Status Docs

How We Use GitHub Labels For Security Processes

“Security: Skip” - no threat analysis is needed for this issue.

“Security: Approved” - all critical threats have been identified and mitigated
(from the Security Champion's point of view).

“Security: Exception” - not all critical threats have been mitigated, but
this issue can be merged anyway as an exception.

Requires:

  • the non-mitigated risks to be linked in the PR/GitHub issue;

  • an explanation of why it is an exception to be added;

  • the PO and TO of the team concerned to be made aware of this exception.

Last update: 2020-10-26