DefaultRisk is a static analysis tool that reads Terraform plan JSON files. It does not make network calls, does not access cloud APIs, and does not handle credentials at runtime. The attack surface is limited to:
- Parsing untrusted JSON input (the plan file)
- File system writes (when using --out)
If you discover a security issue in DefaultRisk — for example, a way to achieve code execution through a crafted plan JSON, or a path traversal via the --out flag — please report it responsibly.
How to report: open a GitHub issue with the label security, or contact the maintainers directly. Do not include exploit details in public issues.
We will acknowledge receipt within 48 hours and aim to release a fix within 7 days for confirmed issues.
| Version | Supported |
|---|---|
| 0.1.x | Yes |