| Version | Supported |
|---|---|
| latest | ✅ |
| < 1.0 | ❌ |
Do not report security vulnerabilities through public GitHub issues.
Use GitHub Security Advisories for private discussion and coordinated disclosure. This allows us to:
- Discuss the vulnerability privately
- Develop a fix before public disclosure
- Credit you for the discovery
If you cannot use GitHub Security Advisories, open a private security report by:
- Going to the repository's Security tab
- Clicking "Report a vulnerability"
- Including the following information:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes
| Stage | Timeline |
|---|---|
| Initial response | 48 hours |
| Status update | 5 business days |
| Resolution target | 90 days |
The following are in scope for security reports:
- Container escape vulnerabilities
- Privilege escalation within the container
- Secret/credential exposure
- Supply chain vulnerabilities in dependencies
- CI/CD pipeline security issues
- Vulnerabilities in the upstream Claude CLI (report to Anthropic)
- Vulnerabilities in Docker itself (report to Docker)
- Social engineering attacks
- Physical attacks
This project implements the following security controls:
- Non-root container execution - Claude runs as unprivileged user
- Automated vulnerability scanning - Trivy scans on every build
- Dependency updates - Dependabot monitors for security updates
- Image signing - Cosign keyless signing with OIDC
- SBOM generation - Software Bill of Materials for every release
- Provenance attestations - Build provenance for supply chain security