To report a security vulnerability, please send an email to me@jaredwray.com. Once the report has been validated, we will open a Github Security Advisory, if necessary.

We take the security of Docula seriously and have multiple layers of automated scanning in place to detect vulnerabilities as early as possible:

• Aikido Security: We use Aikido to continuously scan our codebase, dependencies, and infrastructure for vulnerabilities. You can review our public audit report by clicking the badge above.
• Pull Request Scans: Every pull request opened against the main branch is automatically scanned for security issues before it can be merged. This ensures that no new code lands in main without first being reviewed for known vulnerabilities, insecure dependencies, and common security pitfalls.
• CodeQL Analysis: We run GitHub CodeQL static analysis on pushes to main and on every pull request targeting main to identify potential security issues in our source code.

Docula is published to npmjs.org with npm package provenance enabled via GitHub Actions. Provenance statements provide cryptographically verifiable links between published packages and the source code and build process that produced them.

This means that when you install Docula from npm, you can verify:

• The exact source repository and commit the package was built from.
• The GitHub Actions workflow that built and published the package.
• That the package has not been tampered with between build and publish.

Our release workflow (.github/workflows/release.yaml) uses the --provenance flag when publishing, and the GitHub Actions runner is granted the id-token: write permission required to generate the signed provenance statement. You can verify the provenance of any published version directly on the Docula npm page or via npm audit signatures.