chore adding security.md, fix pr template and ci validate (github#84)

Signed-off-by: Ivan Pedrazas <[email protected]>

Author: ipedrazas

.github/PULL_REQUEST_TEMPLATE/mcp-submission.md renamed to .github/PULL_REQUEST_TEMPLATE.md

@@ -25,4 +25,5 @@ assignees: ""
 
 - [ ] This server meets the basic requirements listed above
 - [ ] I understand this will undergo automated and manual review.
-- [ ] I have tested the MCP Server in Docker Desktop
+- [ ] I have tested the MCP Server using `task validate -- --name SERVER_NAME`
+- [ ] I have built the MCP Server using `task build -- --tools SERVER_NAME`

.github/SECURITY.md

@@ -0,0 +1,36 @@
+# Security Policy
+
+The maintainers of Docker MCP Registry take security seriously. If you discover
+a security issue, please bring it to their attention right away!
+
+## Reporting a Vulnerability
+
+Please **DO NOT** file a public issue, instead send your report privately
+to [[email protected]](mailto:[email protected]).
+
+Reporter(s) can expect a response within 72 hours, acknowledging the issue was
+received.
+
+## Review Process
+
+After receiving the report, an initial triage and technical analysis is
+performed to confirm the report and determine its scope. We may request
+additional information in this stage of the process.
+
+Once a reviewer has confirmed the relevance of the report, a draft security
+advisory will be created on GitHub. The draft advisory will be used to discuss
+the issue with maintainers, the reporter(s), and where applicable, other
+affected parties under embargo.
+
+If the vulnerability is accepted, a timeline for developing a patch, public
+disclosure, and patch release will be determined. If there is an embargo period
+on public disclosure before the patch release, the reporter(s) are expected to
+participate in the discussion of the timeline and abide by agreed upon dates
+for public disclosure.
+
+## Accreditation
+
+Security reports are greatly appreciated and we will publicly thank you,
+although we will keep your name confidential if you request it. We also like to
+send gifts - if you're into swag, make sure to let us know. We do not currently
+offer a paid security bounty program at this time.

.github/workflows/ci.yaml

@@ -8,19 +8,19 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0 # Needed for diffing
-      
+
       - name: Install Go
         uses: actions/setup-go@v5
         with:
           cache-dependency-path: go.sum
           go-version-file: go.mod
-      
+
       - name: Install Task
         uses: arduino/setup-task@v2
         with:
           version: 3.x
           repo-token: ${{ secrets.GITHUB_TOKEN }}
-      
+
       - name: Get changed servers
         shell: bash
         run: |
@@ -34,10 +34,11 @@ jobs:
           while IFS= read -r file; do
             dir=$(dirname "$file")
             name=$(basename "$dir")
+            task validate -- --name $name
             task build -- --tools --pull-community $name
             echo "--------------------------------"
             task catalog -- $name
             echo "--------------------------------"
             cat catalogs/$name/catalog.yaml
             echo "--------------------------------"
-          done < changed-servers.txt
+          done < changed-servers.txt