Closed cjllanwarne closed 1 month ago
@iris-garden I think you make great points! And I agree, across many PRs we probably do want to be analyzing the security impacts at every stage, not just as a one-off "when we're done it will be X" analysis in the ticket... So I guess in my mind the only real reason for using the issue-level review would be for tracking the impact of non-code changes (like configuration updates to production). I will try to make the templates reflect that distinction.
For feedback - a couple of potential templates for capturing security impacts at either the issue or PR level.