How We Use GitHub Labels For Security Processes
“Security: Skip” - no need to do a threat analysis for this issue
“Security: Approved” - all the critical threats were found and mitigated
(from the Security Champion PoV)
“Security: Exception” - not all the critical threats were mitigated, but
this issue can be merged anyway as an exception.
the non-mitigated risks to be linked in the PR/GHI;
add an explanation of why it is an exception;
PO and TO of the particular team should be aware of this exception.
Last update: 2022-11-22