
Commit be03273

nedtwigg and claude committed
Self-document the SECURITY.md audit cadence and failure tracker
Add a callout at the top of SECURITY.md that points readers at the audit workflow and the issues label where failures are tracked.

Drop the now-inaccurate "enforced on every PR" line — the audit runs nightly and as a release gate, not on PRs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 26f5c30 commit be03273

1 file changed

Lines changed: 2 additions & 2 deletions

SECURITY.md

@@ -1,8 +1,8 @@
11
# Security
22

3-
Dormouse is a terminal, so users trust it with shells, source trees, credentials, and local files. The dependency graph and release pipeline is part of the product's security boundary.
3+
> **Audited automatically.** This spec is checked against the repository by [`security-audit.yaml`](.github/workflows/security-audit.yaml) on a 24-hour schedule (07:13 UTC) and as a required gate before every VS Code release. Each failure is filed as an issue labeled [`security-audit-failure`](https://github.com/diffplug/dormouse/issues?q=is%3Aissue+label%3Asecurity-audit-failure) — open ones are live, closed ones are the historical record of what tripped past audits and what changed to clear them.
44
5-
The policies described in this document are enforced on every PR.
5+
Dormouse is a terminal, so users trust it with shells, source trees, credentials, and local files. The dependency graph and release pipeline is part of the product's security boundary.
66

77
## Dependency Supply Chain
88

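Review bot: the new line 3 hardcodes two facts that live elsewhere and will drift silently: the schedule ("24-hour schedule (07:13 UTC)") is owned by the cron expression in `.github/workflows/security-audit.yaml`, and "a required gate before every VS Code release" is owned by whatever the release workflow actually requires. Nothing in this diff ties SECURITY.md to either, so the next edit to the cron or to the release job turns this callout into the same kind of stale claim the commit is removing ("enforced on every PR"). Suggest either dropping the specific time and saying "nightly, see the workflow" with the link already present, or, since the workflow already audits this spec against the repository, adding a check there that the cron in the workflow file matches the time stated in SECURITY.md so a mismatch is filed under the same `security-audit-failure` label. The last clause ("closed ones are the historical record of what tripped past audits and what changed to clear them") also overstates what a closed issue guarantees; "what tripped past audits" is true, "what changed to clear them" only holds if the closing comment is required to say so.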
0 commit comments