From ff96ffd2e1c9110f3201f7d53d49d0cb1461eb7a Mon Sep 17 00:00:00 2001 From: david-leifker <114954101+david-leifker@users.noreply.github.com> Date: Mon, 19 Aug 2024 07:16:51 -0500 Subject: [PATCH] docs(readme): add security notes (#11196) --- README.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/README.md b/README.md index 3ac0668918f70..2335c7c4728b0 100644 --- a/README.md +++ b/README.md @@ -173,6 +173,23 @@ Here are the companies that have officially adopted DataHub. Please feel free to See the full list [here](docs/links.md). +## Security Notes + +### Multi-Component + +The DataHub project uses a wide range of code which is responsible for build automation, documentation generation, and +include both service (i.e. GMS) and client (i.e. ingestion) components. When evaluating security vulnerabilities in +upstream dependencies, it is important to consider which component and how it is used in the project. For example, an +upstream javascript library may include a Denial of Service (DoS) vulnerability however when used for generating +documentation it does not affect the running of DataHub itself and cannot be used to impact DataHub's service. Similarly, +python dependencies for ingestion are part of the DataHub client and are not exposed as a service. + +### Known False Positives + +DataHub's ingestion client does not include credentials in the code repository, python package, or Docker images. +Upstream python dependencies may include files that look like credentials and are often misinterpreted as credentials +by automated scanners. + ## License [Apache License 2.0](./LICENSE).
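Review bot: The "Multi-Component" paragraph has a subject-verb mismatch and misuses "i.e." in the new README text: "uses a wide range of code which is responsible for build automation, documentation generation, and include both service (i.e. GMS) and client (i.e. ingestion) components" should read "and includes both service (e.g. GMS) and client (e.g. ingestion) components", since GMS and ingestion are examples rather than definitions. Consider also splitting the long sentence that begins "For example, an upstream javascript library may include a Denial of Service (DoS) vulnerability however when used for generating documentation ..." with a comma or period before "however", and capitalising "javascript"/"python" as "JavaScript"/"Python" to match the rest of the README. In the "Known False Positives" section, the statement that "Upstream python dependencies may include files that look like credentials" would be more useful to someone triaging a scanner report if it pointed at where such findings are tracked or where to report a suspected real credential (a SECURITY.md or security contact), so readers can tell a known false positive from a new finding rather than dismissing everything the scanner flags.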