BUG: Security policy at the organization level is not picked up

[rajbos]

Describe the bug
Security policy at the organization level is not picked up. I have one on the org level here, but in my repository I have an alert that there is no security policy.

From the changes described in this PR I would expect that the org level setup would also be taken into account.

Expected behavior
The check should also validate the org level configuration.

Additional context
Using the ossf/scorecard-action for running the checks.

[spencerschrock]

I'm seeing this output here:
https://github.com/devops-actions/load-used-actions/actions/runs/3733073037/jobs/6333373413#step:4:1116

               "ruleId": "SecurityPolicyID",
               "ruleIndex": 8,
               "message": {
                  "text": "score is 9: security policy file detected:\nWarn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy: github.com/devops-actions/.github/.github/SECURITY.md\nClick Remediation section below to solve this issue"
               },

It's picking up the file, and scoring it a 9/10. The message in your SARIF output is talking about the missing 1/10 due to a heuristic introduced in #2195 which is looking for:

	// pattern for 1 to 4 digit numbers
	// or
	// strings 'disclos' as in "disclosure" or 'vuln' as in "vulnerability"
	reDIG := regexp.MustCompile(`(?i)(\b*[0-9]{1,4}\b|(Disclos|Vuln))`)

The easiest fix would be to tweak your security policy to satisfy the heuristic. For example:

Please disclose any issues or vulnerabilities responsibly by emailing

The other option is to discuss relax/remove the heuristic, which was brought up in #2195, but was left in at the time.

[rajbos]

Ah, that is indeed extra information that I missed when looking at the alert, because of the text rendering in the alerts it's rather hidden at the bottom. That will be improved by #125 so that will definitely help. The rest was me not reading the whole text :-).

Closing this, as it will be improved.