Skip to content

Add repository security policy (SECURITY.md)#137

Merged
toddysm merged 2 commits into
mainfrom
docs/security-policy
Jul 2, 2026
Merged

Add repository security policy (SECURITY.md)#137
toddysm merged 2 commits into
mainfrom
docs/security-policy

Conversation

@toddysm

@toddysm toddysm commented Jul 2, 2026

Copy link
Copy Markdown
Owner

Summary

Adds a SECURITY.md security policy at the repo root, describing how to report vulnerabilities in the CSSC framework and its published artifacts.

Details

Adapted from the Notary Project / Helm Community security policies, scoped to this repo. Covers:

  • Reporting a vulnerability via GitHub private security advisories (when/what/when-not to report, response SLA, public disclosure).
  • Supported versions — latest release receives security fixes.
  • Scope — reusable workflows + composite actions, CSSC Dashboard images (ghcr.io/toddysm/apps/cssc-dashboard/*), Helm charts (oci://ghcr.io/toddysm/charts).

Once merged, GitHub will surface this under the repo Security tab / "Report a vulnerability" flow, providing the URL that the #134 security-policy annotation can point at.

Closes #136.

Copilot AI review requested due to automatic review settings July 2, 2026 15:28
@toddysm toddysm added the documentation Improvements or additions to documentation label Jul 2, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a repository-level SECURITY.md to document how to privately report vulnerabilities affecting this repo and its published artifacts, enabling GitHub’s Security tab / “Report a vulnerability” flow and providing a stable target for future security-policy metadata links.

Changes:

  • Introduces a root-level security policy describing the preferred reporting channel (GitHub private security advisories) and expected response timeline.
  • Defines supported versions policy (security fixes for the latest release).
  • Clarifies scope for reports (workflows/actions, CSSC Dashboard images, Helm charts) and what is out of scope.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread SECURITY.md Outdated
@toddysm
toddysm merged commit e5ca595 into main Jul 2, 2026
3 checks passed
@toddysm
toddysm deleted the docs/security-policy branch July 2, 2026 15:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Create a security policy (SECURITY.md)

2 participants