docs(security): document project members with access to sensitive resources (#27)

hannasdev · web-flow · commit 04a102375c5a · 2026-05-12T21:00:44.000+02:00
Adds a table to SECURITY.md listing project members who hold access to
sensitive CI/CD and repository resources (npm token, deploy key, Snyk token,
repo admin).

Required by OpenSSF Best Practices criterion OSPS-VM-02.01 / active project
member access documentation.

Co-authored-by: Hanna Rosengren &lt;4538260+hannasoderstromdev@users.noreply.github.com&gt;
diff --git a/SECURITY.md b/SECURITY.md
@@ -52,3 +52,9 @@ If you cannot use advisories, contact the maintainer directly through GitHub and
 - We will investigate and validate the report.
 - We will work on a fix and coordinate a responsible disclosure timeline.
 - We will publish a security release note after a fix is available.
+
+## Project Members with Access to Sensitive Resources
+
+| Member | Role | Sensitive Access |
+|--------|------|-----------------|
+| [@hannasdev](https://github.com/hannasdev) | Maintainer | Repository admin, npm publish token (`NPM_TOKEN`), release deploy key (`RELEASE_DEPLOY_KEY`), Snyk token (`SNYK_TOKEN`) |
