mirror of
https://github.com/astral-sh/setup-uv.git
synced 2026-06-30 11:58:54 +00:00
Add a threat model for setup-uv (#923)
This adds a threat model for `setup-uv` so security scanners can use it as a baseline in terms of what's in and out of scope. The TM covers credential recipients, executable and cache boundaries, and release authority. It treats checkout-selected interpreters, paths, virtual environments, symlinks, and helpers as delegated project authority unless they override an explicit workflow choice or cross an independent cache, runner, remote, or publication boundary.
committed by GitHub
parent 224c887d48
commit c86fe4ef1f
5
SECURITY.md
Normal file
@@ -0,0 +1,5 @@
|
||||
# Security policy
|
||||
|
||||
Report suspected vulnerabilities according to [Astral's security policy](https://github.com/astral-sh/.github/blob/main/SECURITY.md).
|
||||
|
||||
For this repository's security boundaries and reporting criteria, see the [setup-uv threat model](docs/threat-model.md).
|
||||
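Review bot: The relative link `docs/threat-model.md` on the last added line of SECURITY.md has no target in the diff shown here, which contains only SECURITY.md; confirm that `docs/threat-model.md` is added in this same commit so the policy never points at a missing file. The first link is an absolute URL pointing at the `main` branch of `astral-sh/.github`, while the second is relative, so check that the relative path resolves everywhere SECURITY.md is rendered, or switch it to an absolute URL for consistency. A one-sentence summary of what is in scope, placed next to the threat-model link, would also let reporters triage without leaving the file.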