Security Policy

Supported Versions

TFLint always supports only the latest version and does not provide security updates for older versions.

Reporting a Vulnerability

If you find a vulnerability, please do not report it in an issue or a discussion. You can discuss vulnerabilities internally with maintainers using private vulnerability reporting.

Please do not just report the results of a security scanner such as Trivy. In many cases, maintainers are already aware of the existence of vulnerable libraries via Dependabot alerts. We welcome reports of exploits and their impact that you have analyzed based on the output of security scanners.