 7 days.

Include: description, reproduction steps, affected version (`dsd --version`).

DashDiag is a read-only local CLI tool. It:

- Reads `/proc`, `/sys`, and system files on the local machine
- Executes read-only system commands (`timedatectl`, `systemctl show`, etc.)
- Saves state to `~/.dsd/` (usage metrics, snapshots)
- Optionally uploads snapshots to `dashdiag.sh` (if `--share` is used — not yet implemented, see PRIVACY.md)

It does not:

- Write to system directories (`/etc`, `/var`, `/sys`, `/proc`)
- Run as a daemon or background service
- Open listening network ports
- Modify system configuration
- Require root privileges (graceful fallback if not available)

```bash
cosign verify-blob \
  --key https://raw.githubusercontent.com/keyorixhq/dashdiag/main/cosign.pub \
  --signature dsd-linux-amd64.sig \
  dsd-linux-amd64
sha256sum --check --ignore-missing checksums.txt
```

`~/.dsd.yaml` — not encrypted, do not put secrets here.

`~/.dsd/state.json` — usage metrics only, no passwords or tokens.

All dependencies must have permissive licenses (MIT, Apache 2.0, BSD).
GPL/AGPL dependencies are not permitted. Verify: `go-licenses check ./...`