From 7871cced96ac13d186adc1f1497e4b3b8b45209b Mon Sep 17 00:00:00 2001
From: Joe Previte <jjprevite@gmail.com>
Date: Tue, 4 May 2021 14:49:38 -0700
Subject: [PATCH] docs(security): add section for tools

---
 docs/SECURITY.md | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/docs/SECURITY.md b/docs/SECURITY.md
index bb24654f..c4e24ddf 100644
--- a/docs/SECURITY.md
+++ b/docs/SECURITY.md
@@ -1,12 +1,28 @@
 # Security Policy
 
+The code-server team (and Coder, the organization) care a lot about keeping the project secure and safe for end-users.
+
+## Tools
+
+We use a combination of tools to help us stay on top of vulnerabilities.
+
+- [dependabot](https://dependabot.com/)
+  - Submits pull requests to upgrade dependencies. We use dependabot's version upgrades as well as security updates.
+- code-scanning
+  - [CodeQL](https://securitylab.github.com/tools/codeql/)
+    - Semantic code analysis engine that runs on a regular schedule (see `codeql-analysis.yml`)
+  - [trivy](https://github.com/aquasecurity/trivy)
+    - Comprehensive vulnerability scanner that runs on PRs into the default branch and scans both our container image and repository code (see `trivy-scan-repo` and `trivy-scan-image` jobs in `ci.yaml`)
+- [`audit-ci`](https://github.com/IBM/audit-ci)
+  - Audits npm and Yarn dependencies in CI (see "Audit for vulnerabilities" step in `ci.yaml`) on PRs into the default branch and fails CI if moderate or higher vulnerabilities(see the `audit.sh` script) are present.
+
 ## Supported Versions
 
 Coder sponsors development and maintenance of the code-server project. We will fix security issues within 90 days of receiving a report, and publish the fix in a subsequent release. The code-server project does not provide backports or patch releases for security issues at this time.
 
-| Version | Supported          |
-| ------- | ------------------ |
-| 3.9.3   | :white_check_mark: |
+| Version                                               | Supported          |
+| ----------------------------------------------------- | ------------------ |
+| [Latest](https://github.com/cdr/code-server/releases) | :white_check_mark: |
 
 ## Reporting a Vulnerability