diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index c14f3ec..090d7f7 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -141,6 +141,14 @@ There are other great tools out there to manage DCO signoffs for developers to m * Additionally, it is possible to use shell scripting to automatically apply the sign-off. For an example for bash to be put into a .bashrc file, see [here](https://wiki.lfenergy.org/display/HOME/Contribution+and+Compliance+Guidelines). * Alternatively, you can add `prepare-commit-msg hook` in .git/hooks directory. For an example, see [here](https://github.com/Samsung/ONE-vscode/wiki/ONE-vscode-Developer's-Certificate-of-Origin). +## Automated workflow review process + +In all repositories, automated workflows via github actions are used to evaluate code quality. Some basic checks are already covered by [Pre-commit hooks](#pre-commit-hooks). +More extensive checks are not included in the pre-commit hooks, such as building the full C++ project, running `clang-tidy`, and building documentation with Sphinx and Read the Docs. +These checks are mandatory before any merge. For security reasons, maintainers review each pull request every time before approving workflow runs for a commit. +This increases review effort and can delay the overall process. +When possible, contributors are encouraged to run and fix these checks on their own development machine before starting the [Code reviews](#code-reviews) process. + ## Code reviews All patches and contributions, including patches and contributions by project members, require review by one of the maintainers of the project. We diff --git a/SECURITY.md b/SECURITY.md index e0a6b53..67fe8a9 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -34,6 +34,16 @@ possible. On repositories for which Private Vulnerability Reporting is not enabled, please report vulnerabilities as bugs via the GitHub issues tab. +## Third-Party Software and Development Tools + +Like most software projects, our repositories rely on external dependencies. +We aim to keep these dependencies to a minimum and select sources that are mature, widely used, and trusted. +Users remain responsible for evaluating whether these dependencies satisfy their own security requirements. + +We also provide recommendations for development tools in our build guides and VS Code extensions in the `.vscode/extentions.json` for each repository. +These recommendations are optional. +Developers should evaluate them against their own security policies before installation and use. + ### power-grid-model [![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/7298/badge)](https://bestpractices.coreinfrastructure.org/projects/7298)
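Review bot: in the CONTRIBUTING.md hunk, the new "Automated workflow review process" section is missing the detail a contributor actually needs: it says workflow runs are only approved after a maintainer reviews the pull request and encourages running the checks locally, but it does not say where the instructions for running the full C++ build, `clang-tidy`, and the Sphinx/Read the Docs build locally live, nor what a contributor should expect while a run is pending approval. Suggest linking the relevant build guide from the sentence "contributors are encouraged to run and fix these checks on their own development machine" and tightening "maintainers review each pull request every time before approving workflow runs for a commit" to state plainly that workflow runs on a pull request are not started until a maintainer has reviewed and approved them. Also a style point: "github actions" should be written "GitHub Actions".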
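Review bot: in the SECURITY.md hunk, the path `.vscode/extentions.json` looks like a typo; the VS Code recommended-extensions file is named `.vscode/extensions.json`, so the sentence should read "in the `.vscode/extensions.json` for each repository" (worth confirming against the actual file in each repository). A structural point as well: the new `## Third-Party Software and Development Tools` heading is inserted directly before the existing `### power-grid-model` subsection (the badge line in the trailing context), which re-parents that subsection and the ones that follow it under the new third-party section. Suggest moving the new section so that it sits after those `###` subsections, or otherwise placing it before the `##` heading that owns them.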