Latest main only. Tagged releases follow the same support model as the main branch at the time of the release.
Report vulnerabilities to ob@coroboros.com. Do not open public issues, MRs, or comments for security problems.
Expected initial response: within 5 business days.
Coordinated disclosure preferred. A fix window of 30 days is the default before public disclosure; we will agree on a different window when the severity demands it.
This repository builds the scanner bundle image consumed by skillward. In scope:
- Supply chain of the build — a pinned source or base image that resolves to a compromised artifact, a build step that fetches unverified content, or a missing checksum on a downloaded binary.
- Image hardening — the image runs non-root (`scanner`, uid 10000) with no entrypoint; a privilege or escape path baked into the image is in scope.
- Provenance — every published image is multi-arch, container-scanned, and cosign-signed with a CycloneDX SBOM attestation, via the shared `coroboros/citemplate`. A signing or attestation gap is in scope.
Detection quality of the bundled scanners is an upstream concern and out of scope here — the rules are inherited from each tool and refreshed by rebuild, never authored in this repository.