New page idea: Security

[henryiii]

I think we should probably add a page on security. I think it could include the following for starters:

• GitHub Actions security
  • New check family, could be where feat: add zizmor for GitHub Actions security #798 goes
  • Some reasoning for zizmor checks
  • Maybe we could upstream, or mention, my secure-ci skill
• Pre-commit security (warning about hash pinning being something you can spoof)
• Discussion of lock files and latest install dates
• Discussion of cooldowns (dependabot supports them)
• Eventually: SBOMs

Open to ideas!

[agriyakhetarpal]

Thanks! All of these make sense. I think it is also worth including some brief notes about pip-audit and similar CLI tools. Edit: and uv audit too.