
Enabling GitHub security reporting and secret scanning for the organisation

Open manics opened this issue 1 year ago • 2 comments

Proposed change

GitHub has a feature allowing private reporting of security vulnerabilities. This can be enabled at the organisation level for all repositories including new ones: https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/configuring-private-vulnerability-reporting-for-an-organization

GitHub also supports enabling secret scanning for all repositories at the organisation level:

(screenshot of the organisation-level secret scanning setting)

Alternative options

Do nothing

Who would use this feature?

This enables security vulnerabilities to be reported by anyone with a GitHub account without leaving GitHub. This is easier than sending an email (currently security@ipython) and also means the report is immediately opened against the repository.

Secret scanning seems like a straightforward thing to enable, I can't think of any disadvantages.

(Optional): Suggest a solution

  • [ ] Enable GitHub security reports at the org level including for new repos
  • [ ] Enable GitHub secret scanning at the org level including for new repos

manics avatar Mar 05 '23 19:03 manics

I'm positive towards testing this, thinking it would be a choice we could go back on if we dislike it as well.

Like this, we connect the maintainers directly to the notice without involvement of the mailing group. The downside would be if we have a repo that isn't watched at all for notices by anyone. Maybe something could drop in for a repo-to-be-archived that we would miss, but then maybe it's fine as well.

consideRatio avatar Mar 06 '23 07:03 consideRatio

I think we can handle the potential lack of maintainers on a repo by:

  1. As part of the checklist for adding or transferring a repo we ensure the appropriate people are watching it.
  2. At regular intervals (e.g. once a year) we review the settings of all repositories, e.g. ensure that at the very least all GitHub org owners are watching all repos.

manics avatar Mar 06 '23 16:03 manics
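The periodic review proposed in the last comment, and the two org-level settings proposed in the issue, can be checked from the GitHub REST API rather than by clicking through every repository. The script below is an added example written for this page; it is not code from the team-compass repository, from the issue authors, or from the GitHub documentation. It assumes a token in the `GITHUB_TOKEN` environment variable with admin read access to the organisation (GitHub only returns the `security_and_analysis` block of a repository object to admins), and uses the `GET /orgs/{org}/repos`, `GET /repos/{owner}/{repo}`, `GET /repos/{owner}/{repo}/private-vulnerability-reporting`, `GET /repos/{owner}/{repo}/subscribers` and `GET /orgs/{org}/members?role=admin` endpoints. The sample data, repository name and logins in `SAMPLE` are constructed for illustration.

```python
"""Audit an organisation's repositories for secret scanning, private
vulnerability reporting, and whether every org owner is watching each repo.

Added example (not team-compass code). Assumes GITHUB_TOKEN holds a token
with admin read access to the organisation; SAMPLE below is constructed data.
"""
import json
import os
import sys
import urllib.request

API = "https://api.github.com"


def gh_get(path, token):
    """GET a GitHub REST path and decode the JSON body."""
    req = urllib.request.Request(
        API + path,
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def gh_get_all(path, token):
    """Follow page-number pagination until GitHub returns an empty page."""
    items, page = [], 1
    while True:
        sep = "&" if "?" in path else "?"
        chunk = gh_get(f"{path}{sep}per_page=100&page={page}", token)
        if not chunk:
            return items
        items.extend(chunk)
        page += 1


def audit_repo(repo, pvr, subscriber_logins, owner_logins):
    """Return the list of problems for one repository (empty == compliant).

    repo: repository object from GET /repos/{owner}/{repo}
    pvr:  {"enabled": bool} from .../private-vulnerability-reporting
    subscriber_logins: logins currently watching the repository
    owner_logins: logins of the organisation's owners
    """
    problems = []
    sa = repo.get("security_and_analysis")
    if sa is None:
        # GitHub omits this block for callers without admin access.
        problems.append("secret scanning status unknown (token lacks admin access?)")
    elif (sa.get("secret_scanning") or {}).get("status") != "enabled":
        problems.append("secret scanning not enabled")
    if not pvr.get("enabled"):
        problems.append("private vulnerability reporting not enabled")
    # The subscribers endpoint reports who watches, not which notification
    # level they chose, so this is a necessary rather than sufficient check.
    missing = owner_logins - subscriber_logins
    if missing:
        problems.append("org owners not watching: " + ", ".join(sorted(missing)))
    return problems


def audit_org(org, token):
    """Run audit_repo over every repository; returns {repo_name: [problems]}."""
    owners = {m["login"] for m in gh_get_all(f"/orgs/{org}/members?role=admin", token)}
    report = {}
    for repo in gh_get_all(f"/orgs/{org}/repos", token):
        name = repo["name"]
        # The list endpoint may omit security_and_analysis; fetch the full object.
        full = gh_get(f"/repos/{org}/{name}", token)
        pvr = gh_get(f"/repos/{org}/{name}/private-vulnerability-reporting", token)
        watchers = {u["login"] for u in gh_get_all(f"/repos/{org}/{name}/subscribers", token)}
        problems = audit_repo(full, pvr, watchers, owners)
        if problems:
            report[name] = problems
    return report


# Constructed sample standing in for API responses; not a real repository.
SAMPLE = {
    "repo": {"name": "example-repo",
             "security_and_analysis": {"secret_scanning": {"status": "disabled"}}},
    "pvr": {"enabled": False},
    "subscribers": {"alice"},
    "owners": {"alice", "bob"},
}


def demo():
    """Audit the constructed sample offline; yields three findings."""
    s = SAMPLE
    return audit_repo(s["repo"], s["pvr"], s["subscribers"], s["owners"])


if __name__ == "__main__":
    if len(sys.argv) == 2 and os.environ.get("GITHUB_TOKEN"):
        print(json.dumps(audit_org(sys.argv[1], os.environ["GITHUB_TOKEN"]), indent=2))
    else:
        print("\n".join(demo()))
```

Run it as `GITHUB_TOKEN=... python audit.py <org>` to get a JSON report of only the non-compliant repositories; without a token it audits the constructed sample. Because the watch check can only see who subscribes and not whether they chose "all activity", a clean result here still leaves the repository-level notification settings to be confirmed by the people concerned.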