Thanks for contributing! This repo is security-sensitive by design: it influences how humans and agents behave.
- Improve `AGENTS.md` rules (clarity, enforceability, modern threats)
- Add language/framework-specific secure snippets (in `docs/`)
- Improve workflows (Scorecard, Dependabot) without weakening security
- Fix typos and improve documentation quality
- No secrets in issues/PRs.
- Security-relevant changes must be justified with threat/risk reasoning.
- Keep diffs small and focused (one concern per PR).
- Open a PR with a clear title and scope.
- Fill out the PR checklist (template will appear automatically).
- Maintainers will review. Security posture must not regress.
If you fork or publish this repo as a template:
- Update the security report URL in `.github/ISSUE_TEMPLATE/config.yml` to your repo's Security tab.
- Update `.github/CODEOWNERS` with your maintainer handles (or remove it if not using CODEOWNERS).
- Ensure GitHub Private Vulnerability Reporting is enabled in repo Settings → Security.
- Markdown: clear headings, short paragraphs, checklists where helpful
- Prefer “MUST/SHOULD/MAY” language for enforceable rules