Add audit to new security section

devops/audit.rst

@@ -146,3 +146,8 @@ should be the base URL of the Artifactory instance.
 
 With this, you can now use the provider with the ``conan audit scan`` and ``conan audit list`` commands, by specifying
 the provider name with the ``-p``/``--provider`` argument.
+
+.. seealso::
+
+    - Please check the :ref:`conan audit command reference <security>` for other security
+      related features.

index.rst

@@ -18,6 +18,7 @@ Table of contents:
    tutorial
    CI Tutorial <ci_tutorial/tutorial>
    devops/devops
+   security/security
    integrations
    examples
    reference

security/audit.rst

@@ -0,0 +1,41 @@
+.. _security_audit:
+
+Scanning dependencies with conan audit
+======================================
+
+A new command, `conan audit`, was added in **Conan 2.14**. It provides a built-in way to
+**scan your dependencies for known CVEs**.
+
+For a step-by-step guide on authentication, usage examples, output formats, and setting up
+private providers, see :ref:`Checking package vulnerabilities <devops_audit>`. In short:
+
+1. **Register** at `audit.conan.io <https://audit.conan.io/register>`_
+2. **Save your token** and **activate it** via the confirmation email you receive.  
+3. **Configure Conan to use your token**:  
+
+.. code-block:: bash
+
+   conan audit provider auth conancenter --token=<token>
+
+4. Run a scan:
+
+.. code-block:: bash
+
+   # Check a specific reference 
+   conan audit list zlib/1.2.13
+
+   # Scan the entire dependency graph 
+   conan audit scan .  # Path to the conanfile.py/txt
+
+
+This command also supports using your own JFrog Platform as a private provider for
+vulnerability scanning. See the :ref:`Adding private providers
+<devops_audit_private_providers>` section for more details.
+
+.. seealso::
+
+    - For detailed reference documentation on all ``conan audit`` subcommands and their
+      options, consult the :ref:`conan audit command reference
+      <reference_commands_audit>`.
+    - Read more in the dedicated `blog post
+      <https://blog.conan.io/introducing-conan-audit-command/>`_.

security/guidelines.rst

@@ -0,0 +1,12 @@
+.. _security_guidelines:
+
+
+Security guidelines
+===================
+
+- Avoid tokens and passwords in URLs, can be in logs
+- Users shouldn't have write permissions on the server
+- Use write permissions tokens on the server only for very specific jobs
+- Enable dependencies checking, with :ref:`conan_audit <security_audit>`
+- Own the SWLC of dependencies, and specially binaries: build third parties from ``conan-center-index`` fork
+- Backup sources as a mechanism for air-gapped and restricted networks

security/sboms.rst

@@ -0,0 +1,15 @@
+.. _security_sboms:
+
+
+Software Bills of Materials (SBOM)
+==================================
+
+Intro...
+
+
+CycloneDX
+---------
+
+
+Artifactory BuildInfo
+---------------------

security/security.rst

@@ -0,0 +1,15 @@
+.. _security:
+
+
+Security
+========
+
+Security is a critical aspect of many software development projects and products. Conan implements several security features to allow C and C++ developer and organizations to streamline security in their processes.
+
+.. toctree::
+   :maxdepth: 1
+
+   audit
+   sboms
+   signing
+   guidelines

security/signing.rst

@@ -0,0 +1,8 @@
+.. _security_signing:
+
+
+Package signing
+===============
+
+
+The package signing plugin description.