LegacyFixer
Security model
LegacyFixer is designed around controlled access, repository-level settings, and review-first changes.
Access model
- LegacyFixer is installed only on selected repositories approved for controlled access.
- The first scan of a newly added repository should run in passive monitoring mode.
- Pull request creation is optional and controlled per repository.
- LegacyFixer does not auto-merge pull requests.
Repository handling
LegacyFixer scans dependency files and records operational scan results. During the controlled-access period, use public, non-sensitive repositories only.
Do not submit secrets, private logs, tokens, confidential source code, or production-sensitive repositories for an initial onboarding run.
Security reports
To report a suspected security issue, use the branded security contact address that will be published before public onboarding opens. Use the subject “LegacyFixer security report”.
Please include a concise description, affected URL or repository if applicable, reproduction steps if safe to share, and your contact address.