If you discover a security vulnerability, please report it privately via GitHub Security Advisories.
Do not open a public issue for security vulnerabilities.
adit-code is a static analysis tool that reads source files and produces reports. It does not execute analyzed code, make network requests, or modify files. The attack surface is limited to:
- Maliciously crafted source files that could cause parser crashes (mitigated by tree-sitter's memory-safe parsing)
- Path traversal in file scanning (mitigated by restricting to specified paths)
- TOML config parsing (handled by well-tested BurntSushi/toml library)
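The second bullet's mitigation (restricting scanning to the specified paths) is the kind of containment check a defender wants to see done lexically rather than by string prefix, so that a candidate like `project/../etc/passwd` or a sibling directory sharing a name prefix (`project-backup`) is rejected. The following is an added illustration, not adit-code's own code: the function name `ContainedPath`, the error value and the sample paths are all assumptions. It resolves each candidate with `filepath.Abs` and `filepath.Rel` and accepts it only if it sits under one of the allowed roots.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned for a candidate that does not resolve under any allowed root.
// (Hypothetical name; not from the project.)
var ErrOutsideRoot = errors.New("path resolves outside the allowed scan roots")

// ContainedPath returns the cleaned absolute form of candidate if it lies under
// one of roots, otherwise ErrOutsideRoot. The check is purely lexical: "..", "."
// and redundant separators are collapsed before comparison, and the comparison
// is done on path components via filepath.Rel, so a sibling directory whose name
// merely starts with the root's name ("/srv/projectx") is not accepted.
// Symlinks are not followed here; a scanner that follows them should resolve
// both root and candidate with filepath.EvalSymlinks first.
func ContainedPath(roots []string, candidate string) (string, error) {
	abs, err := filepath.Abs(candidate)
	if err != nil {
		return "", err
	}
	for _, root := range roots {
		rootAbs, err := filepath.Abs(root)
		if err != nil {
			return "", err
		}
		rel, err := filepath.Rel(rootAbs, abs)
		if err != nil {
			// e.g. different volumes on Windows: cannot be under this root
			continue
		}
		// rel is "." for the root itself, ".." or "../x" for anything that escaped it
		escaped := rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
		if !escaped {
			return abs, nil
		}
	}
	return "", ErrOutsideRoot
}

func main() {
	// Constructed sample: one allowed root and a mix of in-scope and escaping candidates.
	roots := []string{"/srv/project"}
	for _, c := range []string{
		"/srv/project/src/../main.go",   // accepted, cleaned to /srv/project/main.go
		"/srv/project/../etc/passwd",    // rejected: traverses above the root
		"/srv/projectx/a.go",            // rejected: shares a name prefix only
		"/srv/project",                  // accepted: the root itself
	} {
		p, err := ContainedPath(roots, c)
		if err != nil {
			fmt.Printf("reject %-32s %v\n", c, err)
			continue
		}
		fmt.Printf("accept %-32s -> %s\n", c, p)
	}
}
```

Because the check runs before any file is opened, a crafted path list or config entry cannot widen the scan beyond the roots the user named; a scanner that follows symlinks should additionally resolve both sides with `filepath.EvalSymlinks` and re-run the same containment test on the result.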
Only the latest release is supported with security updates.