# ST015: HasSecurityPolicy

## Overview

| Property | Value |
|---|---|
| ID | ST015 |
| Name | HasSecurityPolicy |
| Group | structure |
| Severity | NOTE |

## Description

Checks that a `SECURITY.md` file exists in the package root or `.github/` directory.

A security policy documents how users and security researchers should report vulnerabilities responsibly. This is important for:

- Providing a clear channel for vulnerability reports
- Avoiding public disclosure of security issues before fixes are available
- Building trust with users who depend on your package
- Meeting requirements for security-focused organizations and audits

## What it checks

The check looks for a security policy file in these locations:

- `SECURITY.md` (in package root)
- `.github/SECURITY.md` (GitHub's default location)
## How to fix

Create a `SECURITY.md` file in your package root:

```markdown
# Security Policy

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 2.x     | :white_check_mark: |
| 1.x     | :x:                |

## Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly:

1. **Do not** open a public issue
2. Email the maintainers directly at [security@example.com]
3. Include a detailed description of the vulnerability
4. Allow time for the issue to be addressed before public disclosure

We will acknowledge receipt within 48 hours and provide a detailed response
within 7 days indicating the next steps.

## Security Updates

Security updates will be released as patch versions. We recommend always
running the latest version.
```

## Auto-fix

This check supports auto-fix. Run:

```
pycmdcheck fix --only ST015
```

This creates a template `SECURITY.md` that you can customize with your contact information and supported versions.
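The following is an added example of how a check like ST015 and its auto-fix can be implemented; it is not pycmdcheck's own code, and the function names, the finding dict shape and the template text are assumptions. It covers both the lookup described under "What it checks" (package root first, then `.github/`) and the auto-fix behaviour (write a template, never overwrite an existing policy). One caveat a practitioner would want: on case-insensitive filesystems such as macOS or Windows, a plain `Path.is_file()` also matches a file named `security.md`, which then fails the same check on a Linux CI runner, so the lookup below insists on an exact-case directory entry.

```python
"""Minimal re-implementation of an ST015-style security-policy check and auto-fix.

Added example, not pycmdcheck's own code: function names, the finding dict
shape and the template text are assumptions.
"""
import tempfile
from pathlib import Path
from typing import Optional

# Locations the check inspects, in order (package root first, then GitHub's
# default .github/ directory).
SECURITY_POLICY_LOCATIONS = ("SECURITY.md", ".github/SECURITY.md")

# Template written by the auto-fix. The contact placeholder is deliberately
# obvious so a maintainer notices it (constructed; the real template may differ).
SECURITY_POLICY_TEMPLATE = """# Security Policy

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| x.y     | :white_check_mark: |

## Reporting a Vulnerability

Please do not open a public issue. Email <SECURITY-CONTACT@example.invalid>
with a description of the problem and allow time for a fix before disclosure.
"""


def _exists_with_exact_name(candidate: Path) -> bool:
    """True only if `candidate` is a regular file whose directory entry has exactly this name.

    Path.is_file() alone would also accept `security.md` on case-insensitive
    filesystems, which then fails on a case-sensitive CI runner.
    """
    parent = candidate.parent
    if not parent.is_dir():
        return False
    return candidate.is_file() and candidate.name in {p.name for p in parent.iterdir()}


def find_security_policy(package_root) -> Optional[Path]:
    """Return the first policy file found in SECURITY_POLICY_LOCATIONS, or None."""
    root = Path(package_root)
    for relative in SECURITY_POLICY_LOCATIONS:
        candidate = root / relative
        if _exists_with_exact_name(candidate):
            return candidate
    return None


def check_has_security_policy(package_root) -> dict:
    """Run the check and return a finding dict (shape assumed for this example)."""
    root = Path(package_root)
    found = find_security_policy(root)
    if found is None:
        return {"id": "ST015", "severity": "NOTE", "passed": False,
                "message": "No SECURITY.md in package root or .github/"}
    return {"id": "ST015", "severity": "NOTE", "passed": True,
            "message": f"Security policy found at {found.relative_to(root).as_posix()}"}


def fix_has_security_policy(package_root) -> Optional[Path]:
    """Write the template SECURITY.md to the package root.

    Never overwrites: a hand-written policy (in either location) must not be
    replaced by the template. Returns the path written, or None if one exists.
    """
    root = Path(package_root)
    if find_security_policy(root) is not None:
        return None
    target = root / "SECURITY.md"
    target.write_text(SECURITY_POLICY_TEMPLATE, encoding="utf-8")
    return target


def demo_walkthrough() -> dict:
    """Constructed scenario: empty package, auto-fix, re-run, then a .github/ policy."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        results["before_fix"] = check_has_security_policy(root)["passed"]
        results["fix_wrote"] = fix_has_security_policy(root) is not None
        results["after_fix"] = check_has_security_policy(root)["passed"]
        # Second fix run must be a no-op, since a policy now exists.
        results["second_fix_wrote"] = fix_has_security_policy(root) is not None
        # A package that keeps its policy in GitHub's default location instead.
        gh_root = root / "other_pkg"
        (gh_root / ".github").mkdir(parents=True)
        (gh_root / ".github" / "SECURITY.md").write_text(SECURITY_POLICY_TEMPLATE, encoding="utf-8")
        results["github_location"] = check_has_security_policy(gh_root)["message"]
    return results


if __name__ == "__main__":
    for key, value in demo_walkthrough().items():
        print(f"{key}: {value}")
```

Running the module walks through the scenario on a temporary directory: the check fails on an empty package, the fix writes the template, the check then passes, a second fix run writes nothing, and a policy kept only under `.github/` is reported at that path.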
## Configuration

Skip this check in `pyproject.toml`:

```toml
[tool.pycmdcheck]
skip = ["ST015"]
```

Or from the CLI:

```
pycmdcheck --skip ST015
```