If you discover a security vulnerability, please report it responsibly:

1. Do NOT open a public issue.
2. Email heznpc@gmail.com or use GitHub Security Advisories.
3. Include steps to reproduce, impact assessment, and suggested fix if possible.

We will respond within 48 hours and work with you to resolve the issue.

This template includes automated security checks in CI:

• Dependency audit — npm audit on every push (HIGH/CRITICAL threshold)
• Secret leak detection — gitleaks scans every commit
• Dependency updates — Dependabot monitors for vulnerable dependencies
• Dockerfile lint — Hadolint enforces best practices
• Container scan — Trivy detects CRITICAL/HIGH CVEs in built images

• Never commit .env files or secrets — they are gitignored by default
• Use GitHub Secrets for deployment credentials
• Keep dependencies up to date by merging Dependabot PRs