From 3b0f32e574c5075b7a0643f6cd96a2258d0e4305 Mon Sep 17 00:00:00 2001
From: Dominic Evans <dominic.evans@uk.ibm.com>
Date: Wed, 25 Oct 2023 14:48:19 +0100
Subject: [PATCH 1/2] fix(doc): add SECURITY.md for vuln reporting

Signed-off-by: Dominic Evans <dominic.evans@uk.ibm.com>
---
 SECURITY.md | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..b2f6e61fe
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,11 @@
+# Security
+
+## Reporting Security Issues
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+The easiest way to report a security issue is privately through GitHub [here](https://github.com/IBM/sarama/security/advisories/new).
+
+See [Privately reporting a security vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability) for full instructions.
+
+Alternatively, you can report them via e-mail or anonymous form to the IBM Product Security Incident Response Team (PSIRT) following the guidelines under the [IBM Security Vulnerability Management](https://www.ibm.com/support/pages/ibm-security-vulnerability-management) pages.

From 7ae18cb14a601d256824b2c4f541c7ee9e2669e2 Mon Sep 17 00:00:00 2001
From: Dominic Evans <dominic.evans@uk.ibm.com>
Date: Wed, 25 Oct 2023 14:55:10 +0100
Subject: [PATCH 2/2] fix(ci): ignore markdown changes for dep review

No need to run this action when only markdown is changed

Signed-off-by: Dominic Evans <dominic.evans@uk.ibm.com>
---
 .github/workflows/dependency-review.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 93304df00..809ccedbc 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -7,7 +7,12 @@
 #
 # Source repository: https://github.com/actions/dependency-review-action
 name: 'Dependency Review'
-on: [pull_request]
+on:
+  pull_request:
+    branches:
+    - "**"
+    paths-ignore:
+    - '**/*.md'
 
 permissions:
   contents: read  # for actions/checkout to fetch code