The security baseline has requirement "An initial set of metadata is established for gaining security insights into the project.." for a project to become incubating. To ease the burden from adopting the baseline, I'm proposing adding a SECURITY_INSIGHTS.yml starter file to project-template. When a new repo is created using the project template, the repo will have a default dependency policy file to use right away, or customize it when needed.

The stater file will use the sample file from Security Insights project.

For existing repos, I'm proposing adding SECURITY_INSIGHTS.yml starter file as a default community health file to organizations' .github.