Ralph is currently maintained on the latest main branch only.
Please do not disclose security vulnerabilities in public GitHub issues.
Report privately with:
- a clear description of the issue
- reproduction steps or a proof of concept
- potential impact
- any suggested mitigation
Until a dedicated security contact is configured, open a private security advisory on GitHub (if the repository owner has enabled it), or contact the maintainer through a private channel already established for repository administration.
Please report issues such as:
- secret leakage
- command injection
- unsafe workflow privilege escalation
- token exposure
- cross-repo permission bypass
- webhook verification bypass
After you report:
- We will validate the report and assess impact.
- We may ask for additional reproduction details.
- Please allow reasonable time for a fix before public disclosure.