chore: Add initial SECURITY.md #1144
Conversation
SECURITY.md
Outdated
| Security issues relating to Node.js project should follow the process documented on <https://nodejs.org/en/security/>. | ||
|
|
||
| CVEs for the base image packages should be reported to those repositories. Nothing to address those CVEs is in the hands of this repos maintainers. | ||
| When base images are patched, the images are rebuilt and rolled out to the Docker hub without intervention by this repo. |
There was a problem hiding this comment.
Do we have some reference info links for this?
There was a problem hiding this comment.
I didn't see anything skimming the readme, I believe this is all advice from issue comments.
@tianon is there somewhere to point documentation-wise?
There was a problem hiding this comment.
https://github.com/docker-library/faq/#why-does-my-security-scanner-show-that-an-image-has-cves:
We strive to publish updated images at least monthly for Debian and Ubuntu. We also rebuild earlier if there is a critical security need, e.g. docker-library/official-images#2171. Many Official Images are maintained by the community or their respective upstream projects, like Alpine and Oracle Linux, and are subject to their own maintenance schedule. These refreshed base images also means that any other image in the Official Images program that is
FROMthem will also be rebuilt (as described in the projectREADME.mdfile).
There was a problem hiding this comment.
Thanks @yosifkit how does this look now?
Just an initial pass to get something up