idunbarh
commented
1 month ago I think having template files would be great. It helps with the dogfooding of the security baseline within OpenSSF and provides an easy place for people to see an "ideal" SECURITY_INSIGHTS.yml.
When I heard about needing a SECURITY_INSIGHTS.yml file for the security baseline, my first question was "is there one I can tailor for my project?".
The security baseline has requirement "An initial set of metadata is established for gaining security insights into the project.." for a project to become incubating. To ease the burden from adopting the baseline, I'm proposing adding a SECURITY_INSIGHTS.yml starter file to project-template. When a new repo is created using the project template, the repo will have a default dependency policy file to use right away, or customize it when needed.
The stater file will use the sample file from Security Insights project.
For existing repos, I'm proposing adding SECURITY_INSIGHTS.yml starter file as a default community health file to organizations' .github.