Add AGENTS.md + SECURITY.md wiring for security-model discoverability#13554
Open
potiuk wants to merge 1 commit into
Open
Add AGENTS.md + SECURITY.md wiring for security-model discoverability#13554potiuk wants to merge 1 commit into
potiuk wants to merge 1 commit into
Conversation
apache/cloudstack carries the project-wide security threat model (draft-THREAT-MODEL.md, merged in apache#13293) but no AGENTS.md/SECURITY.md chain leading to it. Add SECURITY.md (ASF disclosure pointer + a link to the model) and AGENTS.md (Security section pointing at SECURITY.md) so an automated scanner can follow AGENTS.md -> SECURITY.md -> draft-THREAT-MODEL.md. The threat-model content is untouched. Generated-by: Claude Code (Claude Opus 4.8)
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds the standard documentation “wiring” needed for automated agents to discover the project’s security reporting guidance and threat model via an AGENTS.md → SECURITY.md → draft-THREAT-MODEL.md chain.
Changes:
- Adds
SECURITY.mdpointing reporters to the ASF security process and linking to the threat model. - Adds
AGENTS.mdinstructing automated agents to consultSECURITY.md(and thereby the linked threat model) before reporting findings.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| SECURITY.md | Introduces a security policy entry point and links to the existing threat model for scope/triage guidance. |
| AGENTS.md | Provides an agent-readable entry point that points scanners/analyzers at SECURITY.md to follow the discoverability chain. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| under the License. | ||
| --> | ||
|
|
||
| # Agent Guide for cloudstack |
| Agents that scan this repository should consult `SECURITY.md` and the | ||
| threat model it links before reporting issues. | ||
|
|
||
| The project-wide security threat model lives in draft-THREAT-MODEL.md (merged via #13293); SECURITY.md points to it. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #13554 +/- ##
=========================================
Coverage 20.40% 20.40%
- Complexity 18788 18789 +1
=========================================
Files 5757 5757
Lines 520921 520921
Branches 60823 60823
=========================================
+ Hits 106308 106310 +2
+ Misses 403034 403031 -3
- Partials 11579 11580 +1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is a proposal for the PMC to review — please correct, reject, or discuss as needed. It changes no threat-model content; it only adds the discoverability wiring around it.
apache/cloudstacknow carries the project-wide security threat model (draft-THREAT-MODEL.md, merged in #13293), but there's noAGENTS.md/SECURITY.mdchain leading to it. This PR adds:SECURITY.md— the standard ASF disclosure-policy pointer (report suspected vulnerabilities privately tosecurity@apache.org) plus a "Threat Model" section linking todraft-THREAT-MODEL.md.AGENTS.md— a Security section pointing agents atSECURITY.md, so an automated scanner can mechanically followAGENTS.md→SECURITY.md→draft-THREAT-MODEL.md.Context: the ASF Security team is preparing the project for an automated agentic security scan we're piloting; those scans refuse to run unless the model is reachable by that chain. The model content is untouched — I linked
draft-THREAT-MODEL.mdas-named, so if you later rename or relocate it, just update the one link inSECURITY.md. Questions / pushback welcome.