New page idea: Security

[henryiii]

I think we should probably add a page on security. I think it could include the following for starters:

• GitHub Actions security feat: add security page, zizmor #798
  • New check family
  • Some reasoning for zizmor checks
  • Maybe we could upstream, or mention, my secure-ci skill
• Pre-commit security (warning about hash pinning being something you can spoof)
• Discussion of lock files and latest install dates
• Discussion of cooldowns (dependabot supports them) docs: add cooldown #820
• Pip audit and uv audit
• Eventually: SBOMs

Open to ideas!

[agriyakhetarpal]

Thanks! All of these make sense. I think it is also worth including some brief notes about pip-audit and similar CLI tools. Edit: and uv audit too.