This is an automated email from the ASF dual-hosted git repository.
vishesh92 pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cloudstack-go.git
The following commit(s) were added to refs/heads/main by this push:
new e4f810b Add security-model discoverability pointer to the
project-wide CloudStack threat model (#149)
e4f810b is described below
commit e4f810bc8b12ddefa8445ba0bcd4ce0170a0c21e
Author: Jarek Potiuk <[email protected]>
AuthorDate: Mon Jul 13 10:10:25 2026 +0200
Add security-model discoverability pointer to the project-wide CloudStack
threat model (#149)
* Add draft project security threat-model document
Adds a draft project-level security threat-model document
(draft-THREAT-MODEL.md) at repo root, improving discoverability
for automated security scanners running against this repository.
The file follows the rubric format used by several other ASF
projects piloting security-model discoverability.
The "draft-" prefix signals this is a proposal for the PMC to
review, correct, or reject — not a finalised maintainer-blessed
model. Every claim carries a provenance tag (documented /
inferred / maintainer) so reviewers can see where each claim
originates; §14 collects open questions for the maintainers.
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
* Point to the project-wide CloudStack threat model instead of a per-repo
copy
Drop the standalone draft-THREAT-MODEL.md and wire the discoverability chain
AGENTS.md -> SECURITY.md -> the project-wide model in apache/cloudstack
(apache/cloudstack#13293), so scanners find one canonical model and this
repo
inherits it rather than duplicating it.
Generated-by: Claude Code
* Exclude SECURITY.md + AGENTS.md from RAT
These scaffold files carry an SPDX license header, but this repo's Apache
RAT
check doesn't scan headers embedded in Markdown, so list them in
.rat-excludes.
Generated-by: Claude Code
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI
<[email protected]>
---------
Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
Co-authored-by: dahn <[email protected]>
Co-authored-by: Copilot Autofix powered by AI
<[email protected]>
---
.rat-excludes | 5 +++++
AGENTS.md | 13 +++++++++++++
SECURITY.md | 35 +++++++++++++++++++++++++++++++++++
3 files changed, 53 insertions(+)
diff --git a/.rat-excludes b/.rat-excludes
index 6239822..1511f97 100644
--- a/.rat-excludes
+++ b/.rat-excludes
@@ -3,3 +3,8 @@ go.mod
go.sum
rat-report.txt
apache-rat-0.17
+
+# Security-model scaffold (carries an SPDX header; exempted
+# from RAT for setups that don't scan Markdown headers).
+AGENTS.md
+SECURITY.md
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 0000000..5bd145b
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,13 @@
+<!-- SPDX-License-Identifier: Apache-2.0 -->
+
+# Agent Guide for cloudstack-go
+
+This file is read by automated agents (security scanners, code analyzers,
+AI assistants) operating on this repository.
+
+## Security
+
+Security model: [SECURITY.md](./SECURITY.md)
+
+Agents that scan this repository should consult `SECURITY.md` and the
+project-wide threat model it links before reporting issues.
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..881a9e6
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,35 @@
+<!--
+SPDX-License-Identifier: Apache-2.0
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+# Security Policy
+
+## Reporting a Vulnerability
+
+`apache/cloudstack-go` follows the [Apache Software Foundation security
process](https://www.apache.org/security/).
+Please report suspected vulnerabilities privately to `[email protected]`; do
not
+open public GitHub issues or pull requests for security reports.
+
+## Threat Model
+
+`apache/cloudstack-go` is part of the Apache CloudStack project and is covered
by the
+**project-wide CloudStack threat model** rather than a per-repository copy.
What the
+project treats as in scope and out of scope, the security properties it
provides and
+disclaims, the adversary model, and how findings are triaged are documented in
that
+model: <https://github.com/apache/cloudstack/blob/main/THREAT_MODEL.md>.
+
+(That link resolves once the project-wide model lands on `apache/cloudstack`'s
+`main` branch — see apache/cloudstack#13293. A thin `cloudstack-go`-specific
+addendum can be added here later if this component needs one.)