From 19d45644e8e80b41ce76470810a987fa11ef664a Mon Sep 17 00:00:00 2001
From: frameworks-volunteer <266408623+frameworks-volunteer@users.noreply.github.com>
Date: Tue, 21 Apr 2026 14:23:01 -0300
Subject: [PATCH] fix: remediate PR #461 attribution and review findings
- Update contributors frontmatter: mattaereal as author, scode2277 as reviewer
- Replace discontinued keys.mailvelope.com with keyserver.ubuntu.com
- Fix CISA link text to match URL (Software Bill of Materials)
- Update expired nosemgrep example date to 2027-06-01
- Add note about simplified Semgrep rule example
---
docs/pages/devsecops/code-signing.mdx | 6 +++---
.../continuous-integration-continuous-deployment.mdx | 6 +++---
docs/pages/devsecops/repository-hardening.mdx | 4 ++--
docs/pages/devsecops/security-testing.mdx | 8 +++++---
4 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/docs/pages/devsecops/code-signing.mdx b/docs/pages/devsecops/code-signing.mdx
index 2d544d42..ea18599e 100644
--- a/docs/pages/devsecops/code-signing.mdx
+++ b/docs/pages/devsecops/code-signing.mdx
@@ -7,9 +7,9 @@ tags: - DevOps contributors: - role: wrote - users: [frameworks-volunteer] + users: [mattaereal] - role: reviewed - users: [] + users: [scode2277] --- import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'
@@ -193,7 +193,7 @@ A signature is meaningless if the verifying party cannot obtain the correct public key. - Upload your public key to GitHub (Settings > SSH and GPG keys) and to a - public keyserver (keys.openpgp.org, keys.mailvelope.com). + public keyserver (keys.openpgp.org, keyserver.ubuntu.com). - Use the same key across all platforms so that the identity is consistent. - In CI, pin trusted public key fingerprints in the pipeline configuration. Reject signatures from unknown keys.
diff --git a/docs/pages/devsecops/continuous-integration-continuous-deployment.mdx b/docs/pages/devsecops/continuous-integration-continuous-deployment.mdx
index 3ca00be7..1e86fc21 100644
--- a/docs/pages/devsecops/continuous-integration-continuous-deployment.mdx
+++ b/docs/pages/devsecops/continuous-integration-continuous-deployment.mdx
@@ -8,9 +8,9 @@ tags: - SRE contributors: - role: wrote - users: [frameworks-volunteer] + users: [mattaereal] - role: reviewed - users: [] + users: [scode2277] --- import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'
@@ -336,7 +336,7 @@ to CI/CD pipeline security. - [SLSA Specification v1.0](https://slsa.dev/spec/v1.0/) - [NIST SP 800-218, Secure Software Development Framework](https://csrc.nist.gov/pubs/sp/800/218/final) - [GitHub Docs: Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions) -- [CISA: Securing the Software Supply Chain for Developers](https://www.cisa.gov/sbom) +- [CISA: Software Bill of Materials](https://www.cisa.gov/sbom) - [OWASP CI/CD Security Guide](https://owasp.org/www-project-devsecops-guideline/latest/03-CI-CD/) ---
diff --git a/docs/pages/devsecops/repository-hardening.mdx b/docs/pages/devsecops/repository-hardening.mdx
index 6883df6d..7a328a50 100644
--- a/docs/pages/devsecops/repository-hardening.mdx
+++ b/docs/pages/devsecops/repository-hardening.mdx
@@ -7,9 +7,9 @@ tags: - DevOps contributors: - role: wrote - users: [frameworks-volunteer] + users: [mattaereal] - role: reviewed - users: [] + users: [scode2277] --- import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'
diff --git a/docs/pages/devsecops/security-testing.mdx b/docs/pages/devsecops/security-testing.mdx
index aca4818c..f0a4f8be 100644
--- a/docs/pages/devsecops/security-testing.mdx
+++ b/docs/pages/devsecops/security-testing.mdx
@@ -8,9 +8,9 @@ tags: - SRE contributors: - role: wrote - users: [frameworks-volunteer] + users: [mattaereal] - role: reviewed - users: [] + users: [scode2277] --- import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../components'
@@ -161,6 +161,8 @@ rules: severity: ERROR languages: [javascript, python, solidity] + # NOTE: This is a simplified example. In production, use a more specific + # pattern that matches actual sensitive variables, not any spread argument. - id: sensitive-data-logging pattern: console.log(...$SENSITIVE) message: Do not log sensitive data in production.
@@ -188,7 +190,7 @@ ignore alerts, real findings get missed. # nosemgrep: hardcoded-private-key # Reason: Test fixtures only — not real keys. # Ticket: SEC-1234, suppress until test fixture refactored. -# Expiry: 2025-06-01 +# Expiry: 2027-06-01 ``` Every suppression should include: the finding ID, why it is a false positive,