Skip to content

Add AGENTS.md + SECURITY.md wiring for security-model discoverability#13554

Open
potiuk wants to merge 1 commit into
apache:mainfrom
potiuk:asf-security/discoverability-2026-07-06
Open

Add AGENTS.md + SECURITY.md wiring for security-model discoverability#13554
potiuk wants to merge 1 commit into
apache:mainfrom
potiuk:asf-security/discoverability-2026-07-06

Conversation

@potiuk

@potiuk potiuk commented Jul 6, 2026

Copy link
Copy Markdown
Member

This is a proposal for the PMC to review — please correct, reject, or discuss as needed. It changes no threat-model content; it only adds the discoverability wiring around it.

apache/cloudstack now carries the project-wide security threat model (draft-THREAT-MODEL.md, merged in #13293), but there's no AGENTS.md / SECURITY.md chain leading to it. This PR adds:

  • SECURITY.md — the standard ASF disclosure-policy pointer (report suspected vulnerabilities privately to security@apache.org) plus a "Threat Model" section linking to draft-THREAT-MODEL.md.
  • AGENTS.md — a Security section pointing agents at SECURITY.md, so an automated scanner can mechanically follow AGENTS.mdSECURITY.mddraft-THREAT-MODEL.md.

Context: the ASF Security team is preparing the project for an automated agentic security scan we're piloting; those scans refuse to run unless the model is reachable by that chain. The model content is untouched — I linked draft-THREAT-MODEL.md as-named, so if you later rename or relocate it, just update the one link in SECURITY.md. Questions / pushback welcome.

apache/cloudstack carries the project-wide security threat model
(draft-THREAT-MODEL.md, merged in apache#13293) but no AGENTS.md/SECURITY.md
chain leading to it. Add SECURITY.md (ASF disclosure pointer + a link to
the model) and AGENTS.md (Security section pointing at SECURITY.md) so an
automated scanner can follow AGENTS.md -> SECURITY.md -> draft-THREAT-MODEL.md.
The threat-model content is untouched.

Generated-by: Claude Code (Claude Opus 4.8)
Copilot AI review requested due to automatic review settings July 6, 2026 21:54

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds the standard documentation “wiring” needed for automated agents to discover the project’s security reporting guidance and threat model via an AGENTS.md → SECURITY.md → draft-THREAT-MODEL.md chain.

Changes:

  • Adds SECURITY.md pointing reporters to the ASF security process and linking to the threat model.
  • Adds AGENTS.md instructing automated agents to consult SECURITY.md (and thereby the linked threat model) before reporting findings.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
SECURITY.md Introduces a security policy entry point and links to the existing threat model for scope/triage guidance.
AGENTS.md Provides an agent-readable entry point that points scanners/analyzers at SECURITY.md to follow the discoverability chain.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread AGENTS.md
under the License.
-->

# Agent Guide for cloudstack
Comment thread AGENTS.md
Agents that scan this repository should consult `SECURITY.md` and the
threat model it links before reporting issues.

The project-wide security threat model lives in draft-THREAT-MODEL.md (merged via #13293); SECURITY.md points to it.
@codecov

codecov Bot commented Jul 6, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 20.40%. Comparing base (4beab94) to head (3961810).

Additional details and impacted files
@@            Coverage Diff            @@
##               main   #13554   +/-   ##
=========================================
  Coverage     20.40%   20.40%           
- Complexity    18788    18789    +1     
=========================================
  Files          5757     5757           
  Lines        520921   520921           
  Branches      60823    60823           
=========================================
+ Hits         106308   106310    +2     
+ Misses       403034   403031    -3     
- Partials      11579    11580    +1     
Flag Coverage Δ
unittests 20.40% <ø> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants