Skip to content

Security: XavierAgostino/macstrap

SECURITY.md

Security Policy

macstrap bootstraps a machine: it installs software via Homebrew, applies dotfiles, and downloads a prebuilt binary. Security reports are taken seriously.

Supported versions

Only the latest release (and main) receive security fixes.

Reporting a vulnerability

Please do not open a public issue for security problems.

Report privately via GitHub security advisories ("Report a vulnerability"). You should get an initial response within a few days.

What macstrap does to stay safe

  • Checksum-verified binary installsinstall.sh downloads release binaries and verifies them against the GoReleaser-published checksums.txt before installing; if verification fails it falls back to the auditable shell engine in the cloned repo.
  • No secrets in the repo — identity, emails, and signing keys live in machine-local chezmoi config; a gitleaks config and pre-commit hook guard against accidental commits, and macstrap security audits the local posture.
  • Previewable, reversible changesmacstrap install --dry-run shows the plan; macstrap uninstall backs up before removing.
  • Pinned, reviewed dependencies — Dependabot watches Go modules and GitHub Actions.

Reports about the one-line curl | bash installer, the checksum path, the release pipeline, or anything that could make a fresh-Mac bootstrap execute untrusted code are especially welcome.

There aren't any published security advisories