If you discover a security vulnerability within this project, please send an e-mail to tiago.peczenyj+github@gmail.com.
All security vulnerabilities will be promptly addressed. We request that you do not report security-related issues through public GitHub issues.
structalign is a command-line developer tool that statically analyzes Go source
you point it at. It makes no network calls and only reads the files and packages
given as arguments — it never modifies them. The most relevant concerns are
therefore issues in how it parses or type-checks untrusted source (e.g. a crash on
malformed input). Reports of such issues are welcome via the e-mail above.
Release binaries are built by a scripted, consistent process — GoReleaser
driven by a tagged commit through .github/workflows/release.yml — and each
release artifact is published with a signed SLSA build
provenance attestation generated by GitHub's attest-build-provenance action.
The provenance records how and from what source the artifact was built, meeting
SLSA Build Level 1.
To verify a downloaded artifact against its provenance (requires the GitHub CLI):

    gh attestation verify structalign_<version>_<os>_<arch>.tar.gz --repo peczenyj/structalign

A successful run confirms the artifact was produced by this repository's release workflow and has not been tampered with since.