
Conversation

aaguiarz
Member

@aaguiarz aaguiarz commented Sep 18, 2025

Automated update of SECURITY-INSIGHTS.yml file

Summary by CodeRabbit

  • Documentation

    • Updated security policy link to SECURITY.md.
    • Clarified wording and grammar in assessment notes and tool descriptions (e.g., “repo” to “repository”, hyphenation fixes).
  • Chores

    • Restructured security insights team listings to a top-level member list.
    • Removed an unused security tool entry.
    • Cleaned up header comments in security insights configuration.

@aaguiarz aaguiarz requested review from a team as code owners September 18, 2025 22:29
Contributor

coderabbitai bot commented Sep 18, 2025

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Edits to .github/SECURITY-INSIGHTS.yml: removed two header comments; replaced repository.core-team with a top-level list of six members; updated documentation.security-policy URL to SECURITY.md; adjusted several comment strings (assessments, Dependabot, Snyk); and removed the Socket tool entry from repository.security.tools.

Changes

Cohort / File(s): Security Insights config updates (.github/SECURITY-INSIGHTS.yml)
Summary of Changes:
- Removed two header comment lines
- Replaced repository.core-team with a top-level members list (same fields)
- Updated documentation.security-policy to .../SECURITY.md
- Tweaked text in assessments.self.comment (hyphen/wording)
- Changed "repo" to "repository" in Dependabot and Snyk comments
- Removed Socket from repository.security.tools

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • Update SECURITY-INSIGHTS #1076 — Also modifies .github/SECURITY-INSIGHTS.yml with overlapping changes (core-team structure, security-policy URL, security tools/comments).

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check: ✅ Passed. The title "Update SECURITY-INSIGHTS" is concise and directly reflects the primary change—an automated update to the SECURITY-INSIGHTS.yml file—so it accurately identifies the affected artifact and purpose of the PR. It is short, clear, and avoids extraneous detail, making it suitable for a quick scan of PR history. The title is appropriately scoped for this changeset.
Docstring Coverage: ✅ Passed. No functions found in the changes. Docstring coverage check skipped.


@aaguiarz aaguiarz enabled auto-merge (squash) September 18, 2025 22:30
Contributor

github-actions bot commented Sep 18, 2025

PR Preview Action v1.6.2

🚀 View preview at
https://openfga.github.io/openfga.dev/pr-preview/pr-1111/

Built to branch gh-pages at 2025-09-18 23:06 UTC.
Preview will be ready when the GitHub Pages deployment is complete.

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (2)
.github/SECURITY-INSIGHTS.yml (2)

17-41: Core team entries look consistent; confirm public PII exposure is intended.

Member list, fields, and booleans look fine. Please confirm all listed emails are okay to publish in a public repo (spam/PII risk). If not, prefer a shared/security mailing list alias.


59-59: Fix typo and naming: “join” → “joint”; “TAG-Security” → “TAG Security”.

Use the canonical CNCF TAG name and correct grammar.

Apply:

-        comment: OpenFGA has completed a CNCF security join assessment with CNCF TAG-Security
+        comment: OpenFGA has completed a CNCF security joint assessment with CNCF TAG Security
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cd90a37 and c937fb6.

📒 Files selected for processing (1)
  • .github/SECURITY-INSIGHTS.yml (4 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: deploy-preview
  • GitHub Check: Test deployment
  • GitHub Check: markdown-link-check-md
  • GitHub Check: Run Checks
🔇 Additional comments (2)
.github/SECURITY-INSIGHTS.yml (2)

71-71: LGTM: clearer Dependabot comment.


81-81: LGTM: clearer Snyk comment.

governance: https://github.com/openfga/.github/blob/main/GOVERNANCE.md
review-policy: https://github.com/openfga/.github/blob/main/CONTRIBUTING.md
security-policy: https://github.com/openfga/openfga.dev/security.md
security-policy: https://github.com/openfga/openfga.dev/SECURITY.md
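Review bot: the new security-policy value `https://github.com/openfga/openfga.dev/SECURITY.md` drops the `/blob/main/` path segment that the governance and review-policy entries two lines above it carry, so it is not a github.com file link in the same form as those two and cannot be expected to resolve the way they do; the previous value (`.../security.md`) had the same shape. Suggest `https://github.com/openfga/openfga.dev/blob/main/SECURITY.md`, after confirming the file actually exists on main (the verification in this review found neither SECURITY.md nor security.md there), and bump header.last-updated / last-reviewed alongside the change.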

⚠️ Potential issue

🧩 Analysis chain

Verify SECURITY.md path exists on main.

Link casing changed; likely correct. Please verify the file exists.

Run:

Also consider updating header.last-updated/last-reviewed to 2025-09-18 to reflect this change.


🏁 Script executed:

#!/bin/bash
set -euo pipefail
for url in \
  https://raw.githubusercontent.com/openfga/openfga.dev/main/SECURITY.md \
  https://raw.githubusercontent.com/openfga/openfga.dev/main/security.md
do
  code=$(curl -sI "$url" | awk 'NR==1{print $2}')
  echo "$code  $url"
done

Length of output: 151


Fix broken security-policy link (SECURITY.md missing on main)

Verification: both checked URLs returned 404:

Actions:

  • Add SECURITY.md to the repo root on main OR update .github/SECURITY-INSIGHTS.yml (line 52) to point to the correct security-policy URL/path.
  • Set header.last-updated / last-reviewed to 2025-09-18 after the change.
🤖 Prompt for AI Agents
.github/SECURITY-INSIGHTS.yml around line 52: the security-policy URL points to
https://github.com/openfga/openfga.dev/SECURITY.md which 404s on main; fix by
either adding a SECURITY.md file to the repo root on main or updating the
security-policy value to the correct existing path/URL (e.g., point to the
lowercase security.md or the raw URL that works), and after making that change
set header.last-updated and header.last-reviewed to 2025-09-18.
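As an added example, not code from this PR or from the OpenFGA project, a small offline lint for the documentation block reviewed above. It checks that each github.com link has the `/blob/<ref>/<path>` form that the governance and review-policy entries use, converts well-formed links into the raw.githubusercontent.com form the review script probes, and flags anything else (which is what the new security-policy value trips on). The dictionary is a constructed copy of the three entries shown in the review; the function names and the optional online HEAD probe are this example's own, not the project's tooling.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Constructed sample, copied from the documentation block under review.
# The security-policy value lacks the /blob/<ref>/ segment the other two carry.
SAMPLE_DOCUMENTATION = {
    "governance": "https://github.com/openfga/.github/blob/main/GOVERNANCE.md",
    "review-policy": "https://github.com/openfga/.github/blob/main/CONTRIBUTING.md",
    "security-policy": "https://github.com/openfga/openfga.dev/SECURITY.md",
}

# A github.com link to a file in a repository has the path /<owner>/<repo>/blob/<ref>/<path>.
_BLOB_RE = re.compile(r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/blob/(?P<ref>[^/]+)/(?P<path>.+)$")


def github_file_url_to_raw(url: str):
    """Return the raw.githubusercontent.com URL for a github.com file link,
    or None when the URL is not a well-formed https://github.com/.../blob/<ref>/<path> link."""
    parts = urlparse(url)
    if parts.scheme != "https" or parts.netloc != "github.com":
        return None
    match = _BLOB_RE.match(parts.path)
    if not match:
        return None
    return "https://raw.githubusercontent.com/{owner}/{repo}/{ref}/{path}".format(**match.groupdict())


def lint_documentation_links(docs: dict) -> dict:
    """Map each documentation key to its raw URL, or to a problem description
    when the link is not in the expected GitHub file-link form. Purely offline."""
    report = {}
    for key, url in docs.items():
        raw = github_file_url_to_raw(url)
        if raw is None:
            report[key] = f"malformed GitHub file URL (expected /blob/<ref>/<path>): {url}"
        else:
            report[key] = raw
    return report


def probe_raw_url(raw_url: str, timeout: float = 10.0) -> int:
    """HEAD-request a raw URL and return the HTTP status code.
    Needs network access; the offline lint above never calls it."""
    request = urllib.request.Request(raw_url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    for key, result in lint_documentation_links(SAMPLE_DOCUMENTATION).items():
        print(f"{key}: {result}")
```

Running the lint on the sample reports the governance and review-policy links as raw URLs ready to probe and flags security-policy as malformed; only once the URL has the `/blob/main/` form is it worth spending a network request on `probe_raw_url` to learn whether the file exists at all, which is the separate question the review's 404 result raised.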
