Commit ce23c4e

committed
Todo placeholders for security policy enhancement
1 parent 0750f8f commit ce23c4e

1 file changed

Lines changed: 17 additions & 0 deletions

docs/SECURITY.md

@@ -15,3 +15,20 @@ This version will be indicated as the "Latest Release" on GitHub Releases. :octo
1515

1616
Use GitHub's built-in reporting mechanism for disclosure.
1717
Go to the Security tab -> Report a vulnerability.
18+
19+
<!-- TODO
20+
21+
We should add some references here to maintainer security.
22+
- requiring maintainers to have MFA set up
23+
- preferring Trusted Publishing for platforms that support it
24+
- + a docs link: https://github.blog/changelog/2025-07-31-npm-trusted-publishing-with-oidc-is-generally-available/
25+
26+
- perhaps some references to securing github actions
27+
- https://docs.github.com/en/actions/reference/security/secure-use
28+
- GHA security with linters like https://github.com/zizmorcore/zizmor
29+
- hardening runners with: https://github.com/step-security/harden-runner
30+
- Enabling dependabot (both version and security alerts)
31+
- Enabling code security scanning: https://github.com/testdouble/.github/security
32+
33+
34+
-->
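Review bot: the `- + a docs link: https://github.blog/changelog/2025-07-31-npm-trusted-publishing-with-oidc-is-generally-available/` bullet has a stray `+` and reads as a sub-item of the Trusted Publishing bullet; indent it under that item as a plain `- docs:` entry so the list structure survives when the comment is turned into real text. Two other items in the TODO are weaker than the rest: "Enabling dependabot (both version and security alerts)" is the only bullet without a reference, and "Enabling code security scanning" points at the testdouble org's security overview page rather than at documentation on enabling code scanning, so either add the relevant docs URL or mark the link as an example. Since the whole block is an HTML comment it will not render on GitHub, which is fine for a placeholder, but consider tracking it in an issue as well so the published policy is not left with an invisible TODO.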
