Skip to content

Latest commit

 

History

History
58 lines (47 loc) · 3.79 KB

adding-a-security-policy-to-your-repository.md

File metadata and controls

58 lines (47 loc) · 3.79 KB
Raw
title intro redirect_from versions type topics shortTitle
Adding a security policy to your repository
You can give instructions for how to report a security vulnerability in your project by adding a security policy to your repository.
/articles/adding-a-security-policy-to-your-repository
/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository
/github/code-security/security-advisories/adding-a-security-policy-to-your-repository
fpt ghes ghec
*
*
*
how_to
Security policies
Vulnerabilities
Repositories
Health
Add a security policy

About security policies

To give people instructions for reporting security vulnerabilities in your project, you can add a SECURITY.md file to your repository's root, docs, or .github folder. Adding this file to this part(s) of your repository automatically creates a row with a description where people can review it. When someone creates an issue in your repository, they will see a link to your project's security policy.

You can create a default security policy for your organization or personal account. For more information, see "AUTOTITLE."

Tip

To help people find your security policy, you can link to your SECURITY.md file from other places in your repository, such as your README file. For more information, see "AUTOTITLE."

{% ifversion fpt or ghec %} After someone reports a security vulnerability in your project, you can use {% data variables.product.prodname_security_advisories %} to disclose, fix, and publish information about the vulnerability. For more information about the process of reporting and disclosing vulnerabilities in {% data variables.product.prodname_dotcom %}, see "AUTOTITLE." For more information about repository security advisories, see "AUTOTITLE."

{% data reusables.repositories.github-security-lab %} {% endif %} {% ifversion ghes %}

By making security reporting instructions clearly available, you make it easy for your users to report any security vulnerabilities they find in your repository using your preferred communication channel. {% endif %}

For an example of a real SECURITY.md file, see https://github.com/electron/electron/blob/main/SECURITY.md.

Adding a security policy to your repository

{% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-security %}

  1. In the "Reporting" section of the sidebar, click {% octicon "law" aria-hidden="true" %} Policy.
  2. Click Start setup.
  3. In the new SECURITY.md file, add information about supported versions of your project and how to report a vulnerability. {% data reusables.files.write_commit_message %} {% data reusables.files.choose-commit-email %} {% data reusables.files.choose_commit_branch %} {% data reusables.files.propose_file_change %}

Further reading

  • "AUTOTITLE"
  • "AUTOTITLE"{% ifversion fpt or ghec %}
  • [{% data variables.product.prodname_security %}]({% data variables.product.prodname_security_link %}){% endif %}