Update security-governance preset to v0.4.0

[hindermath]

Preset Update

Preset Name: Security Governance
Preset ID: security-governance
Version: 0.4.0
Repository: https://github.com/hindermath/spec-kit-preset-security-governance

This is a separate follow-up catalog update for the existing security-governance community preset. It is intentionally separate from #2676 and updates the catalog directly to v0.4.0.

Summary

• Point security-governance to the v0.4.0 tag archive.
• Add language-specific secure-coding profile wording for memory-safe implementation languages.
• Keep the SBOM/AI-SBOM and G7/BSI AI-SBOM target evidence wording from the v0.3.0 update.
• Update the Community Presets table so the visible description matches the new preset scope.

What changed in v0.4.0

• Added Rust, Go, Swift, Java/Kotlin, Python, and TypeScript/JavaScript secure-coding sections.
• Deepened C#/.NET review coverage for authorization, validation, SSRF, and file path handling.
• Updated tasks/checklist guidance so MSL status does not replace language-specific secure-coding review.

Checklist

• Valid preset.yml manifest in the standalone preset repo
• README.md with description and usage
• LICENSE file included
• GitHub release created for v0.4.0
• Tag ZIP download URL reachable
• Added/updated presets/catalog.community.json
• Updated row in docs/community/presets.md

Verification

• Standalone preset repo: ruby -e 'require "yaml"; data = YAML.load_file("preset.yml"); abort "wrong version" unless data.dig("preset", "version") == "0.4.0"; puts data.dig("preset", "version")'\n- Standalone preset smoke test: specify init --here --force --integration codex, specify preset add --dev ... --priority 10, specify preset list, and specify preset resolve secure-coding-language-rules-template\n- Catalog PR: python3 -m json.tool presets/catalog.community.json\n- Catalog PR: curl -fsSL -I https://github.com/hindermath/spec-kit-preset-security-governance/archive/refs/tags/v0.4.0.zip returned the GitHub redirect and final 200 from codeload.\n- Catalog PR: gh release view v0.4.0 --repo hindermath/spec-kit-preset-security-governance --json tagName,name,isDraft,isPrerelease,url verified the release is not draft and not prerelease.\n- Catalog PR: uv run --with pytest pytest tests/test_presets.py -k catalog passed: 46 passed, 200 deselected.

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the Security Governance community preset entry to version 0.4.0, expanding its description, tags, and documentation to reflect new capabilities.

Changes:

• Bumps Security Governance preset from 0.2.0 to 0.4.0 with updated download URL and timestamps.
• Expands tag list to include SSDF, SBOM/AI-SBOM, VEX, SLSA, CWE Top 25, language-specific tags, and G7/BSI/CRA.
• Updates the docs table row description to reflect the new scope.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
presets/catalog.community.json	Bumps preset version, refreshes description, download URL, tags, and updated_at timestamps.
docs/community/presets.md	Updates the Security Governance description in the community presets table.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[hindermath]

Hi @mnriem,

this is another small follow-up for the existing security-governance community preset entry.

PR #2703 is the follow-up update for v0.4.0:

https://github.com/hindermath/spec-kit-preset-security-governance/releases/tag/v0.4.0

It updates the catalog entry directly from v0.2.0 to v0.4.0, because #2676 has not been merged upstream yet. The v0.4.0 release includes the AI-SBOM scope from v0.3.0 and additionally expands the preset with language-specific secure-coding profiles for Rust, Go, Swift, Java/Kotlin, Python, and TypeScript/JavaScript.

The PR is ready from my side and waiting for maintainer review/approval when you have time.