Zero Data Leakage

In an era of AI-driven tools, your source code is often treated as training data. gitresolve takes a different path. We believe your code is your most valuable asset.

100% Offline

The tool contains no networking code. It cannot send your code to a remote server because it doesn't know how to talk to the internet.

CWE-22 Sandboxing

Every file operation uses os.Root to ensure no read/write can escape the repository root. Path traversal is mathematically impossible.

DoS Protection

A mandatory 10MB gate prevents memory exhaustion. Maliciously oversized conflict files are skipped and escalated to manual review.
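The os.Root sandbox and the size gate described above can be seen working together in the following Go program. It is an added example written for this page, not gitresolve's own code. It assumes Go 1.24 or newer (os.Root first shipped there); the names MaxConflictFileSize, ErrOversized, ReadConflictFile and RunDemo are this example's own, and the fixtures it builds (a conflict file, a secret outside the repo, a symlink pointing at it, and a sparse file one byte over the gate) are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// MaxConflictFileSize is the size gate. 10MB is the figure the page states; the
// constant name and the 10 MiB rounding are this example's own choices.
const MaxConflictFileSize = 10 << 20

// ErrOversized marks a file the gate refused; the caller escalates it to manual review.
var ErrOversized = errors.New("conflict file exceeds size gate; escalate to manual review")

// ReadConflictFile opens rel through os.Root, so a path resolving outside the
// repository ("..", absolute paths, symlinks pointing out of the tree) is refused
// by the OS rather than by string matching. The gate runs before any bytes are read.
func ReadConflictFile(root *os.Root, rel string) ([]byte, error) {
	f, err := root.Open(rel)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return nil, err
	}
	if info.Size() > MaxConflictFileSize {
		return nil, ErrOversized
	}
	// The file may grow between Stat and Read; never buffer past the gate anyway.
	data, err := io.ReadAll(io.LimitReader(f, MaxConflictFileSize+1))
	if err != nil {
		return nil, err
	}
	if len(data) > MaxConflictFileSize {
		return nil, ErrOversized
	}
	return data, nil
}

// DemoResult records what the sandbox did with four constructed inputs.
type DemoResult struct {
	InTree       string // legitimate conflict file: readable
	TraversalErr error  // "../secret.txt": must fail
	SymlinkErr   error  // in-tree symlink to a file outside the repo: must fail
	OversizeErr  error  // sparse file one byte over the gate: must be ErrOversized
}

// RunDemo builds a throwaway repo next to a "secret" and exercises ReadConflictFile.
func RunDemo() (DemoResult, error) {
	var res DemoResult
	base, err := os.MkdirTemp("", "gitresolve-sandbox-*")
	if err != nil {
		return res, err
	}
	defer os.RemoveAll(base)
	repo := filepath.Join(base, "repo")
	conflict := []byte("<<<<<<< HEAD\nx := 1\n=======\nx := 2\n>>>>>>> feature\n") // constructed
	if err := errors.Join( // calls run left to right, so the directory exists first
		os.MkdirAll(filepath.Join(repo, "src"), 0o755),
		os.WriteFile(filepath.Join(repo, "src", "main.go"), conflict, 0o644),
		os.WriteFile(filepath.Join(base, "secret.txt"), []byte("token=constructed\n"), 0o600),
		os.Symlink(filepath.Join(base, "secret.txt"), filepath.Join(repo, "link")),
	); err != nil {
		return res, err
	}
	huge, err := os.Create(filepath.Join(repo, "huge.bin"))
	if err != nil {
		return res, err
	}
	err = huge.Truncate(MaxConflictFileSize + 1) // sparse, so it costs no disk space
	huge.Close()
	if err != nil {
		return res, err
	}
	root, err := os.OpenRoot(repo)
	if err != nil {
		return res, err
	}
	defer root.Close()
	data, err := ReadConflictFile(root, filepath.Join("src", "main.go"))
	if err != nil {
		return res, err
	}
	res.InTree = string(data)
	_, res.TraversalErr = ReadConflictFile(root, filepath.Join("..", "secret.txt"))
	_, res.SymlinkErr = ReadConflictFile(root, "link")
	_, res.OversizeErr = ReadConflictFile(root, "huge.bin")
	return res, nil
}

func main() {
	res, err := RunDemo()
	fmt.Printf("in-tree: %q\ntraversal: %v\nsymlink: %v\noversize: %v\nsetup: %v\n",
		res.InTree, res.TraversalErr, res.SymlinkErr, res.OversizeErr, err)
}
```

Running it prints the in-tree content and three errors: the two escapes are refused by os.Root with a path-escape error, and the oversize file is skipped by the Stat check before a single byte is read. The io.LimitReader only covers the window between Stat and Read in case the file grows underneath the tool.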

Advisory Locking

Uses native flock(2) on Unix and LockFileEx on Windows. Safe from PID-reuse attacks and race conditions in concurrent CI pipelines.
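As an added illustration of the Unix half of this (flock(2); LockFileEx is the Windows counterpart and is not shown), the Go program below takes a non-blocking exclusive lock and shows a second holder being refused until the first releases. It is example code written for this page, not gitresolve's own; RepoLock, Acquire, Release and RunDemo are names chosen here, the lock file lives in a constructed temp directory, and it runs on Linux and other Unix systems only.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// ErrLocked is returned when another holder already owns the repository lock.
var ErrLocked = errors.New("repository is locked by another gitresolve process")

// RepoLock is an advisory lock held through flock(2). The kernel ties the lock
// to the open file description, not to a PID written into a file, so a process
// that later reuses the holder's PID inherits nothing, and the lock vanishes
// automatically when the holder exits or is killed.
type RepoLock struct {
	f *os.File
}

// Acquire takes an exclusive, non-blocking lock on lockPath. A second caller,
// whether another process or another descriptor in this one, gets ErrLocked
// instead of waiting, which is what a CI job wants: fail fast, do not pile up.
func Acquire(lockPath string) (*RepoLock, error) {
	f, err := os.OpenFile(lockPath, os.O_CREATE|os.O_RDWR, 0o644)
	if err != nil {
		return nil, err
	}
	if err := syscall.Flock(int(f.Fd()), syscall.LOCK_EX|syscall.LOCK_NB); err != nil {
		f.Close()
		if errors.Is(err, syscall.EWOULDBLOCK) {
			return nil, ErrLocked
		}
		return nil, err
	}
	return &RepoLock{f: f}, nil
}

// Release drops the lock and closes the descriptor. Closing alone would also
// release it; the explicit LOCK_UN makes the intent visible.
func (l *RepoLock) Release() error {
	err := syscall.Flock(int(l.f.Fd()), syscall.LOCK_UN)
	if cerr := l.f.Close(); err == nil {
		err = cerr
	}
	return err
}

// DemoResult reports the two observations the demonstration makes.
type DemoResult struct {
	SecondBlocked   bool // a second Acquire while held must return ErrLocked
	ReacquiredAfter bool // after Release the lock must be available again
}

// RunDemo acquires the lock, tries again through a second descriptor (which is
// exactly what a concurrent CI pipeline would hold), releases, and retries.
func RunDemo() (DemoResult, error) {
	var res DemoResult
	dir, err := os.MkdirTemp("", "gitresolve-lock-*")
	if err != nil {
		return res, err
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "gitresolve.lock")

	first, err := Acquire(path)
	if err != nil {
		return res, err
	}
	_, second := Acquire(path)
	res.SecondBlocked = errors.Is(second, ErrLocked)

	if err := first.Release(); err != nil {
		return res, err
	}
	third, err := Acquire(path)
	res.ReacquiredAfter = err == nil
	if third != nil {
		third.Release()
	}
	return res, nil
}

func main() {
	res, err := RunDemo()
	fmt.Printf("second blocked: %v, reacquired after release: %v, error: %v\n",
		res.SecondBlocked, res.ReacquiredAfter, err)
}
```

The PID-reuse point is the reason for flock over a "write my PID into a file" scheme: a PID file left behind by a killed job looks held, and if the kernel has since handed that PID to an unrelated process, a liveness check wrongly confirms it. An flock lock has no such state to go stale; it is released by the kernel the moment the last descriptor holding it closes.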

Integrity & Privacy

gitresolve uses a multi-stage verification and privacy process to ensure that resolutions are not just "done" but "correct" and "private".

  01. PII Privacy (Hashing)

      Sensitive file content or conflict blocks are never stored in plain text in debug logs. We use truncated 12-character SHA-256 hashes for event correlation.

  02. Syntax Validation

      The merged code is passed through a language-specific syntax checker. If the merge creates invalid syntax, the operation is rolled back.

  03. Supply Chain Security

      All releases are signed via Cosign (OIDC) and include a CycloneDX SBOM. Binaries are verifiable against the public Rekor transparency log.
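Stages 01 and 02 above can be demonstrated together. The following Go program is an added example written for this page, not gitresolve's own code: EventID derives the 12-character SHA-256 prefix that stands in for content in log lines, ValidateGo uses the standard library go/parser as the language-specific syntax checker (the checkers gitresolve uses for other languages are not shown), and CommitResolution applies a merge through a temp-file rename so a rejected merge rolls back to the untouched original. The conflict file, the two candidate merges and all function names are constructed for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"go/parser"
	"go/token"
	"log"
	"os"
	"path/filepath"
	"strings"
)

// EventID returns the first 12 hex characters of SHA-256(content). Log lines
// carry this id instead of the content, so events about the same conflict
// block correlate without the block text ever reaching a log file.
func EventID(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])[:12]
}

// ValidateGo parses merged source with the standard library parser; a parse
// error means the merge produced code that cannot compile.
func ValidateGo(filename string, src []byte) error {
	_, err := parser.ParseFile(token.NewFileSet(), filename, src, parser.AllErrors)
	return err
}

// ErrInvalidSyntax wraps the parser error when a resolution is rejected.
var ErrInvalidSyntax = errors.New("merged file failed syntax validation; rolled back")

// CommitResolution installs merged at path only if it validates. The write goes
// to a temp file renamed over the original, so a rejected merge leaves the
// conflict file exactly as it was. Only id, file name and verdict are logged.
func CommitResolution(path string, merged []byte, logger *log.Logger) error {
	id, name := EventID(merged), filepath.Base(path)
	if err := ValidateGo(name, merged); err != nil {
		logger.Printf("event=%s file=%s result=rejected reason=syntax", id, name)
		return fmt.Errorf("%w: %v", ErrInvalidSyntax, err)
	}
	tmp := path + ".gitresolve.tmp"
	if err := os.WriteFile(tmp, merged, 0o644); err != nil {
		return err
	}
	if err := os.Rename(tmp, path); err != nil {
		os.Remove(tmp)
		return err
	}
	logger.Printf("event=%s file=%s result=applied", id, name)
	return nil
}

// DemoResult captures what a rejected and then an accepted resolution did.
type DemoResult struct {
	Original      string // constructed conflict file as written
	AfterRejected string // content after the bad merge: must equal Original
	AfterApplied  string // content after the good merge
	BadErr        error  // must wrap ErrInvalidSyntax
	GoodErr       error  // must be nil
	Log           string // everything the logger emitted
}

// RunDemo writes a constructed conflict file, tries a merge with an unclosed
// brace (rolled back), then a valid one (applied), logging into a buffer.
func RunDemo() (DemoResult, error) {
	var res DemoResult
	dir, err := os.MkdirTemp("", "gitresolve-verify-*")
	if err != nil {
		return res, err
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "handler.go")
	res.Original = "package main\n\n<<<<<<< HEAD\nfunc Handle() {}\n=======\nfunc Handle() int { return 1 }\n>>>>>>> feature\n"
	if err := os.WriteFile(path, []byte(res.Original), 0o644); err != nil {
		return res, err
	}
	read := func() string { b, _ := os.ReadFile(path); return string(b) } // demo helper
	var buf strings.Builder
	logger := log.New(&buf, "", 0)
	bad := []byte("package main\n\nfunc Handle() int { return 1\n") // brace never closed
	res.BadErr = CommitResolution(path, bad, logger)
	res.AfterRejected = read()
	good := []byte("package main\n\nfunc Handle() int { return 1 }\n")
	res.GoodErr = CommitResolution(path, good, logger)
	res.AfterApplied = read()
	res.Log = buf.String()
	return res, nil
}

func main() {
	res, err := RunDemo()
	fmt.Printf("rejected: %v\napplied: %v\nsetup: %v\n%s", res.BadErr, res.GoodErr, err, res.Log)
}
```

The log output contains two lines of the form "event=<12 hex chars> file=handler.go result=…" and no source text; the parser's own error, which can quote a token from the file, is returned to the caller but deliberately kept out of the log. The rollback costs nothing because nothing is written until validation passes.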

Vulnerability Disclosure

Security issues should be reported privately according to the process in SECURITY.md at the repository root. Avoid opening public issues for unpatched vulnerabilities.