added plugin development security doc

Signed-off-by: Zach Rhoads <[email protected]>

content/en/docs/concepts/secure-plugin-development.md

@@ -0,0 +1,19 @@
+---
+title: "Securely develop plugins for Notation"
+description: "Best practices for securely developing and distributing plugins for Notation"
+type: docs
+weight: 2
+---
+
+## General security guidance
+
+plugins run as a binary on the system, invoked by notation. This means that the plugin has access to the same resources as the user running notation. This includes access to the filesystem, network, and other resources. Ensure you are only accessing resources that are required for your plugin to function.
+
+In some cases, your plugin may have access to sensitive data such as private keys. Ensure that you are not leaking this data to the filesystem, network, or other resources, including `stdout` and `stderr`.
+
+If using the `pluginConfig` key/value store, do not store sensitive data in as the data is not encrypted and is stored as plaintext.
+
+
+## Securely distributing plugins
+
+Ensure that you are distributing your plugin from a secure location and over a secure channel. For example, using a website or server you control and using HTTPS. If you are using a public repository, ensure it is a known, reputable repository that uses HTTPS, such as GitHub.