From 5d2ce2fcbb4c92d82cefd698014abec60249354d Mon Sep 17 00:00:00 2001
From: tym83 <6355522@gmail.com>
Date: Tue, 7 Apr 2026 00:07:00 +0500
Subject: [PATCH 1/2] feat: add security finding issue template
Standard issue template for maintainers to track security scanner findings with proper severity, triage status, and affected components.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 ISSUE_TEMPLATE/security-finding.yml | 81 +++++++++++++++++++++++++++++
 1 file changed, 81 insertions(+)
 create mode 100644 ISSUE_TEMPLATE/security-finding.yml
diff --git a/ISSUE_TEMPLATE/security-finding.yml b/ISSUE_TEMPLATE/security-finding.yml
new file mode 100644
index 0000000..f1d60e7
--- /dev/null
+++ b/ISSUE_TEMPLATE/security-finding.yml
@@ -0,0 +1,81 @@
+name: Security Finding
+description: Report an automated security scanner finding (for maintainers)
+title: "[security] "
+labels: ["security/triage-needed"]
+body:
+ - type: markdown
+ attributes:
+ value: |
+ **This template is for automated scanner findings reviewed by maintainers.**
+ If you are an external reporter, please use [Private Vulnerability Reporting](https://github.com/cozystack/cozystack/security/advisories/new) instead.
+ - type: input
+ id: cve
+ attributes:
+ label: CVE ID
+ placeholder: CVE-YYYY-NNNNN
+ validations:
+ required: true
+ - type: dropdown
+ id: severity
+ attributes:
+ label: Severity
+ options:
+ - Critical
+ - High
+ - Medium
+ - Low
+ validations:
+ required: true
+ - type: input
+ id: package
+ attributes:
+ label: Affected package
+ placeholder: "e.g., libcrypto3, stdlib, redis"
+ validations:
+ required: true
+ - type: input
+ id: installed_version
+ attributes:
+ label: Installed version
+ placeholder: "e.g., 3.5.1-r0"
+ - type: input
+ id: fixed_version
+ attributes:
+ label: Fixed version
+ placeholder: "e.g., 3.5.5-r0 (or 'none available')"
+ - type: textarea
+ id: affected_components
+ attributes:
+ label: Affected Cozystack components
+ placeholder: |
+ - packages/system/velero
+ - packages/apps/postgres
+ validations:
+ required: true
+ - type: textarea
+ id: description
+ attributes:
+ label: Description
+ placeholder: Brief description of the vulnerability and its impact
+ validations:
+ required: true
+ - type: textarea
+ id: references
+ attributes:
+ label: References
+ placeholder: |
+ - https://nvd.nist.gov/vuln/detail/CVE-YYYY-NNNNN
+ - https://github.com/advisories/GHSA-XXXX
+ - type: dropdown
+ id: triage_status
+ attributes:
+ label: Triage status
+ options:
+ - new (needs triage)
+ - confirmed
+ - false-positive
+ - accepted-risk
+ - in-progress
+ - fixed
+ validations:
+ required: true
From 74d34b702eb5fdd82559fb82953b2445cd813a24 Mon Sep 17 00:00:00 2001
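Review bot: Nothing in the form enforces the "for maintainers" restriction stated in the markdown block — issue forms are available to anyone who can open an issue, so a reporter who skips the notice can publish an undisclosed vulnerability, complete with `affected_components`, `description` and `fixed_version: none available`, in a public issue; a required `checkboxes` field in which the filer confirms the finding is an already-published advisory gives the form a hard stop and an audit trail (proposed field below, to be inserted after the markdown block). Separately, `id: cve` is `required: true` with placeholder `CVE-YYYY-NNNNN`, yet the `references` placeholder already anticipates GHSA-only advisories, so either relax `required` or relabel it `label: Vulnerability ID (CVE or GHSA)`. The `triage_status` dropdown value is frozen into the issue body at creation time, so consider `default: 0` to preselect `new (needs triage)` and track later states through labels rather than this field. The file is added at `ISSUE_TEMPLATE/` in the repository root; unless this is the organization's `.github` repository, GitHub only discovers issue forms under `.github/ISSUE_TEMPLATE/`, which I cannot confirm from the diff. The `security/triage-needed` label must already exist in the repository, otherwise it is silently not applied.
```yaml
  - type: checkboxes
    id: disclosure_check
    attributes:
      label: Disclosure check
      options:
        - label: This finding refers to an already-published advisory (CVE/GHSA) and is not an undisclosed vulnerability in Cozystack itself.
          required: true
```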
From: tym83 <6355522@gmail.com>
Date: Tue, 7 Apr 2026 18:16:29 +0500
Subject: [PATCH 2/2] docs: add CNCF security email to issue template
Add cncf-cozystack-security@lists.cncf.io as alternative reporting channel for external reporters.
Co-Authored-By: Claude Opus 4.6 (1M context)
-e Signed-off-by: tym83 <6355522@gmail.com>
---
 ISSUE_TEMPLATE/security-finding.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ISSUE_TEMPLATE/security-finding.yml b/ISSUE_TEMPLATE/security-finding.yml
index f1d60e7..f779f9a 100644
--- a/ISSUE_TEMPLATE/security-finding.yml
+++ b/ISSUE_TEMPLATE/security-finding.yml
@@ -7,7 +7,7 @@ body:
 attributes:
 value: |
 **This template is for automated scanner findings reviewed by maintainers.**
- If you are an external reporter, please use [Private Vulnerability Reporting](https://github.com/cozystack/cozystack/security/advisories/new) instead.
+ If you are an external reporter, please use [Private Vulnerability Reporting](https://github.com/cozystack/cozystack/security/advisories/new) or email cncf-cozystack-security@lists.cncf.io instead.
 - type: input
 id: cve
 attributes:
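Review bot: Before advertising `cncf-cozystack-security@lists.cncf.io` as a channel for vulnerability reports, confirm that the list is closed — moderated membership and no public archive — since a publicly archived list would turn reports sent there into disclosures; the list configuration cannot be verified from this diff. The same address should also appear in the repository's SECURITY.md so that the advisory link and the mailbox stay in sync and reporters get one consistent answer. The `- type: input` block for `id: cve` that closes this hunk continues past its end.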