GitHub Security Gap: Project's SECURITY.md Fails to Document Six Active Security Controls
A critical documentation gap has been exposed in a GitHub project's security posture. The official SECURITY.md file, intended to transparently communicate security practices, lists only two controls while the project's configuration files reveal six are actively running. This discrepancy risks misinforming contributors, auditors, and downstream users about the project's true security hygiene.
The project's `security.yml` and other configuration files show active use of `govulncheck`, `gosec`, `npm audit`, `dependency-review-action`, `Dependabot`, and `Renovate` for lockfile maintenance. However, the public-facing SECURITY.md document only acknowledges the first two. This means four critical security controls—including automated dependency updates and PR blocking for vulnerable dependencies—are functionally active but officially undocumented, creating a hidden layer of security operations.
This oversight signals a potential governance failure where automated security tooling has outpaced internal documentation protocols. For open-source projects, an inaccurate SECURITY.md undermines trust and can mislead security assessments. The fix requires expanding the document to accurately reflect all active vulnerability scanning and dependency management processes, ensuring public transparency matches operational reality.
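As an added example (not the project's own code, and not a step the article describes), here is a small Python drift check that reconciles the two sources the article contrasts: it detects which security controls a repository's configuration files enable and compares that set with what SECURITY.md mentions, reporting controls that run undocumented and controls that are documented but no longer present. The control list, the detection markers, and the sample repository contents are constructed for the example; the file locations it relies on (workflow files under `.github/workflows/`, `.github/dependabot.yml`, `renovate.json`) are assumed conventions, and `securego/gosec` and `actions/dependency-review-action` are the published action names for those tools.

```python
"""Drift check between SECURITY.md and the security tooling a repository's
configuration files actually enable.

Added example, not the project's own code. The control list, detection
markers and the sample repository contents below are constructed; extend
CONTROLS and DOC_ALIASES for your own tooling.
"""
from pathlib import Path
from typing import Dict, Iterable, List, Set

# Control name -> how it shows up in a repository. "content" markers are
# substrings searched in every non-SECURITY.md file; "path" markers are files
# whose presence alone enables the control (Dependabot and Renovate are
# configuration-file driven, so the file itself is the evidence).
CONTROLS: Dict[str, Dict[str, List[str]]] = {
    "govulncheck": {"content": ["govulncheck"]},
    "gosec": {"content": ["gosec"]},
    "npm audit": {"content": ["npm audit"]},
    "dependency-review-action": {"content": ["actions/dependency-review-action"]},
    "Dependabot": {"path": [".github/dependabot.yml", ".github/dependabot.yaml"]},
    "Renovate": {"path": ["renovate.json", ".renovaterc", ".renovaterc.json",
                          ".github/renovate.json"]},
}

# Phrases that count as the control being documented in SECURITY.md
# (matched case-insensitively).
DOC_ALIASES: Dict[str, List[str]] = {
    "govulncheck": ["govulncheck"],
    "gosec": ["gosec"],
    "npm audit": ["npm audit"],
    "dependency-review-action": ["dependency-review-action", "dependency review"],
    "Dependabot": ["dependabot"],
    "Renovate": ["renovate"],
}


def active_controls(files: Dict[str, str]) -> Set[str]:
    """Return the controls enabled by a {relative_path: content} map."""
    # SECURITY.md itself must not count as evidence that a control runs.
    bodies = [c for p, c in files.items() if Path(p).name.lower() != "security.md"]
    found: Set[str] = set()
    for name, markers in CONTROLS.items():
        if any(p in files for p in markers.get("path", [])):
            found.add(name)
        elif any(m in body for m in markers.get("content", []) for body in bodies):
            found.add(name)
    return found


def documented_controls(security_md: str) -> Set[str]:
    """Return the controls that SECURITY.md mentions by name or alias."""
    text = security_md.lower()
    return {name for name, aliases in DOC_ALIASES.items()
            if any(alias.lower() in text for alias in aliases)}


def find_drift(files: Dict[str, str], security_md: str) -> Dict[str, List[str]]:
    """Both directions of drift between configuration and documentation."""
    active = active_controls(files)
    documented = documented_controls(security_md)
    return {
        "undocumented": sorted(active - documented),          # runs, but SECURITY.md is silent
        "documented_but_absent": sorted(documented - active),  # promised, but nothing enables it
    }


def load_repo(root: Path, patterns: Iterable[str] = (
        ".github/**/*.yml", ".github/**/*.yaml", "renovate.json", ".renovaterc",
        ".renovaterc.json", "package.json", "Makefile")) -> Dict[str, str]:
    """Read the configuration files of a real checkout into the map find_drift expects."""
    files: Dict[str, str] = {}
    for pattern in patterns:
        for path in root.glob(pattern):
            if path.is_file():
                files[path.relative_to(root).as_posix()] = path.read_text(errors="replace")
    return files


# Constructed sample repository: six controls enabled, two documented.
SAMPLE_REPO: Dict[str, str] = {
    ".github/workflows/security.yml": """name: security
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest && govulncheck ./...
      - uses: securego/gosec@master
      - run: npm audit --audit-level=high
      - uses: actions/dependency-review-action@v4
""",
    ".github/dependabot.yml": "version: 2\nupdates:\n  - package-ecosystem: gomod\n"
                              "    directory: /\n    schedule:\n      interval: weekly\n",
    "renovate.json": '{"extends": ["config:recommended"], "lockFileMaintenance": {"enabled": true}}\n',
}
SAMPLE_SECURITY_MD = """# Security Policy
We run govulncheck and gosec in CI on every pull request.
Report vulnerabilities to security@example.invalid.
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python drift_check.py /path/to/checkout
        root = Path(sys.argv[1])
        repo = load_repo(root)
        md_path = root / "SECURITY.md"
        md = md_path.read_text(errors="replace") if md_path.exists() else ""
    else:                  # no argument: run against the constructed sample
        repo, md = SAMPLE_REPO, SAMPLE_SECURITY_MD
    drift = find_drift(repo, md)
    for name in drift["undocumented"]:
        print(f"UNDOCUMENTED: {name} is enabled by configuration but absent from SECURITY.md")
    for name in drift["documented_but_absent"]:
        print(f"STALE: SECURITY.md mentions {name} but no configuration enables it")
    sys.exit(1 if drift["undocumented"] or drift["documented_but_absent"] else 0)
```

Run without arguments to see the constructed sample report the four undocumented controls; run with a checkout path as a CI step so the job fails whenever configuration and SECURITY.md diverge in either direction. Substring matching is deliberately coarse: it is meant to catch a document that never names a tool at all, not to validate what the document says about it.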