Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 29 additions & 4 deletions SECURITY.md
Original file line number Diff line number Diff line change
Expand Up @@ -15,14 +15,39 @@ updated, only the latest release should be assumed to be supported.
Do not disclose suspected vulnerabilities in a public issue, discussion, pull
request, or chat channel.

Use GitHub's **Report a vulnerability** option on the repository Security page.
For this source template repository, prefer the private GitHub reporting flow
when it is enabled. If private vulnerability reporting is not enabled, do not
disclose the issue publicly until a private reporting path is configured.
Use GitHub's **Report a vulnerability** button on the repository Security page.
Private vulnerability reporting is the only supported reporting channel for
this repository. Do not use email, public issues, or other channels.

Include the affected component and version, reproduction steps or a proof of
concept, the potential impact, and any suggested mitigation. Do not access,
modify, or retain data that does not belong to you.

We aim to acknowledge a complete report within five business days and will
share progress when practical. Timelines depend on severity and complexity.

## Security features

The following security features are enabled for this repository:

- **Private vulnerability reporting** — enabled; use the **Report a
vulnerability** button described above.
- **Secret scanning** — enabled; GitHub scans commits for known secret
patterns and alerts maintainers on matches.
- **Push protection** — enabled; commits containing detected secrets are
blocked before they reach the repository.
- **Dependabot version updates** — configured in `.github/dependabot.yml`.

### Limitations

This is a source template repository that contains documentation and
configuration files rather than deployable application code. As a result:

- Automated code analysis (for example CodeQL) is not applicable because
there is no compilable or interpretable source code to analyse.
- Dependency scanning applies only to the template's own tooling
dependencies, not to projects created from it.
- Consumers of this template are responsible for configuring equivalent
security features in repositories derived from it. The
[Template setup checklist](TEMPLATE_CHECKLIST.md) includes guidance on
enabling these features.
20 changes: 20 additions & 0 deletions docs/REPOSITORY_MANAGEMENT.md
Original file line number Diff line number Diff line change
Expand Up @@ -43,3 +43,23 @@ and migrations, and define a rollback approach for risky releases.
Enable only the categories the project will actively moderate. Discussion form
filenames must match category slugs. Move actionable outcomes into issues and
link the originating discussion so decisions remain traceable.

## Security configuration

Enable security features explicitly rather than relying on repository defaults.
Record the intended state of each feature so that reviewers can verify it has
not drifted.

Recommended baseline for repositories created from this template:

| Feature | Recommended state | Notes |
| --- | --- | --- |
| Private vulnerability reporting | Enabled | Required before publishing `SECURITY.md` with a `Report a vulnerability` instruction |
| Secret scanning | Enabled | Available on public repositories and on GitHub Advanced Security |
| Push protection | Enabled | Blocks secrets from entering the repository at push time |
| Dependabot version updates | Configured | Add `.github/dependabot.yml` for each relevant ecosystem |
| Code scanning (CodeQL) | Enable when applicable | Required for repositories with compilable or interpretable source code |

Review security settings after each transfer, visibility change, or
organisation migration, as these operations can reset feature state.
Document any deliberate exceptions and the reason for them.