Only the latest release (or main) receives security fixes. Prefer upgrading to the newest tagged version.
| Version | Supported |
|---|---|
| latest | ✅ |
| older | ❌ |
Do not open a public GitHub issue for security vulnerabilities.
Please report them privately using one of these:
- GitHub Security Advisories — Preferred if you have a GitHub account.
- Or contact the maintainer via GitHub profile / email listed there, with subject line including
SECURITY: devops-doctor.
Include:
- Description of the issue and impact
- Steps to reproduce (if possible)
- Affected versions or
go/ OS context if relevant
You should receive an initial response within a few days. We will coordinate a fix and disclosure timeline with you.
This project is a local CLI that runs diagnostic commands on the operator’s machine. It does not expose a network service. Reports about “RCE via malicious compose file” on the same machine as the operator are generally out of scope unless the tool introduces an unexpected trust boundary; still, we welcome discussion on the issue tracker for design improvements.
- Install from this repository or official releases; verify tags when fetching with
go install …@vx.y.z. - Run with least privilege; the tool may invoke
docker,kubectl, etc., with your user’s permissions.