SECURITY-INSIGHTS.yml implementation #249

luigigubello opened this issue Nov 23, 2022 · 0 comments

Hi 👋 As a project in the working group "Identifying Security Threats", we are working on the SECURITY-INSIGHTS.yml specification. SECURITY INSIGHTS would like to provide information regarding security posture and practices in place in an open-source project in both human-readable and machine-readable format (YAML). The original idea was to create something like security.txt, but containing more information and evidence. In the last months, we collected feedback from OpenSSF Slack channels and the community (Twitter), and now we have a first version that should be mature enough to be used. We would like to introduce this specification in some of the OpenSSF repositories (list at the bottom) to see how the community welcomes this news and how we can improve the specification. So, could we introduce SECURITY-INSIGHTS.yml in this repo? I can proceed to fill out the YAML (here is a sample) and prepare a PR by asking you for a review. Introducing this specification in the repo of OpenSSF might help to spread it into the community.

Repos where it would be nice to introduce SECURITY-INSIGHTS.yml:

Let me know :)
