docs: security vulnerabilities #1776

Merged
joanagmaia merged 2 commits into main from docs/security-vulnerabilities
Mar 30, 2026
Conversation

@joanagmaia
Collaborator

This pull request enhances the documentation for the Security & Best Practices metrics by adding detailed explanations about the controls assessment process and introducing a comprehensive section on vulnerability scanning and reporting. These updates clarify how security metrics are generated and give users actionable information on interpreting and remediating vulnerabilities.

Additions to security documentation:

  • Added a new "Controls Assessment" section to explain the source and scope of security control assessments, referencing the OpenSSF Baseline project.

Vulnerability reporting and metrics:

  • Introduced a "Vulnerabilities" section that explains how Insights surfaces known vulnerabilities in project dependencies, including data sources, scanning methodology (using OSV-Scanner), and limitations (CVE-only coverage).
  • Described the supported ecosystems and lockfile formats detected by OSV-Scanner, with a link to the official documentation for further details.
  • Documented the key vulnerability metrics displayed, such as open vulnerabilities count, median CVSS score, fix status, and time since last vulnerability.
  • Added descriptions of the vulnerability charts (by severity and by ecosystem) and guidance for remediating vulnerabilities, including how to interpret fix status and next steps for unresolved issues.

Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>
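The description above lists the metrics the new Vulnerabilities section documents (open vulnerability count, median CVSS score, fix status, time since last vulnerability, breakdowns by severity and ecosystem, and remediation guidance). As an added example that is not part of this pull request or of the Insights code base, the following script computes those metrics from a constructed list of findings. The record shape (`id`, `aliases`, `ecosystem`, `package`, `cvss`, `fixed_version`, `published`) is a simplification assumed for the example, not OSV-Scanner's real output schema, and the advisory identifiers are placeholders. The CVE-only filter mirrors the coverage limitation the description mentions; the severity bands are the standard CVSS v3 qualitative ratings.

```python
"""Aggregate dependency-vulnerability findings into dashboard-style metrics.

Added example. The record shape below is a constructed simplification,
not OSV-Scanner's JSON schema and not Insights' own code.
"""
from collections import Counter
from datetime import date
from statistics import median

# Constructed sample findings; all identifiers are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    {"id": "CVE-EXAMPLE-0001", "aliases": [], "ecosystem": "npm", "package": "pkg-a",
     "cvss": 9.8, "fixed_version": "4.17.21", "published": "2026-02-10"},
    {"id": "CVE-EXAMPLE-0002", "aliases": [], "ecosystem": "PyPI", "package": "pkg-b",
     "cvss": 5.3, "fixed_version": None, "published": "2026-03-20"},
    # GHSA id with a CVE alias: counted, because a CVE identifier exists for it.
    {"id": "GHSA-EXAMPLE-0003", "aliases": ["CVE-EXAMPLE-0003"], "ecosystem": "npm",
     "package": "pkg-c", "cvss": 7.5, "fixed_version": "2.0.0", "published": "2025-12-01"},
    {"id": "CVE-EXAMPLE-0004", "aliases": [], "ecosystem": "Go", "package": "pkg-d",
     "cvss": 3.1, "fixed_version": "1.4.0", "published": "2026-01-15"},
    # No CVE identifier at all: dropped by the CVE-only filter described in the PR.
    {"id": "GHSA-EXAMPLE-0005", "aliases": [], "ecosystem": "PyPI", "package": "pkg-e",
     "cvss": 6.1, "fixed_version": None, "published": "2026-03-25"},
]


def has_cve(finding):
    """True if the advisory id or any alias is a CVE identifier."""
    return any(i.startswith("CVE-") for i in [finding["id"], *finding["aliases"]])


def severity_band(cvss):
    """Map a CVSS v3 base score to its qualitative rating (FIRST scale)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


def summarize(findings, today_iso):
    """Compute the dashboard metrics over the CVE-backed findings.

    today_iso is an ISO date string (e.g. "2026-03-30") used as the reference
    point for 'days since last vulnerability'.
    """
    cves = [f for f in findings if has_cve(f)]
    if not cves:
        return {"open_count": 0, "median_cvss": None, "fix_status": {},
                "days_since_last": None, "by_severity": {}, "by_ecosystem": {}}
    today = date.fromisoformat(today_iso)
    latest = max(date.fromisoformat(f["published"]) for f in cves)
    return {
        "open_count": len(cves),
        "median_cvss": round(median(f["cvss"] for f in cves), 1),
        "fix_status": dict(Counter(
            "fix available" if f["fixed_version"] else "no fix yet" for f in cves)),
        "days_since_last": (today - latest).days,
        "by_severity": dict(Counter(severity_band(f["cvss"]) for f in cves)),
        "by_ecosystem": dict(Counter(f["ecosystem"] for f in cves)),
    }


def remediation_actions(findings):
    """One action per CVE finding: the upgrade target when a fix exists,
    otherwise a tracking note, since no version bump can close it yet."""
    actions = []
    for f in findings:
        if not has_cve(f):
            continue
        if f["fixed_version"]:
            actions.append(f'{f["package"]}: upgrade to {f["fixed_version"]} ({f["id"]})')
        else:
            actions.append(f'{f["package"]}: no fixed version published for {f["id"]}; '
                           "track the advisory and consider a replacement or mitigating control")
    return actions


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_FINDINGS, "2026-03-30").items():
        print(f"{key}: {value}")
    for line in remediation_actions(SAMPLE_FINDINGS):
        print(line)
```

Note that a finding with only a non-CVE identifier is invisible to every metric, including "time since last vulnerability", which is why the CVE-only limitation matters when reading the dashboard: the most recent finding in the sample is excluded, so the "days since last" figure is computed from the newest CVE-backed record instead.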
Copilot AI review requested due to automatic review settings March 25, 2026 14:56
@joanagmaia joanagmaia self-assigned this Mar 25, 2026
@joanagmaia joanagmaia added the documentation Improvements or additions to documentation label Mar 25, 2026
Contributor

Copilot AI left a comment

Pull request overview

This PR updates the Security & Best Practices metric documentation to better explain how Insights produces security-related results, adding an explicit Controls Assessment section and a new Vulnerabilities section describing dependency vulnerability scanning, metrics, charts, and remediation guidance.

Changes:

  • Added documentation describing how control assessments are sourced (OpenSSF Baseline) and what repositories are included/excluded.
  • Added end-user documentation for dependency vulnerability scanning (OSV-Scanner), including supported ecosystems, surfaced metrics, charts, and remediation steps.

Comment thread frontend/docs/metrics/security/index.md
Signed-off-by: Joana Maia <jmaia@contractor.linuxfoundation.org>
@joanagmaia joanagmaia merged commit ff03ee6 into main Mar 30, 2026
9 checks passed
@joanagmaia joanagmaia deleted the docs/security-vulnerabilities branch March 30, 2026 10:41