Contributing to SF²¶
Thank you for your interest in contributing to the Software Factory Security Framework (SF²)! This framework is designed as a public resource for security leaders and practitioners.
Quick Start¶
The easiest way to contribute is to:
- Click "Edit this page" on any documentation page
- Make your changes in the GitHub web editor
- Submit a pull request with a clear description
Types of Contributions¶
We welcome several types of contributions:
✏️ Content Improvements¶
- Clarifying existing concepts
- Adding examples or use cases
- Correcting errors or outdated information
- Improving readability and structure
🔗 Framework Relationships¶
- Documenting how SF² relates to other security frameworks
- Adding implementation mappings
- Sharing integration experiences
💡 Use Cases & Stories¶
- Real-world application examples
- Success stories (anonymized if needed)
- Lessons learned from implementation
🐛 Issues & Feedback¶
- Reporting unclear sections
- Suggesting new topics
- Identifying gaps in coverage
Guidelines¶
Content Standards¶
Keep Content Universal
Contributions should be broadly applicable to all organizations. Do not include:
- Organization-specific internal details or processes
- Proprietary information or trade secrets
- Customer/partner sensitive data
- Confidential metrics or implementation details
Writing Style¶
- Executive-friendly: Write for security leaders, not practitioners alone
- Actionable: Provide clear guidance, not theory
- Examples-driven: Illustrate concepts with concrete examples
- Scale-agnostic: Ensure content applies across organization sizes
Tone & Voice¶
The framework uses:
- Direct, pragmatic language - Avoid jargon where possible
- Strategic framing - Focus on business outcomes and tradeoffs
- Authentic voice - Professional but not corporate-speak
- Empathy - Acknowledge the challenges security leaders face
House Style¶
A few house rules keep 100-plus pages reading as one voice. The glossary is the source of truth for every term.
- Match the glossary exactly. Use the canonical names: Universal Security Conditions (never "stewardship areas" or "responsibilities"), Blast Radius for the reach axis (never "operational complexity"), Operational Readiness graded Lower to Higher (never "Low/High"), and the four quadrants Studio, Lean, Craft, Mass. If a term is not in the glossary, it probably needs to be added there before you use it.
- No em-dashes. Use commas, colons, parentheses, or rewrite the sentence. Arrows (→) are welcome for showing progression or mapping.
- Say it directly. Phrasings like "it's not X, it's Y" or "X doesn't Y, it Zs" read as filler when they stack up. State the point once, plainly.
- Blank line before every list. Always leave a blank line between a paragraph and the list that follows it. Without it, the list renders as literal dashes instead of bullets.
- Write for the decision-maker. The reader is a VP or CISO deciding where to spend, not a practitioner following steps. Lead with the tradeoff, not the tactic.
How to Contribute¶
Option 1: Quick Edits (Recommended for Minor Changes)¶
- Navigate to the page you want to edit
- Click "Edit this page" button (pencil icon)
- Make your changes in the web editor
- Provide a clear commit message
- Submit the pull request
Option 2: Full Repository Workflow (For Larger Changes)¶
# Clone the repository
git clone https://github.com/juliedavila/software-factory-security-framework.git
cd software-factory-security-framework
# Create a feature branch
git checkout -b feature/your-contribution
# Install dependencies
pip install -r requirements.txt
# Make your changes to docs/*.md files
# Preview locally
mkdocs serve
# Visit http://127.0.0.1:8000
# Commit your changes
git add docs/
git commit -m "feat: add <description of your changes>"
# Push and create pull request
git push origin feature/your-contribution
Option 3: Issues & Discussions¶
Can't contribute directly but have feedback?
- Open an Issue
- Use issue templates for:
- Content suggestions
- Error reports
- New topic requests
Preview and Validate Locally¶
For anything larger than a one-line fix, preview and validate before you open the PR. The site builds with --strict, so a broken link or a missing heading anchor fails CI. Catching it locally is faster than a round trip.
With Docker (matches the CI environment exactly, no local Python needed):
# Live preview with hot reload at http://localhost:8000
docker compose up serve
# Strict build — fails loudly on any broken link or missing anchor.
# "Documentation built" means you are clear to open the PR.
docker compose run --rm build
With a local Python toolchain instead:
pip install -r requirements.txt
mkdocs serve # preview at http://127.0.0.1:8000
mkdocs build --strict # validate; must pass before you open the PR
Pull Request Guidelines¶
PR Title Format¶
Use conventional commit format:
feat: add new section on ...fix: correct typo in ...docs: improve clarity in ...refactor: reorganize ...
PR Description¶
Include:
- What: Brief description of the change
- Why: Motivation or problem being solved
- Impact: Who benefits from this change
Review Process¶
- Automatic checks run on every PR (validation, linting, build verification)
- Content review by framework maintainers
- Feedback & iteration - we'll work with you to refine contributions
- Merge - approved PRs are merged to master and deployed automatically
What CI Checks¶
Every push to master runs the deploy pipeline, which:
- Builds the site with
--strict, failing on any broken link or missing heading anchor - Builds and gates the downloadable PDF (page count plus embedded brand fonts)
- Deploys the built site to sf2framework.com on success
CI confirms that the site builds. It does not police terminology or voice for you, so please self-check against the House Style rules and the glossary before you open a PR. A local docker compose run --rm build catches the structural problems ahead of time.
Content Organization¶
Directory Structure¶
docs/
├── index.md # Landing page
├── executive-summary.md # High-level overview
├── 01-foundation/ # Core concepts
├── 02-stewardship/ # 5 universal security conditions
├── 03-positioning/ # Strategic positioning model
├── 04-investment/ # Investment portfolio framework
├── 05-context/ # Contextual modifiers
├── 06-implementation/ # Quadrant-specific guides
├── 07-relationships/ # Framework mappings
├── 08-use-cases/ # Application examples
├── 09-ai-integration/ # AI tool integration guides
├── 10-coadaptive/ # Coadaptive Security Layer (capstone)
└── appendix/ # Glossary, references
File Naming¶
- Use lowercase with hyphens:
file-name.md - Be descriptive:
supply-chain-complexity.mdnotsc.md - Follow section numbering in directory names
Markdown Standards¶
We use Material for MkDocs markdown extensions:
# Main heading
## Section heading
### Subsection heading
!!! note "Title"
Callout content
!!! warning "Important"
Warning content
!!! example "Use Case"
Example content
| Column 1 | Column 2 |
|----------|----------|
| Data | Data |
[Link text](relative/path.md)
[:octicons-arrow-right-24: Button text](link.md){ .md-button }
Recognition¶
Contributors are recognized in several ways:
- Listed in commit history
- Mentioned in release notes for significant contributions
- Optional attribution in specific sections (if desired)
Questions?¶
- Issues: Open an issue
- Email: Available in GitHub profile
- General questions: Use issue discussions
Code of Conduct¶
Our Standards¶
- Respectful: Value diverse perspectives and experiences
- Collaborative: Work together toward better security practices
- Constructive: Provide helpful, actionable feedback
- Inclusive: Welcome contributors of all backgrounds
Unacceptable Behavior¶
- Harassment or discrimination
- Trolling or inflammatory comments
- Personal attacks
- Publishing others' private information
License¶
By contributing to SF², you agree that your contributions will be licensed under the Creative Commons Attribution 4.0 International (CC BY 4.0) license.
See LICENSE for details.
Thank You!¶
Small fixes matter as much as big ones. Thank you for the time and effort you put into making SF² better for everyone.
Ready to contribute? Find a page that could be improved and click "Edit this page"!