The GitHub PI Scanner team takes security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities by emailing:
Please include the following information (as much as you can provide):
- Type of issue (for example buffer overflow, SQL injection, or cross-site scripting)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
This information will help us triage your report more quickly.
We prefer all communications to be in English.
When we receive a security bug report, we will:
- Confirm the problem and determine the affected versions
- Audit the code for similar problems
- Prepare fixes for all releases still under maintenance
- Release patched versions as soon as possible
- Publish a security advisory on GitHub
- Credit the reporter (unless they prefer to remain anonymous)
We release patches for security vulnerabilities for the following versions:
| Version | Supported |
|---|---|
| Latest | ✅ |
| < 1.0 | ❌ |
When using the GitHub PI Scanner:
- Always use local LLM providers - Never configure the scanner to send PI data (the very content it is scanning for) to an external service
- Secure your GitHub tokens - Use a token with the minimum permissions the scan needs (read access to the repositories' contents), give it a short expiry, supply it through an environment variable rather than a committed config file, and revoke it when you are done
- Review scan results carefully - Confirm that PI values are masked or redacted in a report before it leaves the scanning environment; a report that reproduces the PI it found is itself a leak
- Run in isolated environments - Consider Docker or a VM when scanning untrusted repositories, so that nothing in the repository can affect your host
- Keep the scanner updated - Always use the latest version for security patches
The PI Scanner implements several security measures:
- Local-only processing - All scanning happens on your infrastructure
- Automatic cleanup - Temporary files are securely deleted after scanning
- Configurable masking - PI values can be fully or partially redacted in outputs
- No data transmission - The scanner never sends data to external services by default
- Secure credential handling - GitHub tokens are never written to logs or included in output
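As an added illustration (not the PI Scanner's own code, whose internals this page does not show), the following Python demonstrates three of the behaviours listed above in working form: full versus partial masking of a detected value, a logging filter that keeps GitHub tokens out of log output, and a scratch directory that is removed when the scan finishes. The email pattern, the `mask_value` and `find_and_mask` helpers, the report layout and the sample lines are all assumptions constructed for this example; only the GitHub token prefixes (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`, `github_pat_`) are real formats.

```python
import io
import logging
import os
import re
import tempfile

# Email pattern used only by this example (assumption; the real scanner's
# detection logic is not shown on the page).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Real GitHub token formats: classic tokens (ghp_, gho_, ghu_, ghs_, ghr_)
# and fine-grained personal access tokens (github_pat_).
GITHUB_TOKEN_RE = re.compile(
    r"\b(?:gh[pousr]_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,})"
)
REDACTED = "[REDACTED-GITHUB-TOKEN]"


def mask_value(value: str, mode: str = "full", keep: int = 4) -> str:
    """'full' replaces every character; 'partial' keeps the last `keep`
    characters so findings can be correlated without reproducing the value.
    Values no longer than `keep` are fully masked so a short value never leaks."""
    if mode not in ("full", "partial"):
        raise ValueError(f"unknown mask mode: {mode!r}")
    if mode == "full" or len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def find_and_mask(lines, mode="full"):
    """Return findings with the value already masked, so the unmasked PI
    never leaves this function."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in EMAIL_RE.finditer(line):
            findings.append({"line": lineno, "type": "email",
                             "value": mask_value(match.group(0), mode)})
    return findings


def redact_tokens(text: str) -> str:
    """Replace anything that looks like a GitHub token."""
    return GITHUB_TOKEN_RE.sub(REDACTED, text)


class TokenRedactingFilter(logging.Filter):
    """Rewrites the message and its string arguments before the record is
    formatted, so a token passed to a log call never reaches the output."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_tokens(str(record.msg))
        if isinstance(record.args, tuple):
            record.args = tuple(redact_tokens(a) if isinstance(a, str) else a
                                for a in record.args)
        return True


def make_safe_logger(name: str = "pi-scanner-example"):
    """Logger writing to an in-memory buffer with the token filter attached
    to its handler; the buffer lets callers inspect what was emitted."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.addFilter(TokenRedactingFilter())
    logger.addHandler(handler)
    return logger, buf


def scan_in_scratch_dir(lines, mode="full"):
    """Write the masked report into a temporary directory that is removed on
    exit from the `with` block (ordinary deletion, not secure wiping).
    Returns (findings, report_was_written, scratch_dir_still_exists)."""
    with tempfile.TemporaryDirectory(prefix="pi-scan-") as workdir:
        report_path = os.path.join(workdir, "report.txt")
        findings = find_and_mask(lines, mode)
        with open(report_path, "w", encoding="utf-8") as fh:
            for f in findings:
                fh.write(f"{f['line']}:{f['type']}:{f['value']}\n")
        written = os.path.exists(report_path)
    return findings, written, os.path.exists(workdir)


# Constructed sample input for the example (not real data).
SAMPLE_LINES = [
    "contact: alice@example.com",
    "# no PI on this line",
    "owner bob.smith@corp.example, token ghp_" + "A" * 36,
]

if __name__ == "__main__":
    logger, buf = make_safe_logger()
    logger.info("authenticating with %s", "ghp_" + "A" * 36)
    print(buf.getvalue().strip())  # the token is replaced before output
    for mode in ("full", "partial"):
        findings, written, leftover = scan_in_scratch_dir(SAMPLE_LINES, mode)
        print(mode, findings, "report written:", written, "scratch left:", leftover)
```

The two points worth carrying over to any real deployment: mask at the point of detection rather than at the point of printing, so no intermediate structure holds the raw value, and attach the redaction filter to the handler, since a filter on the logger alone is skipped for records that arrive through child loggers.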
For any security-related questions that don't need to be kept private, feel free to open a discussion in our GitHub repository.