Add AGENTS.md + SECURITY.md wiring for security-model discoverability#13554
Conversation
apache/cloudstack carries the project-wide security threat model (draft-THREAT-MODEL.md, merged in apache#13293) but no AGENTS.md/SECURITY.md chain leading to it. Add SECURITY.md (ASF disclosure pointer + a link to the model) and AGENTS.md (Security section pointing at SECURITY.md) so an automated scanner can follow AGENTS.md -> SECURITY.md -> draft-THREAT-MODEL.md. The threat-model content is untouched. Generated-by: Claude Code (Claude Opus 4.8)
There was a problem hiding this comment.
Pull request overview
This PR adds the standard documentation “wiring” needed for automated agents to discover the project’s security reporting guidance and threat model via an AGENTS.md → SECURITY.md → draft-THREAT-MODEL.md chain.
Changes:
- Adds
SECURITY.mdpointing reporters to the ASF security process and linking to the threat model. - Adds
AGENTS.mdinstructing automated agents to consultSECURITY.md(and thereby the linked threat model) before reporting findings.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| SECURITY.md | Introduces a security policy entry point and links to the existing threat model for scope/triage guidance. |
| AGENTS.md | Provides an agent-readable entry point that points scanners/analyzers at SECURITY.md to follow the discoverability chain. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #13554 +/- ##
============================================
- Coverage 20.40% 19.48% -0.93%
- Complexity 18788 19407 +619
============================================
Files 5757 6303 +546
Lines 520921 569237 +48316
Branches 60823 69781 +8958
============================================
+ Hits 106308 110894 +4586
- Misses 403034 446206 +43172
- Partials 11579 12137 +558
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
|
|
||
| ## Security | ||
|
|
||
| Security model: [SECURITY.md](./SECURITY.md) |
| ## Threat Model | ||
|
|
||
| What the project treats as in scope and out of scope, the security | ||
| properties it provides and disclaims, the adversary model, and how | ||
| findings are triaged are documented in the project-wide threat model: | ||
| [draft-THREAT-MODEL.md](draft-THREAT-MODEL.md). |
This is a proposal for the PMC to review — please correct, reject, or discuss as needed. It changes no threat-model content; it only adds the discoverability wiring around it.
apache/cloudstacknow carries the project-wide security threat model (draft-THREAT-MODEL.md, merged in #13293), but there's noAGENTS.md/SECURITY.mdchain leading to it. This PR adds:SECURITY.md— the standard ASF disclosure-policy pointer (report suspected vulnerabilities privately tosecurity@apache.org) plus a "Threat Model" section linking todraft-THREAT-MODEL.md.AGENTS.md— a Security section pointing agents atSECURITY.md, so an automated scanner can mechanically followAGENTS.md→SECURITY.md→draft-THREAT-MODEL.md.Context: the ASF Security team is preparing the project for an automated agentic security scan we're piloting; those scans refuse to run unless the model is reachable by that chain. The model content is untouched — I linked
draft-THREAT-MODEL.mdas-named, so if you later rename or relocate it, just update the one link inSECURITY.md. Questions / pushback welcome.