81 changes: 81 additions & 0 deletions ISSUE_TEMPLATE/security-finding.yml
@@ -0,0 +1,81 @@
name: Security Finding
description: Report an automated security scanner finding (for maintainers)
title: "[security] "

medium

The default title [security] is very minimal. Providing a suggested format in the title field can help maintainers create consistent and searchable issue titles across the repository.

title: "[security] <package>: <vulnerability ID>"

labels: ["security/triage-needed"]
body:
- type: markdown
attributes:
value: |
**This template is for automated scanner findings reviewed by maintainers.**
If you are an external reporter, please use [Private Vulnerability Reporting](https://github.com/cozystack/cozystack/security/advisories/new) or email cncf-cozystack-security@lists.cncf.io instead.
- type: input
id: cve
attributes:
label: CVE ID
placeholder: CVE-YYYY-NNNNN
validations:
required: true
Comment on lines +11 to +17

medium

The cve field is mandatory, but not all security findings have a CVE ID (e.g., they might have a GHSA ID or be an internal finding). It is better to use a more inclusive label like 'Vulnerability ID' and update the placeholder to reflect this. I also suggest renaming the ID to vulnerability_id for clarity.

  - type: input
    id: vulnerability_id
    attributes:
      label: Vulnerability ID
      placeholder: "e.g., CVE-YYYY-NNNNN or GHSA-xxxx-xxxx-xxxx"
    validations:
      required: true

- type: dropdown
id: severity
attributes:
label: Severity
options:
- Critical
- High
- Medium
- Low
validations:
required: true
- type: input
id: package
attributes:
label: Affected package
placeholder: "e.g., libcrypto3, stdlib, redis"
validations:
required: true
- type: input
id: installed_version
attributes:
label: Installed version
placeholder: "e.g., 3.5.1-r0"
- type: input
id: fixed_version
attributes:
label: Fixed version
placeholder: "e.g., 3.5.5-r0 (or 'none available')"
- type: textarea
id: affected_components
attributes:
label: Affected Cozystack components
placeholder: |
- packages/system/velero
- packages/apps/postgres
validations:
required: true
- type: textarea
id: description
attributes:
label: Description
placeholder: Brief description of the vulnerability and its impact
validations:
required: true
- type: textarea
id: references
attributes:
label: References
placeholder: |
- https://nvd.nist.gov/vuln/detail/CVE-YYYY-NNNNN
- https://github.com/advisories/GHSA-XXXX
- type: dropdown
id: triage_status
attributes:
label: Triage status
options:
- new (needs triage)
- confirmed
- false-positive
- accepted-risk
- in-progress
- fixed
validations:
required: true
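Review bot: The markdown intro under `body:` redirects external reporters to private reporting, but gives maintainers no guidance on what is safe to put in a public issue; since `fixed_version` explicitly allows "none available" and `description` asks for "impact", an issue filed from this form can end up publicly documenting an unpatched vulnerability. Suggest adding a sentence to the intro `value:` block along the lines of "Do not include exploitation details or reproduction steps for findings with no fixed version yet; keep those in a private advisory." Two smaller points: the `triage_status` dropdown lists `new (needs triage)` first but does not preselect it, so `default: 0` under its `attributes` would make the initial state explicit; and the `security/triage-needed` label in `labels:` is only applied if it already exists in the repository, so it should be created alongside this template.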