94 changes: 65 additions & 29 deletions docs/guides/software-lifecycle/security/github-security/README.md
@@ -11,9 +11,10 @@
**Background:** GitHub offers a suite of security features to help maintainers and developers protect their code and ensure the safety of their repositories. From automatically detecting vulnerabilities in dependencies to scanning for secrets and setting security policies, these tools are essential for any project, especially in today’s security-conscious environment.

**Use Cases:**
- Being alerted over e-mail or GitHub notifications about known vulnerabilities in your dependencies and having pull-requests automatically created to resolve the issues.
- Being alerted over e-mail or GitHub notifications about known vulnerabilities in your dependencies and having pull-requests automatically created to resolve the issues.
- Being alerted if your dependencies have updated versions available.
- Being alerted if your commits have potentially harmful secrets or sensitive information within the code - including being blocked from pushing your commits.
- Being alerted if your commits have potentially harmful secrets or sensitive information within the code - including being blocked from pushing your commits.
- Allowing your community to privately report security vulnerabilities to maintainers and repository owners.

## Prerequisites

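Review bot: the new last bullet of the Use Cases list ("Allowing your community to privately report security vulnerabilities to maintainers and repository owners.") presents private vulnerability reporting as something the community can simply do, but the feature is opt-in and off by default, so the bullet should make the maintainer action explicit, e.g. "Allowing your community to privately report security vulnerabilities to maintainers and repository owners, once the feature has been enabled for the repository." The two pairs of visually identical lines (the "Being alerted over e-mail" and "Being alerted if your commits" bullets) read as whitespace-only edits; fine to keep, but please confirm they are intentional trailing-whitespace cleanups and not accidental re-wraps.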
@@ -24,33 +25,76 @@

## Quick Start

The fastest way to enable recommended GitHub Security features is to perform it in bulk for _all_ of your repositories within a given organization. Consult [Enabling security features for multiple repositories](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/enabling-security-features-for-multiple-repositories) for details. Organization administrative-level access is required.
The fastest way to enable recommended GitHub Security features is to perform it in bulk for _all_ of your repositories within a given organization. Consult [Enabling security features for multiple repositories](https://docs.github.com/en/enterprise-cloud@latest/code-security/security-overview/enabling-security-features-for-multiple-repositories) for details. Organization administrative-level access is required.

We recommend enabling the below features for all your repositories:

![img](https://github.com/NASA-AMMOS/slim/assets/3129134/be02ee5f-74cb-4869-bdf2-020c184516ec)

Specifically:
- Dependency graphs (select "Enable All")
- **Private vulnerability reporting** (select "Enable All")
- Allows community members to privately report security vulnerabilities
- **Dependency graphs** (select "Enable All")
- Select "Automatically enable for new private repositories"
- Dependabot Alerts (select "Enable All")
- **Dependabot Alerts** (select "Enable All")
- Select "Automatically enable for new repositories"
- **Dependabot Security Updates** (select "Enable All")
- Select "Automatically enable for new repositories"
- Dependabot Security Updates (select "Enable All")
- **Secret Scanning** (select "Enable All")
- Select "Automatically enable for new repositories"
- Code Scanning (select "Enable All")
- Select the default "CodeQL high-precision queries" option
- Enable "Push protection" to block commits containing secrets

⬇️ **Use our GitHub Security Settings automation script:** For automated configuration of security settings on individual repositories, you can also use our [GitHub Security Settings Script](pathname:///assets/software-lifecycle/security/github-security/gh-security-settings.py).

If you do not have organizational permissions or if you wish to customize security features per repository, see our Step-by-Step guide below for repository-specific guidance.

If you do not have organizational permissions or if you wish to customize security features per repository, see our Step-by-Step guide below for repository-specific guidance.

## Step-by-Step Guide per Repository

1. **Set Up Dependabot:**
### Option A: Using the Automation Script

For automated setup, use our [GitHub Security Settings Script](pathname:///assets/software-lifecycle/security/github-security/gh-security-settings.py):

1. **Prerequisites:**
- Python 3.6+ with `requests` and `rich` packages installed
- GitHub Personal Access Token with required permissions (repo, security_events, admin:repo_hook)

2. **Basic Usage:**
```bash
# Check current security settings
python gh-security-settings.py -o OWNER -r REPO -t TOKEN

# Enable all security features
python gh-security-settings.py -o OWNER -r REPO -t TOKEN -a enable
I'm assuming that this is shorthand for providing the -f all option? @riverma


# Enable specific features only
python gh-security-settings.py -o OWNER -r REPO -t TOKEN -a enable -f dependabot-alerts
```

3. **Available Features:**
- `all` - All supported security features
- `private-reporting` - Private vulnerability reporting
- `dependency-graph` - Dependency graph
- `dependabot-alerts` - Dependabot vulnerability alerts
- `dependabot-updates` - Dependabot security updates
- `secret-scanning` - Secret scanning
- `secret-protection` - Secret scanning push protection

### Option B: Manual Configuration

1. **Enable Private Vulnerability Reporting:**
- Navigate to your repository and click on the `Settings` tab.
- From the left sidebar, select the `Code security and analysis` menu.
- Under the "Private vulnerability reporting" section:
- Click the "Enable" button to allow your community to privately report potential security vulnerabilities to maintainers and repository owners.

2. **Set Up Dependency Graph:**
- In the `Code security and analysis` menu from the `Settings` tab:
- Under the "Dependency graph" section, click "Enable" to understand your dependencies.
- This feature is automatically enabled for public repositories and must be enabled for private repositories.

3. **Set Up Dependabot:**
- In the `Code security and analysis` menu:
- Under the "Dependabot" section:
- We recommend enabling Dependabot alerts to stay informed about insecure dependencies in your project.
- For added security, we suggest turning on Dependabot security updates to automatically generate pull requests for known vulnerabilities in your dependencies.
- We also recommend enabling Dependabot version updates _if you are using a package manager for your project_. This will help you keep your dependencies up-to-date. To configure Dependabot version updates:
- **Dependabot alerts:** Enable to stay informed about insecure dependencies in your project.
- **Dependabot security updates:** Enable to automatically generate pull requests for known vulnerabilities in your dependencies.
- **Dependabot version updates:** Enable if you are using a package manager for your project. This will help you keep your dependencies up-to-date. To configure Dependabot version updates:
1. Create a `.github/dependabot.yml` file in your repository.
2. Specify the package-ecosystem, directory, schedule and branch to update. For example, the below demonstrates a Python [dependabot.yml](https://github.com/NASA-AMMOS/slim-starterkit-python/blob/main/.github/dependabot.yml) example from the [SLIM Python Starter Kit](https://nasa-ammos.github.io/slim/docs/guides/software-lifecycle/application-starter-kits/python-starter-kit/):
```yml
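Review bot: the rewritten Quick Start list deletes the old "Enable "Push protection" to block commits containing secrets" line without replacing it, so the org-level recommendations no longer mention push protection even though the Use Cases still promise "being blocked from pushing your commits" and the script's feature list exposes `secret-protection`; add a sub-bullet under **Secret Scanning** such as "Enable "Push protection" to block pushes that contain detected secrets". Two smaller points in the new Option A section: the examples pass the PAT as `-t TOKEN` on the command line, which leaves it in shell history and visible in process listings, so document (or add) a way to read it from an environment variable or a prompt; and the scope list "repo, security_events, admin:repo_hook" includes `admin:repo_hook`, which governs repository webhooks and is not obviously needed to toggle these settings, so either state which call requires it or drop it for least privilege. The open thread question about `-a enable` also still needs an answer in the text itself: say explicitly what `-a enable` does when no `-f` is given.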
@@ -70,15 +114,7 @@ If you do not have organizational permissions or if you wish to customize securi
- Head back to the main page of your repository.
- Click on the `Security` tab. Here, you can select `Dependabot alerts` to view security alerts, and you can see version updates in the `Pull requests` tab labeled with "Dependabot".


2. **Enable Code Scanning:**
- In the `Code security and analysis` menu from the `Settings` tab, click the "Set Up" or enable the following workflows:
- _CodeQL Analysis workflow:_ a free tool provided by GitHub that scans your code for vulnerabilities across a variety of languages. Simply choose a CodeQL Analysis template (default is acceptable) and follow the instructions.
- To view Code scanning alerts:
- Return to the repository main page.
- Click on the `Security` tab and select `Code scanning alerts`.

3. **Enable Secret Scanning:**
4. **Enable Secret Scanning:**
- In the `Code security and analysis` menu from the `Settings` tab:
- Click on the `Secret scanning` enable button.
- We recommend enabling "Push protection" for blocking commits containing secrets
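Review bot: this hunk deletes the whole "2. **Enable Code Scanning:**" step (the CodeQL Analysis workflow and how to view Code scanning alerts) rather than moving it, and nothing in the diff explains why, so the guide now has no code scanning guidance at all while the Background still talks about detecting vulnerabilities in code. If the step was removed because the automation script does not cover code scanning, keep it as a manual step in Option B (numbered before Secret Scanning) and note that CodeQL is free for public repositories but requires a GitHub Advanced Security licence on private ones; if the removal is intentional, say so in the PR description. The renumbering to "4. **Enable Secret Scanning:**" is consistent with items 1 to 3 above it, so no change is needed there.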
@@ -94,12 +130,12 @@ If you do not have organizational permissions or if you wish to customize securi

- **Q: Are these security features available on GitHub Enterprise?**

A: It depends on your institution's particular version of GitHub deployed. You'll have to check your Settings tab to view the features that are provided. GitHub.com is the most up-to-date version we recommend for.
A: It depends on your institution's particular version of GitHub deployed. You'll have to check your Settings tab to view the features that are provided. GitHub.com is the most up-to-date version we recommend for.

- **Q: If I receive security alerts, what should I do and how soon should I act?**

A: When you receive a security alert, it indicates a potential vulnerability in your repository. First, review the details of the alert to understand the severity and the affected component. Address critical vulnerabilities immediately, as they can pose a significant risk to your project. For less severe alerts, plan to address them in a timely manner. Always keep in mind that the sooner you act on security alerts, the better you can protect your code and users from potential threats.

## Credits

**Authorship:**
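Review bot: the only change in this hunk is whitespace on the "It depends on your institution's particular version of GitHub deployed" answer, so this is the moment to fix its dangling final clause: "GitHub.com is the most up-to-date version we recommend for." should read "GitHub.com always has the most current feature set and is the version this guide is written against." It would also help Enterprise readers to state that on GitHub Enterprise Server, secret scanning and code scanning require a GitHub Advanced Security licence, and that Dependabot alerts depend on the site administrator enabling the dependency graph and GitHub Connect.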
@@ -109,7 +145,7 @@ If you do not have organizational permissions or if you wish to customize securi
**Acknowledgements:**
- GitHub for providing the security features and related documentation. See [GitHub’s Security Features](https://docs.github.com/en/code-security) to access an overview of the suite of security features GitHub provides for repositories.
- [OWASP DevSecOps Guideline](https://owasp.org/www-project-devsecops-guideline/latest/) for providing a Shift Left strategy to secure all phases of development.

## Feedback and Contributions

We welcome feedback and contributions to help improve and grow this guide. Please see our [contribution guidelines](https://nasa-ammos.github.io/slim/docs/contribute/contributing/).