Hey team! 👋

As discussed recently, here’s a coordinated effort to adopt security best practices 🔐

✅ Current PRs

• Configure Dependabot Renovate: Add dependabot #6029 Add Renovate #6039
• Add Dependency Review tool: feat: add dependency review tool #6031
• List security team members: Account for governance and maturity stage transition #6036
• Add a Threat Model: security: Include a threat model #6026
• Include CNA Escalation in the SECURITY.md: docs: add security escalation policy #6025
• Add Incident Response Plan (IRP): Incident Response Plan #6028
• Proactively report the OSSF Scorecard results: Add support for OSSF scorecard reporting #6030
• Enable CodeQL: feat: add CodeQL #6032

💬 Open Questions

• In the IRP is included a reference to the Security Triage Team. I will start to work on a proposal to define that team responsibilities and resources (slack channel, private repo...) as described in the IRP proposal (Incident Response Plan #6028).

🔖 Important

Let’s use this thread to discuss general Security Best Practices topics, and keep implementation details within each PR for better tracking and organization.