Ensure public repositories include a SECURITY.md file

Framework Reference: A.8.25 (Secure Development Lifecycle)
Integration: GitHub – Repository Configuration

Why this matters

A SECURITY.md file defines your project’s security policy and provides instructions for responsibly reporting vulnerabilities.
This file is essential for maintaining transparent communication with external users and security researchers, especially in public repositories.

Having a clear and accessible security policy ensures that:

  • Vulnerabilities are reported through the correct channels
  • Disclosure follows responsible, standardized procedures
  • The organization demonstrates compliance with security best practices and industry standards

Without it, users might disclose vulnerabilities publicly or fail to report them altogether, increasing risk exposure.


What this check does

This check verifies that a SECURITY.md file exists in one of the recognized locations within the repository:

  • The repository root (/SECURITY.md)
  • The .github/ directory (/.github/SECURITY.md)
  • The docs/ directory (/docs/SECURITY.md)

GitHub automatically detects this file and displays its contents in the repository’s Security tab under Reporting a vulnerability.
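As an added illustration of this check (example code, not part of the original article or of the product's own implementation), the script below applies the same location rule to a local checkout and additionally flags a policy file that omits the items listed under How to fix it. The keyword heuristics and the sample policy text are assumptions of the example.

```python
import os
import tempfile

# Recognised locations; .github is checked first, matching the precedence
# described in the Exceptions section.
RECOGNIZED_PATHS = (".github/SECURITY.md", "SECURITY.md", "docs/SECURITY.md")

# Content expectations (an assumption of this example): each topic passes if
# any of its keywords appears in the policy text.
REQUIRED_TOPICS = {
    "reporting": ("report",),           # how to report a vulnerability
    "timeline": ("days", "hours"),      # expected response timeline
    "contact": ("@", "mailto:", "https://"),  # contact or submission process
}

# Constructed sample policy used for the demonstration below.
SAMPLE_POLICY = """# Security Policy
## Reporting a Vulnerability
Please report suspected vulnerabilities to security@example.com.
We acknowledge reports within 3 business days and publish a fix before disclosure.
"""


def find_security_policy(repo_root):
    """Return the relative path of the first SECURITY.md found, or None."""
    for rel in RECOGNIZED_PATHS:
        if os.path.isfile(os.path.join(repo_root, rel)):
            return rel
    return None


def check_repo(repo_root, is_public=True):
    """Evaluate one checkout: FAIL (public, no file), WARN (private, no file,
    or file present but thin), PASS (file present and covers every topic)."""
    rel = find_security_policy(repo_root)
    if rel is None:
        return {"status": "FAIL" if is_public else "WARN", "path": None, "missing_topics": []}
    with open(os.path.join(repo_root, rel), encoding="utf-8") as fh:
        text = fh.read().lower()
    missing = [topic for topic, needles in REQUIRED_TOPICS.items()
               if not any(n in text for n in needles)]
    return {"status": "PASS" if not missing else "WARN", "path": rel, "missing_topics": missing}


def make_sample_repo(policy_rel=None, policy_text=""):
    """Create a throwaway checkout with an optional policy file (test fixture)."""
    root = tempfile.mkdtemp(prefix="repo-")
    if policy_rel:
        path = os.path.join(root, policy_rel)
        os.makedirs(os.path.dirname(path) or root, exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(policy_text)
    return root
```

Point `check_repo` at a real clone to reproduce the check locally; a `WARN` with `missing_topics` tells you which item from the fix steps the policy still lacks.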


How to fix it

From the GitHub Web Console

  1. Navigate to your repository on GitHub.
  2. Go to the Security tab.
  3. Under Reporting a vulnerability, click Add a security policy.
  4. GitHub will guide you to create a SECURITY.md file in the .github/ directory by default.
  5. Add content that includes:
    • How to report a security vulnerability
    • Expected response timelines
    • Disclosure and remediation policies
    • Contact information or submission process (e.g., via email or security form)
  6. Commit the file to the default branch.

Alternatively, you can manually create the file in the repository root or .github/ directory with relevant content and push it via Git.


Exceptions

  • The SECURITY.md file is optional for private repositories, but strongly recommended.
  • The file content and contact process should comply with your organization’s vulnerability disclosure policy.
  • GitHub automatically prioritizes the SECURITY.md file in the .github/ directory if multiple copies exist.
