Commit Guard by Shopycorn Ltd

Commit Guard Security

This page explains how to report security issues in Commit Guard, which release path is supported, and what to expect from Shopycorn Ltd during triage.

Vendor: Shopycorn Ltd
Last updated: 7 April 2026
support@shopycorn.co.uk

Commit Guard can process source code, commit diffs, workflow metadata, provider configuration, and model outputs. Because of that, security issues affecting review data, secrets, workflow execution, or provider behavior matter.

1. Supported Versions

Security fixes are focused on the current Marketplace release line.

  • Latest public Marketplace release: supported
  • Previous release line, when still active: best effort
  • Development snapshots, forks, and unpublished local builds: not supported release targets

2. What to Report

Please report issues that could affect:

  • exposure of secrets, API keys, or provider credentials
  • unintended transmission of repository content or review data
  • unsafe command execution, hook behavior, or local process interaction
  • workflow or commit-gate bypass with real security impact
  • provider or integration misuse that changes where code or telemetry is sent

General bugs, AI false positives, or UX problems without security impact should be reported through normal support channels instead.

3. How to Report

Please report security issues privately by email:

  • support@shopycorn.co.uk

Use a subject line like "Commit Guard Security Report" and include:

  • affected version
  • IntelliJ IDE version and operating system
  • steps to reproduce
  • impact and affected provider or integration, if any
  • proof of concept, with secrets redacted where possible

Do not open public GitHub issues for undisclosed security vulnerabilities.

4. What to Expect

We aim to:

  • acknowledge initial reports within 5 business days
  • confirm whether we can reproduce and triage the issue as quickly as practical
  • coordinate disclosure once a fix or mitigation is available

Some reports may depend on third-party services such as Ollama, OpenAI, GitHub services, or Sonatype Nexus IQ. In those cases, we may coordinate with the vendor or ask you to report directly to the affected platform when the issue is outside Commit Guard itself.

5. Safe Reporting

If you act in good faith, avoid privacy violations, service disruption, or unnecessary data exposure, and give us a reasonable opportunity to investigate before public disclosure, we will treat the report as a good-faith effort to improve the product.

6. Contact

Shopycorn Ltd
support@shopycorn.co.uk

For the full repository security policy, see the private product repository maintainers' documentation. For legal terms, see the Developer EULA.

© 2026 Shopycorn Ltd. All rights reserved.