To report a security vulnerability in this action, please use GitHub's private vulnerability reporting feature:
- Navigate to the Security tab of this repository
- Click "Report a vulnerability" and fill in the details
- GitHub will create a private advisory for discussion
Alternatively, email hugues@linux.com with vulnerability details.
Scope: This action only (not Kiro CLI itself)
Response Timeline
| Severity | Acknowledgment | Remediation |
|---|---|---|
| Critical/High | 48 hours | 14 days |
| Medium/Low | 5 business days | 30 days |
Once fixed and released, credit will be given to the reporter by name or pseudonym (your choice) in the release notes.
| Version | Supported | Status |
|---|---|---|
| v1.x | Yes | Active |
| < v1.0 | No | Unsupported |
Primary: hugues@linux.com
The main branch requires:
- All CI checks must pass (enforced via CI Result aggregate job)
- At least one approval before merge
- Commits must be signed (DCO)
- Release tags must be GPG-signed
- Renovate PRs trigger full CI test suite
- Fix will be developed and tested privately (GitHub Security Advisory)
- Release with fix will be published once patched
- Coordinated disclosure timeline: 30 days to patch before public disclosure
- Reporter will be credited in release notes
- Security advisory will be published alongside the release
This action:
- OpenSSF Best Practices Silver certified — fewer than 1% of open source projects reach this level
- Downloads binaries only from official AWS Kiro CLI releases (`desktop-release.q.us-east-1.amazonaws.com`)
- Uses GitHub Actions cache with version-specific keys
- Requires minimal permissions (`contents: read`)
- Does not store or transmit API keys (user-managed via secrets)
- All commits to `main` are GPG-signed; required by branch protection rules
- Kiro CLI vulnerabilities: Report to AWS Amazon Q Developer CLI
- Workflow security patterns: See examples/ and ASSURANCE.md for defensive guidance