Skip to content

Latest commit

 

History

History
61 lines (48 loc) · 3.81 KB

adding-a-security-policy-to-your-repository.md

File metadata and controls

61 lines (48 loc) · 3.81 KB
Raw
title intro redirect_from versions type topics shortTitle
Adding a security policy to your repository
You can give instructions for how to report a security vulnerability in your project by adding a security policy to your repository.
/articles/adding-a-security-policy-to-your-repository
/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository
/github/code-security/security-advisories/adding-a-security-policy-to-your-repository
fpt ghes ghec
*
*
*
how_to
Security policies
Vulnerabilities
Repositories
Health
Add a security policy

About security policies

To give people instructions for reporting security vulnerabilities in your project, you can add a SECURITY.md file to your repository's root, docs, or .github folder. Adding this file to this part(s) of your repository automatically creates a row with a description where people can review it. When someone creates an issue in your repository, they will see a link to your project's security policy.

You can create a default security policy for your organization or personal account. For more information, see "AUTOTITLE."

{% tip %}

Tip: To help people find your security policy, you can link to your SECURITY.md file from other places in your repository, such as your README file. For more information, see "AUTOTITLE."

{% endtip %}

{% ifversion fpt or ghec %} After someone reports a security vulnerability in your project, you can use {% data variables.product.prodname_security_advisories %} to disclose, fix, and publish information about the vulnerability. For more information about the process of reporting and disclosing vulnerabilities in {% data variables.product.prodname_dotcom %}, see "AUTOTITLE." For more information about repository security advisories, see "AUTOTITLE."

{% data reusables.repositories.github-security-lab %} {% endif %} {% ifversion ghes %}

By making security reporting instructions clearly available, you make it easy for your users to report any security vulnerabilities they find in your repository using your preferred communication channel. {% endif %}

For an example of a real SECURITY.md file, see https://github.com/electron/electron/blob/main/SECURITY.md.

Adding a security policy to your repository

{% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-security %}

  1. In the left sidebar, under "Reporting", click {% octicon "law" aria-hidden="true" %} Policy.
  2. Click Start setup.
  3. In the new SECURITY.md file, add information about supported versions of your project and how to report a vulnerability. {% data reusables.files.write_commit_message %} {% data reusables.files.choose-commit-email %} {% data reusables.files.choose_commit_branch %} {% data reusables.files.propose_file_change %}

Further reading

  • "AUTOTITLE"
  • "AUTOTITLE"{% ifversion fpt or ghec %}
  • [{% data variables.product.prodname_security %}]({% data variables.product.prodname_security_link %}){% endif %}