XS ✔ · Add Security Documentation and SBOM #731
Merged
muiriswoulfe merged 6 commits into main from … on Mar 6, 2026
PR Metrics ✔ Thanks for keeping your pull request small.
Metrics computed by PR Metrics. Add it to your Azure DevOps and GitHub PRs!
Pull request overview
Adds security/governance documentation and enhances the release pipeline to publish a CycloneDX SBOM, aligning PR Metrics with stronger supply-chain and project hygiene practices.
Changes:
- Added new security documentation covering scanning policy, assurance case, assessment, secrets, and dependency management.
- Added/updated project docs for governance, roadmap, and support lifecycle; expanded contributing guide with testing guidance.
- Updated release workflow to generate and attach a CycloneDX SBOM; added OpenSSF Best Practices badge to README.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| docs/security-scanning-policy.md | New security scanning policy document (SCA/SAST/VEX), including remediation thresholds and enforcement. |
| docs/security-assurance.md | New security assurance case with trust boundaries, threat model, and verification mechanisms. |
| docs/security-assessment.md | New security assessment/threat analysis and mitigations for key risks. |
| docs/secrets-management.md | New policy doc describing secrets used, storage, access control, and rotation. |
| docs/dependency-management.md | New doc outlining dependency selection, tracking, updates, and scanning. |
| ROADMAP.md | New roadmap describing stable/maintenance-oriented direction. |
| README.md | Adds OpenSSF Best Practices badge. |
| GOVERNANCE.md | New governance model and sensitive-access roles description. |
| .github/workflows/release-publish.yml | Generates a CycloneDX SBOM during release publish and uploads it both as a workflow artifact and as a release asset. |
| .github/SUPPORT.md | Replaces/expands support info with lifecycle and getting-help guidance. |
| .github/CONTRIBUTING.md | Adds testing instructions and test policy for major changes. |
- …n for clarity and consistency
- Improved language and formatting in CONTRIBUTING.md, SUPPORT.md, GOVERNANCE.md, and ROADMAP.md.
- Enhanced links for better navigation and accessibility.
- Clarified roles and responsibilities in governance documentation.

- Refactor sections for improved readability.
- Standardize formatting for consistency.
- Enhance descriptions of security tools and policies.

- Updated support documentation for grammatical accuracy.
- Enhanced secrets management documentation to specify token lifespan.
- Improved security assessment document to clarify token handling in CI workflows.
- Fixed typo in security scanning policy justification section.
neilr81 approved these changes on Mar 6, 2026