🐛 Look for organisation default .github security.md files in all the locations they are allowed to be in

[iamamoose]

Signed-off-by: Mark J. Cox mark@awe.com

• Please check if the PR fulfills these requirements

• Tests for the changes have been added (for bug fixes / features)
• [ X] PR title follows the guidelines defined in https://github.com/ossf/scorecard/blob/main/CONTRIBUTING.md#pr-process

• What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)

Bug fix

• What is the current behavior? (You can also link to an open issue here)

The default community health files for an organisation can be in one of three directories, but the current check only looks in one of them (the root). Expand the check to all three places as per
https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file
to look in the .github and docs directories of the .github repo.

This fixes scorecards failing to pick up the default Apache policy
https://github.com/apache/.github/blob/main/.github/SECURITY.md

• What is the new behavior (if this is a feature change)?

• Does this PR introduce a breaking change? (What changes might users need to make in their application due to this PR?)

• Other information:

[naveensrinivasan]

Thank you!

[naveensrinivasan]

Can you please fix this

checks/security_policy.go:74: line is 143 characters (lll)
			if strings.EqualFold(name, "security.md") || strings.EqualFold(name, ".github/security.md") || strings.EqualFold(name, "docs/security.md") {
make: *** [Makefile:60: check-linter] Error 1

?

https://github.com/ossf/scorecard/pull/837/checks?check_run_id=3298907938

[iamamoose]

sorry, this is the first time I've written anything for golang so I'm not sure how to structure the multi-line to have it pass the code style check (ok, following the suggestion in the failure message to run gofmt -s on it!)