We actively support and provide security updates for the following versions of Commit-AI:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
For detailed information about recent security fixes and vulnerability resolutions, see SECURITY_UPDATES.md.
The Commit-AI team takes security seriously. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities by emailing us at:
- Email: security@commit-ai.dev
- Subject: [SECURITY] Brief description of the issue
If you don't receive a response within 48 hours, please follow up via GitHub by creating an issue with minimal details (no exploit information) asking us to check our email.
Please include the following information in your security report:
- Description: A clear description of the vulnerability
- Steps to Reproduce: Detailed steps to reproduce the issue
- Impact: Your assessment of the potential impact
- Affected Versions: Which versions of Commit-AI are affected
- Environment: OS, Go version, configuration details
- Proof of Concept: If possible, include a minimal proof of concept
- Suggested Fix: If you have ideas for how to fix the issue
Subject: [SECURITY] API Token Exposure in Configuration
Description:
Brief description of the vulnerability
Affected Versions:
- All versions prior to X.X.X
Steps to Reproduce:
1. Step one
2. Step two
3. Step three
Impact:
Description of potential impact
Environment:
- OS: Ubuntu 22.04
- commit-ai version: v1.0.0
- Configuration: [relevant config details]
Proof of Concept:
[Minimal reproduction case]
Suggested Fix:
[Your suggestions if any]
- Acknowledgment: We will acknowledge receipt of your report within 48 hours
- Initial Assessment: We will perform an initial assessment within 5 business days
- Investigation: We will investigate and develop a fix
- Coordination: We will work with you to understand the issue and coordinate disclosure
- Release: We will release a security update and announce it publicly
- Credit: We will credit you for the discovery (unless you prefer to remain anonymous)
- Storage: API tokens should be stored securely in configuration files with appropriate file permissions (600)
- Environment Variables: Use environment variables for sensitive configuration in production
- Logging: API tokens are never logged or included in error messages
- Transmission: All API communications use HTTPS/TLS encryption
- Configuration files may contain sensitive information (API tokens)
- Set appropriate file permissions:
chmod 600 ~/.config/commit-ai/config.toml - Avoid committing configuration files to version control
- Use environment variables for sensitive values in CI/CD environments
- Commit-AI only reads git repository data, never writes
- No sensitive data from your repository is sent to AI providers
- Use
.caiignorefiles to exclude sensitive files from analysis - The tool respects existing
.gitignorepatterns
- All communications with AI providers use secure protocols (HTTPS)
- Only git diff data is sent to AI providers
- No personal information, credentials, or business logic is transmitted
- API tokens are transmitted securely using standard authentication headers
- Docker images use non-root users
- Minimal base images to reduce attack surface
- Regular updates to base images and dependencies
- No sensitive data baked into images
-
File Permissions: Ensure your config directory has proper permissions:
chmod 700 ~/.config/commit-ai chmod 600 ~/.config/commit-ai/config.toml
-
Environment Variables: Use environment variables for sensitive data:
export CAI_API_TOKEN="your-secret-token"
-
API Token Management:
- Use API tokens with minimal required permissions
- Rotate API tokens regularly
- Never commit API tokens to version control
-
Use .caiignore: Create
.caiignorefiles to exclude sensitive files:*.key *.pem secrets/ .env config/production.yml -
Review Diffs: Always review what changes will be analyzed before running commit-ai
-
Sensitive Data: Ensure no passwords, keys, or sensitive data are in your diffs
- Firewall: If using Ollama locally, ensure it's not exposed to external networks
- VPN: Use VPN when working with sensitive repositories on public networks
- HTTPS: Always use HTTPS endpoints for external AI providers
We regularly monitor and update our dependencies to address security vulnerabilities:
- Automated Scanning: GitHub Dependabot scans for vulnerable dependencies
- Security Advisories: We monitor security advisories for Go and our dependencies
- Update Policy: Security updates are prioritized and released quickly
- Recent Fixes: See SECURITY_UPDATES.md for recent vulnerability fixes
- Static Analysis: We use
gosecfor static security analysis - Dependency Scanning: Regular dependency vulnerability scanning
- Code Review: All changes undergo security-focused code review
- Configuration file security
- API token handling
- Network communications
- Input validation and sanitization
- Dependency vulnerabilities
- Docker container security
- Security of third-party AI providers (Ollama, OpenAI)
- Security of the underlying git repository
- Operating system or hardware security
- Network infrastructure security
In case of a security incident:
- Immediate Response: Assess and contain the issue
- User Notification: Notify affected users via GitHub security advisories
- Fix Development: Develop and test a security fix
- Release: Create emergency release with security fix
- Post-Incident: Conduct post-incident review and improve processes
- Security Email: security@commit-ai.dev
- General Issues: https://github.com/nseba/commit-ai/issues
- Discussions: https://github.com/nseba/commit-ai/discussions
We'd like to thank the following individuals for responsibly disclosing security vulnerabilities:
No vulnerabilities reported yet.
Last Updated: December 2024