Joshua Lock
Here's a (garishly) annotated copy of the diagram I used to help orient my own reading of the s2c2f spec:
What about changing it to "Display OSS vulnerabilities in developer contribution flow (i.e. Pull Requests)" ? That keeps PRs as the primary recommended mechanism, but allows for slightly different (often...
Thanks @adriandiglio ! AUD-5 is still missing from level 3, but otherwise this LGTM!
I just realised that AUD-5 was removed in #51, so this graphic looks complete. Thanks.
This graphic is great, please submit a PR to include it in the repo 😄
Looking further at the recommended free tools for SCA-5, I'm leaning towards the expectation that the requirement is for automated security scanning tools. If that's the case, I'd be happy...
Thanks Adrian. I'll open a PR to propose alternative phrasing; it's likely easier to discuss through the PR interface.
Thanks for the feedback both. I've added a commit to my PR to map threats to maturity levels (#47) to include the node-ipc relicence.
It would be great to see some supplemental guidance around AUD-5 / Validate the author of your OSS.
💯 yes please