Please report suspected vulnerabilities privately via GitHub Security Advisories (Security → Report a vulnerability) on this repository, rather than opening a public issue. You'll get an acknowledgement and a fix timeline.
The v1.0.0 security review (#78) found no High/Critical issues. The code-level findings are addressed:
- Supply chain (M/L). Every GitHub Actions
uses:is pinned to a full 40-character commit SHA (with the version in a trailing comment); Dependabot'sgithub-actionsupdater keeps the SHAs current. - Least privilege (L).
test.ymlandlint.ymldeclarepermissions: { contents: read };docs.yml/release.ymlalready scope their tokens explicitly. - Secret at rest (L).
~/.psc/config.yaml(which may hold an API key) is created0600atomically viaos.open(..., O_CREAT|O_TRUNC, 0o600)— there is no world-readable window between create andchmod— and the parent~/.pscdirectory is0700. A pre-existing looser file is repaired on write. - Keep the key off disk. Set
PSC_API_KEYin the environment to override the profile's storedapi_key(precedence: env > config file), so the secret need never be written to disk. - Transport (L). TLS verification is on by default. When a profile runs with
--insecure(verify_ssl=false), psc now emits a loudInsecureTLSWarningon every live connection — especially the password-bearing key-fetch — because credentials cross the wire MITM-able. Never use--insecureagainst production Panorama.
These are configuration, not code, and must be enabled in the GitHub repo Settings → Code security:
- Enable Dependabot alerts (finding #3): surfaces newly-disclosed CVEs against the locked dependency set between the weekly version-update PRs.
Informational findings #7 (floating >= lower bounds, mitigated by the
hash-pinned uv.lock + uv sync --frozen), #8 (advisory cross-check clean),
and #9 (strong branch protection) require no action.