Currently supported versions of Cerber Core with security updates:
| Version | Supported |
|---|---|
| 1.1.x | ✅ |
| 1.0.x | ✅ |
| < 1.0 | ❌ |
If you discover a security vulnerability in Cerber Core, please report it responsibly:
Email: st.pitek@gmail.com
Subject: [SECURITY] Cerber Core - [Brief Description]
Include:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact (who is affected, what data is at risk)
- Affected versions (e.g., 1.0.0, 1.0.1)
- Suggested fix (if you have one)
- Your contact information (for follow-up)
- Acknowledgment: Within 24-48 hours
- Initial Assessment: Within 7 days
- Fix Timeline: 7-14 days (depending on severity)
- Public Disclosure: After fix is released and users have had time to update
We use the following severity classifications:
- Critical: Immediate risk of data breach, RCE, or complete system compromise
- High: Significant security risk affecting many users
- Medium: Moderate security risk with limited impact
- Low: Minor security issue or best practice violation
When using Cerber Core in your projects:

```javascript
// ❌ BAD - Hardcoded API key
const schema = {
  name: 'Backend',
  apiKey: 'sk_live_abc123def456' // NEVER DO THIS!
};
```

```javascript
// ✅ GOOD - Use environment variables
const schema = {
  name: 'Backend',
  apiKey: process.env.API_KEY
};
```

```bash
# .env (keep in .gitignore!)
API_KEY=sk_live_abc123def456
DATABASE_URL=postgresql://localhost:5432/mydb

# .env.example (commit this for documentation)
API_KEY=your_api_key_here
DATABASE_URL=your_database_url_here
```

Ensure your .gitignore includes:

```
.env
.env.*
*.key
*.pem
secrets/
credentials.json
```
```bash
# Check for updates
npm outdated

# Update Cerber Core
npm update cerber-core

# Check for security vulnerabilities
npm audit
npm audit fix
```

```bash
# Enable Dependabot (GitHub)
# Settings → Security & analysis → Dependabot alerts

# Enable npm audit in CI/CD
npm audit --audit-level=moderate
```

When contributing to Cerber Core:
- All PRs require review before merge
- Security-sensitive changes require 2+ reviews
- Never merge your own PRs
- Review dependency changes carefully
- Check for known vulnerabilities: `npm audit`
- Prefer well-maintained, popular packages
- Verify package authenticity (typosquatting)
```typescript
// ✅ GOOD - Validate user input
function validateSchema(schema: unknown): GuardianSchema {
  if (!schema || typeof schema !== 'object') {
    throw new Error('Invalid schema');
  }
  // ... more validation
  return schema as GuardianSchema; // narrow the type only after every check has passed
}
```

```typescript
// ❌ BAD - Trust user input
function validateSchema(schema: any) {
  return schema; // No validation!
}
```

```javascript
// ❌ DANGEROUS
eval(userInput);
new Function(userInput)();
child_process.exec(userInput);

// ✅ SAFE
// Use safe alternatives or strict validation
```

Data Flow:
- ✅ Runs locally on developer's machine
- ✅ Does NOT send code to external services
- ✅ Does NOT make network requests
- ✅ Safe for proprietary/confidential codebases
Limitations:
- ⚠️ Can be bypassed with `git commit --no-verify`
- ⚠️ Relies on local .git hooks (not server-side)
- ⚠️ Architect approvals are comments (not cryptographic)
Recommendations:
- Enforce Guardian in CI/CD pipeline (server-side validation)
- Use signed commits for critical projects
- Regularly audit architect approvals
Data Flow:
- ✅ Runs on your server/infrastructure
- ✅ No external API calls (unless you add them in health checks)
- ✅ Your data stays on your infrastructure
- ✅ Health check results are internal (not sent externally)
Limitations:
- ⚠️ Health checks run with application privileges
- ⚠️ Diagnostic data may contain sensitive information
- ⚠️ /api/health endpoint exposes system status
Recommendations:
```javascript
// Secure health endpoint
app.get('/api/health', authenticateRequest, async (req, res) => {
  const result = await cerber.runChecks();

  // Filter sensitive data before responding
  const sanitized = {
    status: result.status,
    // Omit diagnostics in production
    issues: result.issues.map(i => ({
      code: i.code,
      severity: i.severity
      // Remove: diagnostics, rootCause (may contain paths/secrets)
    }))
  };

  res.json(sanitized);
});
```

Data Flow:
- ✅ Runs locally on developer's machine
- ✅ No telemetry or usage tracking
- ✅ No external network requests
- ✅ Open source (audit yourself)
Limitations:
- ⚠️ Bash scripts execute with user privileges
- ⚠️ Auto-repair can modify code (use `--dry-run` first)
Recommendations:
- Review scripts before running: `cat node_modules/cerber-core/solo/scripts/cerber-auto-repair.js`
- Use `--dry-run` before applying changes
- Back up code before auto-repair: `git commit -m "Before auto-repair"`
Data Flow:
- ✅ Generates context files locally
- ✅ No external API calls
- ✅ .cerber/ directory is git-ignored by default
Limitations:
- ⚠️ FOCUS_CONTEXT.md may contain sensitive code
- ⚠️ Module boundaries rely on developer discipline
Recommendations:
- Add `.cerber/` to `.gitignore`
- Review FOCUS_CONTEXT.md before sharing with AI
- Use module boundaries to limit context exposure
Cerber Core has undergone the following security reviews:
- Internal Audit: January 2026 - Stefan Pitek
- Community Review: Open for security researchers
Want to help? Review the code and report findings to st.pitek@gmail.com
- ✅ No personal data collection
- ✅ No tracking or analytics
- ✅ No cookies or external requests
- ✅ Open source (auditable)
- ✅ No data storage
- ✅ Local execution only
- ⚠️ Cerber Core itself is compliant (no data handling)
- ⚠️ Your health checks may access sensitive data - implement appropriate controls
Security researchers who have responsibly disclosed vulnerabilities:
2026:
- Become the first!
We appreciate responsible disclosure and will credit researchers (with permission) who help improve Cerber Core's security.
Cerber Core implements strict supply chain security measures to protect users from software supply chain attacks.
- All maintainers MUST enable two-factor authentication for npm accounts
- Publishing requires authentication with 2FA verification
- Protects against account compromise
- Official releases published via GitHub Actions CI pipeline
- Prevents local machine drift and unauthorized releases
- Ensures reproducible builds from tagged commits
- Audit trail: every release linked to GitHub commit
- ❌ No `postinstall`, `preinstall`, `prepare` hooks
- ❌ Cerber never executes arbitrary code during `npm install`
- ✅ Installation is side-effect free (except writing to `node_modules`)
- ✅ Safe to install in any environment
- Dependencies updated only via reviewed pull requests
- Security audits run on every PR: `npm audit`
- Minimal dependency footprint (only essential packages)
- Versions pinned in `package-lock.json`
Cerber Core is safe to install:
```bash
npm install cerber-core --save-dev
```

What happens during install:
- ✅ Package downloaded from official npm registry
- ✅ Files extracted to `node_modules/cerber-core`
- ✅ Dependencies resolved and installed
- ❌ NO post-install scripts executed
- ❌ NO system modifications outside `node_modules`
- ❌ NO network requests beyond npm registry
- ❌ NO telemetry or tracking
You can verify package integrity:
```bash
# 1. Check package contents before install
npm pack cerber-core --dry-run

# 2. Audit dependencies
npm audit

# 3. Install with script protection (npm 7+)
npm install cerber-core --ignore-scripts

# 4. Verify package metadata
npm view cerber-core dist.integrity
```

All official Cerber Core releases:
- ✅ Tagged in GitHub with `v*` pattern (e.g., `v1.1.7`)
- ✅ Have corresponding GitHub Release notes
- ✅ Published from `main` branch only
- ✅ Include `CHANGELOG.md` entry
- ✅ Built via CI (GitHub Actions)
- ✅ Signed commits (when possible)
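
The `dist.integrity` value printed by `npm view` in the verification steps above is a Subresource Integrity string (`sha512-<base64>`). The following added example, which is not part of Cerber Core, shows how to check tarball bytes against such a string; `parseSri`, `verifyIntegrity` and the sample bytes are constructed for illustration.

```javascript
// Added example, not Cerber Core code: verify tarball bytes against an npm SRI string.
const nodeCrypto = require('node:crypto');

const STRENGTH = ['sha512', 'sha384', 'sha256']; // strongest first; sha1 is not accepted

// Parse "alg-base64 alg-base64 ..." into [{ alg, digest }] with digest as a Buffer.
function parseSri(sri) {
  return String(sri).trim().split(/\s+/).map((entry) => {
    const dash = entry.indexOf('-');
    const b64 = entry.slice(dash + 1).split('?')[0]; // drop optional SRI options
    return { alg: entry.slice(0, Math.max(dash, 0)), digest: Buffer.from(b64, 'base64') };
  });
}

// Trust only the strongest algorithm listed, so a matching weaker hash cannot
// mask a mismatch on the stronger one.
function verifyIntegrity(bytes, sri) {
  const entries = parseSri(sri).filter((e) => STRENGTH.includes(e.alg));
  if (entries.length === 0) return { ok: false, alg: null, reason: 'no supported hash' };
  entries.sort((a, b) => STRENGTH.indexOf(a.alg) - STRENGTH.indexOf(b.alg));
  const best = entries[0].alg;
  const actual = nodeCrypto.createHash(best).update(bytes).digest();
  const ok = entries.some((e) => e.alg === best &&
    e.digest.length === actual.length && nodeCrypto.timingSafeEqual(e.digest, actual));
  return { ok, alg: best, reason: ok ? 'match' : 'digest mismatch' };
}

// Constructed sample: stand-in bytes, not a real cerber-core tarball.
const sampleTarball = Buffer.from('constructed tarball bytes for illustration');
const sampleSri = 'sha512-' +
  nodeCrypto.createHash('sha512').update(sampleTarball).digest('base64');

console.log(verifyIntegrity(sampleTarball, sampleSri));                 // ok: true
console.log(verifyIntegrity(Buffer.from('tampered bytes'), sampleSri)); // ok: false
```

In real use, read the bytes from the `.tgz` file that `npm pack cerber-core` writes and pass the string from `npm view cerber-core dist.integrity`.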
Verify release authenticity:
```bash
# Check npm version matches GitHub release
npm view cerber-core version

# Compare with GitHub releases
# https://github.com/Agaslez/cerber-core/releases
```

If you suspect a compromised package or supply chain attack:
- Stop using the package immediately
- Email security report: st.pitek@gmail.com
- Check GitHub releases for official version verification
- Run `npm audit` to detect known vulnerabilities
- Review `package-lock.json` for unexpected changes
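
One way to make the `package-lock.json` review concrete, as an added example that is not part of Cerber Core: the script below flags lockfile entries that declare install scripts, resolve outside the registry, or lack a sha512 integrity, and diffs two lockfiles for an integrity change under an unchanged version. It assumes lockfileVersion 2 or 3 and that only the public npm registry is expected; the package names and hashes are constructed.

```javascript
// Added example, not Cerber Core code: audit and diff package-lock.json contents.
const REGISTRY = 'https://registry.npmjs.org/'; // assumption: the only expected source

// Flag entries that run install scripts, resolve elsewhere, or lack sha512 integrity.
function auditLock(lock) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === '' || pkg.link || pkg.inBundle) continue; // root, workspace links, bundled deps
    if (pkg.hasInstallScript) findings.push({ path, issue: 'has-install-script' });
    if (!String(pkg.resolved || '').startsWith(REGISTRY)) findings.push({ path, issue: 'unexpected-source' });
    if (!/^sha512-/.test(pkg.integrity || '')) findings.push({ path, issue: 'weak-or-missing-integrity' });
  }
  return findings;
}

// A published version is immutable, so the same version with a different
// integrity value means the lockfile now points at different bytes.
function diffLocks(before, after) {
  const findings = [];
  const old = before.packages || {};
  for (const [path, pkg] of Object.entries(after.packages || {})) {
    if (path === '') continue;
    if (!old[path]) findings.push({ path, issue: 'added' });
    else if (old[path].version !== pkg.version) findings.push({ path, issue: 'version-changed' });
    else if (old[path].integrity !== pkg.integrity) findings.push({ path, issue: 'integrity-changed-same-version' });
  }
  return findings;
}

// Constructed lockfiles (hypothetical package names, placeholder hashes).
const beforeLock = { lockfileVersion: 3, packages: {
  '': { name: 'my-app' },
  'node_modules/example-a': { version: '1.0.0', integrity: 'sha512-AAAA',
    resolved: REGISTRY + 'example-a/-/example-a-1.0.0.tgz' } } };
const afterLock = { lockfileVersion: 3, packages: {
  '': { name: 'my-app' },
  'node_modules/example-a': { version: '1.0.0', integrity: 'sha512-BBBB',
    resolved: REGISTRY + 'example-a/-/example-a-1.0.0.tgz' },
  'node_modules/example-b': { version: '2.0.0', integrity: 'sha1-CCCC', hasInstallScript: true,
    resolved: 'https://mirror.example.invalid/example-b-2.0.0.tgz' } } };

console.log(auditLock(afterLock));
console.log(diffLocks(beforeLock, afterLock));
```

To run it against a real project, load the committed and the current `package-lock.json` with `JSON.parse` and fail the CI job when either function returns findings.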
Security Issues: st.pitek@gmail.com
General Issues: https://github.com/Agaslez/cerber-core/issues
GitHub: @Agaslez
Last Updated: January 4, 2026
Version: 1.1.7