ghast is actively maintained on the latest released version.
| Version | Supported |
|---|---|
| Latest release on PyPI | ✅ |
| Older releases | ❌ |
| main branch (development snapshots) | Best effort |
If you are unsure whether your version is supported, please upgrade to the latest release before reporting.
If you discover a security vulnerability in ghast itself (for example: code execution, unsafe file handling, dependency risks, or report-generation issues that could impact users), please report it privately.
- Open a private GitHub security advisory in this repository ("Report a vulnerability" in the Security tab).
- If a private advisory cannot be opened, open a regular GitHub issue with minimal, non-exploitable details and ask the maintainers for a private follow-up channel.
- Do not publish exploit details, proof-of-concept payloads, or sensitive data publicly before a fix is available.
Please include as much of the following as possible:
- A clear description of the issue and impact.
- Affected version(s) and installation method (PyPI/source).
- Reproduction steps and minimal proof of concept.
- Whether exploitation requires user interaction or special repository/workflow conditions.
- Any suggested mitigation or patch.
Maintainers will aim to:
- Acknowledge the report within 5 business days.
- Validate and triage severity.
- Develop and test a fix.
- Coordinate a release and disclosure timeline with the reporter.
For high-impact vulnerabilities, maintainers may prioritize an out-of-band patch release.
- Please follow responsible disclosure.
- We ask that you withhold public disclosure until a patch is released or 90 days have passed since the report, whichever comes first, unless a different timeline is coordinated with the maintainers.
This policy covers vulnerabilities in this repository's source code, packaging, and release artifacts.
This policy does not cover:
- Misconfigurations in third-party repositories scanned by ghast.
- Best-practice findings in user workflows that are expected outputs of the tool.
When using ghast:
- Keep ghast and its dependencies up to date.
- Run scans in CI on trusted runners.
- Review auto-remediation changes before merging.
- Use SARIF/JSON outputs as inputs to your secure development lifecycle and code scanning workflows.
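One way to feed the SARIF output into a pipeline gate, as an added example that is not ghast's own code: it assumes only the SARIF 2.1.0 layout (`runs[].tool.driver.rules[]` and `runs[].results[]`), and the rule ids, file paths and findings in `SAMPLE_SARIF` are constructed for illustration. ghast's actual rule ids and command-line invocation are not shown here; point the script at whatever SARIF file the scan writes.

```python
"""Fail a CI job when a SARIF report contains findings at or above a chosen level.

Added example, not part of ghast. It relies only on the SARIF 2.1.0 structure;
the rule ids and findings in SAMPLE_SARIF are constructed for illustration.
"""
import json
import sys
from collections import Counter

# SARIF result levels, ordered by severity.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

# Constructed sample report (hypothetical rule ids, not ghast's).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-scanner",
            "rules": [
                {"id": "EXAMPLE-UNPINNED-ACTION",
                 "defaultConfiguration": {"level": "warning"}},
                {"id": "EXAMPLE-SCRIPT-INJECTION",
                 "defaultConfiguration": {"level": "error"}},
            ],
        }},
        "results": [
            {"ruleId": "EXAMPLE-UNPINNED-ACTION",
             "message": {"text": "action reference is a mutable tag, not a commit SHA"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": ".github/workflows/ci.yml"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "EXAMPLE-SCRIPT-INJECTION",
             "message": {"text": "untrusted event field interpolated into a run: step"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": ".github/workflows/ci.yml"},
                 "region": {"startLine": 27}}}]},
            # Explicit result-level override: the rule defaults to error, but the
            # producer downgraded this occurrence.
            {"ruleId": "EXAMPLE-SCRIPT-INJECTION", "level": "note",
             "message": {"text": "same pattern, input is a constant in this workflow"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": ".github/workflows/release.yml"},
                 "region": {"startLine": 8}}}]},
        ],
    }],
})


def result_level(result, rules):
    """Effective level of one result: an explicit result.level wins, then the
    rule's defaultConfiguration.level, then the SARIF default of 'warning'."""
    if "level" in result:
        return result["level"]
    rule = rules.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")


def summarize(sarif_text):
    """Return (Counter of results per level, list of (level, rule, uri, line, message))."""
    doc = json.loads(sarif_text)
    counts = Counter()
    findings = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            level = result_level(res, rules)
            counts[level] += 1
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append((
                level,
                res.get("ruleId"),
                loc.get("artifactLocation", {}).get("uri"),
                loc.get("region", {}).get("startLine"),
                res.get("message", {}).get("text", ""),
            ))
    return counts, findings


def should_fail(counts, fail_on="error"):
    """True when any result sits at or above the fail_on level."""
    threshold = LEVEL_RANK[fail_on]
    return any(LEVEL_RANK.get(level, 0) >= threshold and n > 0
               for level, n in counts.items())


def main(argv):
    # usage: gate.py [report.sarif] [note|warning|error]; no file -> built-in sample
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_SARIF
    fail_on = argv[2] if len(argv) > 2 else "error"
    counts, findings = summarize(text)
    for level, rule, uri, line, msg in sorted(findings, key=lambda f: -LEVEL_RANK.get(f[0], 0)):
        print(f"{level:8} {rule} {uri}:{line} {msg}")
    print("summary:", dict(counts))
    return 1 if should_fail(counts, fail_on) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a CI step after the scan with the report path and the level you want to block on; a non-zero exit fails the job. The level resolution matters for reviewing auto-remediation too: a result can carry its own `level` that differs from the rule default, so gate on the effective level rather than on rule ids alone.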