As someone who regularly needs to report security vulnerabilities to projects hosted on Github, I find it incredibly annoying that I can't create one of these 'maintainer advisories' (or just a regular issue that's non-public) as an outsider.
These 'security.md' files would work for me just as well to define a security contact, but I've never come across one of these in the wild... so I end up wasting my time hunting down maintainers and their email addresses, when everyone involved would have a much easier time if it were all handled through Github by allowing everyone to create a (draft) 'maintainer advisory'.
Lots of title editorializing recently. I wonder what's up. One thing I've always liked about HN is that title editorializing isn't really viewed kindly. So why now?
It will be interesting to see what they do that goes beyond the acquisition of Semmle. It is great to see how quickly they have been able to integrate that work.
Dependabot is really nice. I activated it on my repo and it created a PR with the updated dependency, showing the "crowd sourced" chance it could be integrated safely.
Semmle (LGTM) could be useful on a big codebase, but for a simple webapp it didn't provide anything interesting.
It's frustrating to set up OWASP scans over and over again. Anything Github or Gitlab or whomever can do to normalize audits (please, by all means check for CVEs on my dependencies, too) and static analysis, it's great. Make it something I can enable on my PR/MR workflow.
Now do the same with Dependency Scanning, Container Scanning, DAST and License Compliance if needed.
Note that Auto-DevOps enables this automatically.
On a general note, I agree with you: security should be available out of the box for everyone. Last month I created this issue for this purpose, feel free to comment or watch it.
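As an added illustration of the comment above (this is not configuration from the thread or from GitLab itself), here is a minimal `.gitlab-ci.yml` that wires the scanners just listed into the merge-request workflow using GitLab's bundled CI templates. Assumptions: the template names match the GitLab version in use, `DAST_WEBSITE` points at a staging deployment (placeholder value here), and Container Scanning reads the image reference from `CS_IMAGE`.

```yaml
# Added example, not from the original thread. Enables SAST, Dependency
# Scanning, Container Scanning, License Compliance and DAST on every merge
# request so findings appear in the MR widget before code is merged.
stages:
  - build
  - test
  - dast

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

variables:
  # Placeholder: the staging URL the dynamic scan should crawl.
  DAST_WEBSITE: "https://staging.example.invalid"
  # Image the container scanner inspects (variable name assumed; check
  # the template shipped with your GitLab version).
  CS_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

# Container Scanning needs an image in the project registry, so build
# and push one first using the predefined registry credentials.
build_image:
  stage: build
  image: docker:stable
  services:
    - docker:dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

# Run pipelines for merge requests and the default branch only, which
# keeps scan results attached to the review where they can block a merge.
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```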
It's a feature, not a market play. GitHub wants to be a default for all your most basic CI/CD uses, but they're not taking on all of software security. This is a huge market, they're implementing like 1 feature of 1 use case.
It leverages GitHub repositories as its data and customer base. The integration and network effect means the crowd sourcing works for everyone using GitHub, which is used more thoroughly than snyk.io (which I've never heard of).