-
Notifications
You must be signed in to change notification settings - Fork 508
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
📖 Update security policy to be specific to OpenSSF Scorecard #4212
Conversation
Signed-off-by: Stephen Augustus <[email protected]>
Signed-off-by: Stephen Augustus <[email protected]>
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #4212 +/- ##
==========================================
+ Coverage 60.17% 61.89% +1.71%
==========================================
Files 212 212
Lines 15556 15552 -4
==========================================
+ Hits 9361 9626 +265
+ Misses 5492 5206 -286
- Partials 703 720 +17 |
Taking a look at "the inherited SECURITY.md from ossf/.github" Should we also mention either:
? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 to Jeff's suggestion on fallback mention.
I'm otherwise happy with the content, but will leave for others to review
Signed-off-by: Stephen Augustus <[email protected]>
Co-authored-by: Spencer Schrock <[email protected]> Signed-off-by: Stephen Augustus <[email protected]>
Ironically this may cause subprojects to only score a 9/10 for |
I was thinking the same, but initially decided to leave it out, as I think we should have our own list for this eventually. |
@spencerschrock — Good call-out! I've opened #4215 so we don't lose that thread. |
What kind of change does this PR introduce?
(Is it a bug fix, feature, docs update, something else?)
What is the current behavior?
The current security policy was last updated three years and appears to be boilerplate from Google open source projects.
What is the new behavior (if this is a feature change)?**
This updated security policy is specific to the OpenSSF Scorecard project and considers:
Which issue(s) this PR fixes
Partially addresses #4194.
Special notes for your reviewer
Tagging a few different groups for review here, as the new standard for OpenSSF Scorecard subproject security policies should be something along the lines of:
(to minimize drift across the project)
Does this PR introduce a user-facing change?
For user-facing changes, please add a concise, human-readable release note to
the
release-note
(In particular, describe what changes users might need to make in their
application as a result of this pull request.)