Hotspots makes no network requests.
When you run hotspots, it:
- Reads source files from your local filesystem
- Invokes `git log` and related git subprocesses locally
- Writes results to your local filesystem (the `.hotspots/` directory)
It does not transmit your source code, analysis results, file paths, metrics, or any telemetry to any external server. There is no analytics, no update check, and no remote endpoint of any kind. You can verify this by inspecting the dependency tree — there are no HTTP client dependencies.
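One way to check the no-network claim against a project's own dependency graph, as an added example that is not the hotspots project's code: it parses the JSON that `cargo metadata --format-version 1` prints in a checkout and reports any HTTP client crate reachable over normal (non-dev, non-build) dependency edges, together with the path that pulls it in. The denylist, the sample graph and the `updater` crate in it are constructed for illustration.

```python
import json
import sys

# Well-known outbound HTTP client crates; the denylist is an assumption, extend it as needed.
NETWORK_CRATES = frozenset({"reqwest", "hyper", "ureq", "curl", "isahc", "surf", "attohttpc", "minreq"})

def find_network_crates(metadata):
    """Return {crate: [workspace_root, ..., crate]} for each denylisted crate reachable over
    normal edges. Dev/build-only edges are skipped: a test-only HTTP mock never ships."""
    name_of = {pkg["id"]: pkg["name"] for pkg in metadata["packages"]}
    nodes = {node["id"]: node for node in metadata["resolve"]["nodes"]}
    found, seen = {}, set()
    stack = [(m, [name_of[m]]) for m in metadata["workspace_members"]]
    while stack:  # depth-first walk of the resolved graph, each package visited once
        pkg_id, path = stack.pop()
        if pkg_id in seen:
            continue
        seen.add(pkg_id)
        for dep in nodes[pkg_id]["deps"]:
            # cargo encodes a normal edge as kind == null; a crate used as both a dev and a
            # normal dependency has two entries, so keep it if any entry is normal.
            if not any(k["kind"] is None for k in dep["dep_kinds"]):
                continue
            dep_name = name_of[dep["pkg"]]
            if dep_name in NETWORK_CRATES:
                found.setdefault(dep_name, path + [dep_name])
            stack.append((dep["pkg"], path + [dep_name]))
    return found

def _dep(pkg_id, *kinds):  # helper for the constructed sample below
    return {"pkg": pkg_id, "dep_kinds": [{"kind": k, "target": None} for k in kinds]}

# Constructed sample in `cargo metadata` shape (not real hotspots output): the root uses clap
# normally, ureq only in tests, and a hypothetical "updater" crate that pulls in reqwest.
SAMPLE_METADATA = {
    "packages": [{"id": i, "name": n} for i, n in [("hotspots 0.1.0", "hotspots"), ("clap 4.5.0", "clap"),
                 ("ureq 2.9.0", "ureq"), ("updater 0.1.0", "updater"), ("reqwest 0.12.0", "reqwest")]],
    "workspace_members": ["hotspots 0.1.0"],
    "resolve": {"nodes": [
        {"id": "hotspots 0.1.0", "deps": [_dep("clap 4.5.0", None), _dep("ureq 2.9.0", "dev"),
                                         _dep("updater 0.1.0", None)]},
        {"id": "clap 4.5.0", "deps": []}, {"id": "ureq 2.9.0", "deps": []},
        {"id": "updater 0.1.0", "deps": [_dep("reqwest 0.12.0", None)]}, {"id": "reqwest 0.12.0", "deps": []},
    ]},
}

if __name__ == "__main__":  # usage: python check_net.py [cargo-metadata.json]; exits 1 on a finding
    hits = find_network_crates(json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_METADATA)
    print("\n".join(f"{c}: pulled in via {' -> '.join(p)}" for c, p in hits.items()) or "no network crates")
    sys.exit(1 if hits else 0)
```

On a real checkout, `cargo metadata --format-version 1 --locked > meta.json` gives the input; an empty result is what the claim above should produce.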
| Version | Supported |
|---|---|
| Latest (main) | Yes |
| Previous minor | Security fixes only |
| Older | No |
We follow Semantic Versioning. Security fixes are released as patch versions and tagged immediately.
Please do not open a public GitHub issue for security vulnerabilities.
Use GitHub's private vulnerability reporting to report a vulnerability confidentially. We aim to acknowledge reports within 48 hours and provide a fix or mitigation within 14 days for critical issues.
Every push to main and every pull request runs:
| Tool | What it checks |
|---|---|
| cargo-audit | Rust dependencies against the RustSec Advisory Database |
| trivy | Dependency vulnerabilities, hardcoded secrets, and misconfigurations (SARIF uploaded to the Security tab) |
A weekly scheduled scan runs:
| Tool | What it checks |
|---|---|
| gitleaks | Full git history for accidentally committed secrets |
Results are visible in the GitHub Security tab.
SBOMs in CycloneDX and SPDX format are attached to every GitHub Release as `hotspots-<version>-sbom.cdx.json` and `hotspots-<version>-sbom.spdx.json`.
Note: SBOM generation is planned for a future release. This section will be updated when SBOMs are available.
Release binaries are signed using Sigstore cosign keyless signing via GitHub Actions OIDC. Signatures are recorded in the Rekor transparency log.
To verify a downloaded binary:

```sh
# The workflow identity is matched as a regular expression so that any release tag
# passes; the exact-match --certificate-identity flag would need the full tag of the
# specific release being verified.
cosign verify-blob \
  --certificate-identity-regexp '^https://github\.com/Stephen-Collins-tech/hotspots/\.github/workflows/release\.yml@refs/tags/v.*$' \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --bundle hotspots-<version>-<platform>.bundle \
  hotspots-<version>-<platform>
```

Note: cosign signing is planned for a future release. Bundles will be attached to each GitHub Release once implemented.