This is an automated email from the ASF dual-hosted git repository.

vishesh92 pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cloudstack-go.git


The following commit(s) were added to refs/heads/main by this push:
     new e4f810b  Add security-model discoverability pointer to the 
project-wide CloudStack threat model (#149)
e4f810b is described below

commit e4f810bc8b12ddefa8445ba0bcd4ce0170a0c21e
Author: Jarek Potiuk <[email protected]>
AuthorDate: Mon Jul 13 10:10:25 2026 +0200

    Add security-model discoverability pointer to the project-wide CloudStack 
threat model (#149)
    
    * Add draft project security threat-model document
    
    Adds a draft project-level security threat-model document
    (draft-THREAT-MODEL.md) at repo root, improving discoverability
    for automated security scanners running against this repository.
    The file follows the rubric format used by several other ASF
    projects piloting security-model discoverability.
    
    The "draft-" prefix signals this is a proposal for the PMC to
    review, correct, or reject — not a finalised maintainer-blessed
    model. Every claim carries a provenance tag (documented /
    inferred / maintainer) so reviewers can see where each claim
    originates; §14 collects open questions for the maintainers.
    
    Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
    
    * Point to the project-wide CloudStack threat model instead of a per-repo 
copy
    
    Drop the standalone draft-THREAT-MODEL.md and wire the discoverability chain
    AGENTS.md -> SECURITY.md -> the project-wide model in apache/cloudstack
    (apache/cloudstack#13293), so scanners find one canonical model and this 
repo
    inherits it rather than duplicating it.
    
    Generated-by: Claude Code
    
    * Exclude SECURITY.md + AGENTS.md from RAT
    
    These scaffold files carry an SPDX license header, but this repo's Apache 
RAT
    check doesn't scan headers embedded in Markdown, so list them in 
.rat-excludes.
    
    Generated-by: Claude Code
    
    * Potential fix for pull request finding
    
    Co-authored-by: Copilot Autofix powered by AI 
<[email protected]>
    
    ---------
    
    Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>
    Co-authored-by: dahn <[email protected]>
    Co-authored-by: Copilot Autofix powered by AI 
<[email protected]>
---
 .rat-excludes |  5 +++++
 AGENTS.md     | 13 +++++++++++++
 SECURITY.md   | 35 +++++++++++++++++++++++++++++++++++
 3 files changed, 53 insertions(+)

diff --git a/.rat-excludes b/.rat-excludes
index 6239822..1511f97 100644
--- a/.rat-excludes
+++ b/.rat-excludes
@@ -3,3 +3,8 @@ go.mod
 go.sum
 rat-report.txt
 apache-rat-0.17
+
+# Security-model scaffold (carries an SPDX header; exempted
+# from RAT for setups that don't scan Markdown headers).
+AGENTS.md
+SECURITY.md
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 0000000..5bd145b
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,13 @@
+<!-- SPDX-License-Identifier: Apache-2.0 -->
+
+# Agent Guide for cloudstack-go
+
+This file is read by automated agents (security scanners, code analyzers,
+AI assistants) operating on this repository.
+
+## Security
+
+Security model: [SECURITY.md](./SECURITY.md)
+
+Agents that scan this repository should consult `SECURITY.md` and the
+project-wide threat model it links before reporting issues.
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..881a9e6
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,35 @@
+<!--
+SPDX-License-Identifier: Apache-2.0
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+# Security Policy
+
+## Reporting a Vulnerability
+
+`apache/cloudstack-go` follows the [Apache Software Foundation security 
process](https://www.apache.org/security/).
+Please report suspected vulnerabilities privately to `[email protected]`; do 
not
+open public GitHub issues or pull requests for security reports.
+
+## Threat Model
+
+`apache/cloudstack-go` is part of the Apache CloudStack project and is covered 
by the
+**project-wide CloudStack threat model** rather than a per-repository copy. 
What the
+project treats as in scope and out of scope, the security properties it 
provides and
+disclaims, the adversary model, and how findings are triaged are documented in 
that
+model: <https://github.com/apache/cloudstack/blob/main/THREAT_MODEL.md>.
+
+(That link resolves once the project-wide model lands on `apache/cloudstack`'s
+`main` branch — see apache/cloudstack#13293. A thin `cloudstack-go`-specific
+addendum can be added here later if this component needs one.)

Reply via email to