This is an automated email from the ASF dual-hosted git repository.

akm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-agents.git

commit 610e1f2e0b224c592702e51c0bd3954b0751729c
Author: Andrew Musselman <[email protected]>
AuthorDate: Mon Dec 29 12:12:50 2025 -0800

    Initial commit
---
 LICENSE                             | 202 ++++++++++++++++++++++++++++++++++++
 README.md                           | 133 ++++++++++++++++++++++++
 docs/ASVS/security-audit-tooling.md | 111 ++++++++++++++++++++
 docs/how-to-contribute.md           | 107 +++++++++++++++++++
 4 files changed, 553 insertions(+)

diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..d645695
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
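Review bot: No NOTICE file is added next to LICENSE; the commit summary lists only LICENSE, README.md and two docs files, while section 4(d) of this license text designates NOTICE as the carrier for attribution notices. ASF repositories normally ship a NOTICE file alongside LICENSE, so consider adding one in a follow-up commit.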
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..86d7d11
--- /dev/null
+++ b/README.md
@@ -0,0 +1,133 @@
+# Apache Tooling Agents
+
+*Exploring AI-driven approaches to security auditing and code review*
+
+<a href="https://github.com/apache/tooling-agents/blob/main/LICENSE";>
+  <img alt="Apache License" 
src="https://img.shields.io/github/license/apache/tooling-agents"; /></a>
+
+We're using this repository to discuss ideas, gather community input, and 
prototype approaches. Nothing here is production-ready yet.
+
+## What This Is
+
+This repository is a space for the Apache community to explore how AI agents 
might help with automated security auditing and code review. We're interested 
in questions like:
+
+- How can agents help ASF projects achieve [OWASP 
ASVS](https://owasp.org/ASVS/) compliance?
+- What existing tools work well, and where are the gaps?
+- What should we build versus adopt?
+
+We're gathering input, prototyping ideas, and working toward tooling that 
could benefit the broader Apache ecosystem. **Your participation is welcome**, 
whether that's joining the discussion, sharing experiences, or contributing 
code.
+
+## Areas of Interest
+
+We're currently exploring several directions:
+
+- **ASVS Compliance Automation**: Can agents help verify security requirements 
across codebases?
+- **Reducing Manual Overhead**: How do we help teams maintain security without 
slowing development?
+- **Actionable Guidance**: What does useful, prioritized remediation output 
look like?
+- **Reusable Patterns**: What can we build once that benefits many ASF 
projects?
+
+## What We're Evaluating
+
+### Existing Tooling
+
+These are already available and we're assessing how well they fit our needs:
+
+- **GitHub Security Features**: Dependabot, code scanning, secret scanning 
(already in use across ASF)
+- **[OpenSSF Scorecard](https://securityscorecards.dev)**: Security health 
checks via CLI or GitHub Actions
+- **[Alpha-Omega VEX](https://github.com/vex-generation-toolset)**: 
Agent-driven CVE analysis with call graphs (in pilot with Apache Solr)
+- **[AI Alliance Gofannon](https://github.com/The-AI-Alliance/gofannon)**: 
Agent builder for prototyping workflows
+
+### Ideas Under Discussion
+
+- Automated ASVS L1/L2 compliance verification
+- Commit-level security review with agent assistance
+- Prompt-based audit workflow configuration
+- Integration patterns for CI/CD pipelines
+
+## ASVS Background
+
+We're using [ASVS v5.0.0](https://owasp.org/ASVS/) as our reference standard, 
organized into categories like:
+
+| Category | Focus Area |
+|----------|------------|
+| Server-Side Execution | Input validation, injection prevention |
+| Cross-Site Scripting | Output encoding, DOM security |
+| Weak Cryptography | Algorithm selection, key management |
+| External Access | Network security, API protection |
+| Credential Security | Authentication, session management |
+| Denial of Service | Resource limits, rate limiting |
+
+See [`docs/ASVS/`](docs/ASVS/) for our compliance tracking, research notes, 
and issue templates.
+
+## Repository Structure
+
+```
+├── src/           # Prototypes and experimental implementations
+├── docs/          # Research, proposals, and planning
+│   └── ASVS/      # ASVS compliance tracking and analysis
+├── util/          # Utility scripts for evaluation
+└── examples/      # Sample configurations and workflows
+```
+
+## Getting Involved
+
+Community feedback is encouraged! Whether you're an ASF committer, 
contributor, or just interested in security tooling:
+
+### Join the Conversation
+
+1. **Introduce yourself on the mailing list**: Say hello at 📧 
[[email protected]](mailto:[email protected]
+   *(Subscribe by sending an email with empty subject and body to 
[[email protected]](mailto:[email protected]) and 
replying to the automated response, per the [ASF mailing list 
how-to](https://apache.org/foundation/mailinglists.html))*
+
+2. **Share ideas or file issues**: Use [GitHub 
Issues](https://github.com/apache/tooling-agents/issues) to ask questions, 
suggest approaches, or start a discussion
+
+3. **Try things out**: Experiment with the tools we're evaluating and share 
what you learn
+
+### Contribute Code or Docs
+
+- [**How to contribute**](docs/how-to-contribute.md)
+- **Prototypes welcome**: Experimental code in [`src/`](src/) doesn't need to 
be polished
+- **Documentation helps**: Add research notes or proposals to [`docs/`](docs/)
+- **Evaluate tools**: Try existing tooling on your project and report back
+
+**Note:** Please introduce yourself on the mailing list before submitting a 
PR; this helps us deter spam and means your contribution won't be overlooked.
+
+## Rough Roadmap
+
+This is tentative and will evolve based on community input.
+
+### Now: Research, Discussion, and Prototyping
+- Gathering requirements and use cases
+- Evaluating existing tools
+- Identifying gaps and opportunities
+- Experiment with agent-based approaches
+- Build proof-of-concept integrations
+- Test with real ASF codebases
+
+### Next: Pilot & Iteration
+- Trial with Apache Trusted Releases (ATR) and other willing projects
+- Gather feedback and refine
+- Determine what's worth building out further
+
+## Community
+
+- **Mailing List**: [[email protected]](mailto:[email protected]) 
([subscribe](mailto:[email protected]))
+- **Slack**: `#tooling-discuss` on the [ASF 
Slack](https://infra.apache.org/slack.html)
+- **Issues**: [GitHub Issues](https://github.com/apache/tooling-agents/issues)
+
+## License
+
+This project is licensed under the [Apache License 2.0](LICENSE).
+
+## Related Work
+
+- [Alpha-Omega Project](https://alpha-omega.dev): Improving OSS security
+- [OWASP ASVS](https://owasp.org/ASVS/): The security standard we're targeting
+- [OpenSSF Scorecard](https://securityscorecards.dev): Automated security 
health checks
+- [VEX](https://github.com/vex-generation-toolset): Automated CVE detection
+- [AI Alliance](https://thealliance.ai): Open AI innovation community
+- [Gofannon](https://github.com/The-AI-Alliance/gofannon): Agent-building 
workflow
+
+---
+
+*Part of the [Apache Tooling Initiative](https://tooling.apache.org/).*
+For more information about the ASF, visit 
[https://www.apache.org/](https://www.apache.org/).
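Review bot: The "Repository Structure" tree and the "Contribute Code or Docs" section reference `src/`, `util/`, `examples/` and a `docs/ASVS/` holding "compliance tracking, research notes, and issue templates", but this commit adds only docs/ASVS/security-audit-tooling.md and docs/how-to-contribute.md under docs/ and no `src/`, `util/` or `examples/` at all, so the `[`src/`](src/)` and `[`docs/`](docs/)` links point at paths that partly do not exist yet. Either add placeholder directories with a short README each or label the tree as the planned layout. Two smaller points: the "ASVS Background" table presents "Server-Side Execution", "Weak Cryptography", "Credential Security" and the rest as ASVS categories, but they are the team's own issue groupings (they match the "Evaluate ASVS v5.0.0 compliance" issues listed in docs/ASVS/security-audit-tooling.md), not ASVS v5.0.0 chapter names; saying "organized into our working categories" would avoid misleading readers who go looking for them in the standard. And "Related Work" describes VEX as "Automated CVE detection" while "What We're Evaluating" calls it "Agent-driven CVE analysis with call graphs"; pick one description. The "Now" roadmap list also mixes "Gathering", "Evaluating", "Identifying" with "Experiment", "Build", "Test"; make the items parallel.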
diff --git a/docs/ASVS/security-audit-tooling.md 
b/docs/ASVS/security-audit-tooling.md
new file mode 100644
index 0000000..972ab72
--- /dev/null
+++ b/docs/ASVS/security-audit-tooling.md
@@ -0,0 +1,111 @@
+# Security Audit Tooling
+
+This page provides an overview of the goals for security audit tooling in ATR: 
+
+- [Motivation](#motivation)
+- [Available toolsets](#available-toolsets)
+- [Needs for ATR](#needs-for-atr)
+- [Approaches](#approaches)
+- [Phases](#phases)
+
+## Motivation
+
+Apache Trusted Releases (ATR) is a release management tool for verifying and 
distributing Apache releases securely. As such there is a need for all code, 
configuration, and workflows in ATR to comply with high standards for security. 
The Tooling team have adopted the [Application Security Verification
+Standard (ASVS) 
v5.0.0](https://raw.githubusercontent.com/OWASP/ASVS/v5.0.0/5.0/OWASP_Application_Security_Verification_Standard_5.0.0_en.pdf)
 from the [Open Worldwide Application Security Project 
(OWASP)](https://owasp.org) as our standard.
+
+The ASVS defines three levels of security verification, with L1 comprising the 
highest priority and most critical requirements, L2 including defenses against 
less common threats, and L3 rounding out the highest level of compliance. 
Requirements in L1 are about 20% of the spec, in L2 about 50%, and in L3 about 
30%. For the beta release of ATR in early 2026 the target is to fulfill all 
requirements in L1 and the bulk of L2, noting that some of the requirements 
will need infrastructure chan [...]
+
+To accelerate this goal the Tooling team is planning an internal pilot of 
automated code auditing, to work through the requirements while maintaining 
momentum on ATR feature development. We are assessing existing third-party 
tools and considering their viability along with what to build in-house to 
satisfy the security requirements for ATR.
+
+## Available toolsets
+
+### GitHub organization security settings
+
+- [Managing security settings for your 
organization](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization)
+- [Dependabot](https://github.com/orgs/apache/security/metrics/dependabot): 
already in use
+- [Code 
scanning](https://github.com/orgs/apache/security/alerts/code-scanning): 
already in use
+- [Secret 
scanning](https://github.com/orgs/apache/security/alerts/secret-scanning): 
already in use
+
+### OpenSSF Scorecard
+
+[Scorecard](https://securityscorecards.dev) is a security checklist tool which 
provides two approaches:
+- 
[CLI](https://github.com/ossf/scorecard?tab=readme-ov-file#scorecard-command-line-interface)
+- [GitHub Action](https://github.com/marketplace/actions/ossf-scorecard-action)
+
+This tool does simple overall reporting, with a weighted score along with 
justification for component scores. Each component of the review and its 
mitigation steps is detailed in the page for 
[Checks](https://github.com/ossf/scorecard/blob/main/docs/checks.md).
+
+Example output from the CLI [here (default summary)](scorecard-atr.md) and 
[with details here](scorecard-atr-details.md).
+
+### OpenAI Aardvark
+
+In private beta, ASF has applied to join the [beta 
program](https://openai.com/index/introducing-aardvark/).
+
+### Alpha-Omega VEX
+
+[VEX](https://github.com/vex-generation-toolset) is an agent-driven audit tool 
in pilot phase with Apache Solr, providing root cause analysis, call graphs, 
and reporting for anything identified as related to a given CVE. Looks 
potentially adaptable as a quick path toward ASVS L1 compliance with changes to 
prompts in the code.
+
+### AI Alliance Gofannon
+
+[Gofannon](https://github.com/The-AI-Alliance/gofannon) is a generated agent 
and application builder useful for prototyping and application development. It 
allows users to prompt application requirements and agents in a simple 
workflow, deploys API endpoints for agents, and deploys a hosted running 
application along with the front-end code for the user to export as needed.
+
+## Needs for ATR
+
+- Immediate need for streamlining of ASVS L1 compliance
+  - [Categories of L1 
criteria](https://github.com/apache/tooling-trusted-releases/issues/334)
+    1. Evaluate ASVS v5.0.0 compliance: server side execution 
[#397](https://github.com/apache/tooling-trusted-releases/issues/397)
+      - 1.2.4, 1.2.5, 1.3.2, 5.2.2, 5.3.1, 5.3.2, 15.2.1
+    2. Evaluate ASVS v5.0.0 compliance: cross site scripting 
[#398](https://github.com/apache/tooling-trusted-releases/issues/398)
+      - 1.2.1, 1.2.2, 1.2.3, 1.3.1, 3.2.1, 3.2.2, 4.1.1
+    3. Evaluate ASVS v5.0.0 compliance: weak cryptography 
[#399](https://github.com/apache/tooling-trusted-releases/issues/399)
+      - 3.4.1, 4.4.1, 11.3.1, 11.3.2, 11.4.1, 12.1.1, 12.2.1, 12.2.2
+    4. Evaluate ASVS v5.0.0 compliance: external access 
[#400](https://github.com/apache/tooling-trusted-releases/issues/400)
+      - 3.4.2, 3.5.1, 3.5.2, 3.5.3, 10.4.1, 14.2.1
+    5. Evaluate ASVS v5.0.0 compliance: universal spoofing 
[#401](https://github.com/apache/tooling-trusted-releases/issues/401)
+      - 7.3.2, 9.1.1, 9.1.2, 10.4.2, 10.4.5
+    6. Evaluate ASVS v5.0.0 compliance: internal access 
[#402](https://github.com/apache/tooling-trusted-releases/issues/402)
+      - 2.2.1, 2.2.2, 2.3.1, 8.2.1, 8.3.1, 10.4.4
+    7. Evaluate ASVS v5.0.0 compliance: credential stealing 
[#403](https://github.com/apache/tooling-trusted-releases/issues/403)
+      - 3.3.1, 7.2.2, 7.2.3, 7.2.4, 7.4.2, 9.1.3, 9.2.1, 10.4.3, 14.3.1
+    8. Evaluate ASVS v5.0.0 compliance: basic access 
[#404](https://github.com/apache/tooling-trusted-releases/issues/404)
+      - 8.2.2, 13.4.1, 15.3.1
+    9. Evaluate ASVS v5.0.0 compliance: brute force identification 
[#405](https://github.com/apache/tooling-trusted-releases/issues/405)
+      - 6.2.1, 6.2.4, 6.3.1, 6.3.2, 6.4.1
+    10. Evaluate ASVS v5.0.0 compliance: credential integrity 
[#406](https://github.com/apache/tooling-trusted-releases/issues/406)
+      - 6.2.2, 6.2.3, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.4.2, 7.4.1
+    11. Evaluate ASVS v5.0.0 compliance: denial of service 
[#407](https://github.com/apache/tooling-trusted-releases/issues/407)
+      - 1.5.1, 5.2.1
+    12. Evaluate ASVS v5.0.0 compliance: documentation 
[#408](https://github.com/apache/tooling-trusted-releases/issues/408)
+      - 2.1.1, 6.1.1, 8.1.1, 15.1.1
+- Short-term need for ASVS L2 compliance
+- Long-term need for automated repo and commit scanning
+
+## Approaches
+
+- ASVS-oriented automated auditing as standalone tool
+- Page on ATR for audit suites including ASVS compliance
+- GitHub Action (audit on demand/commit, reporting, etc.) for ASF projects
+
+## Phases
+
+### Research
+
+- Inital requirements and assessment for ASVS compliance
+  - Underway
+  - Remaining: further tool evaluations and decisions on approaches
+- Tool evaluation
+  - Assessment of gaps and viability for ATR
+
+### Design and prototyping
+
+### Integration and build
+
+- Integration and extension of viable tooling
+- Build of new tooling
+
+### Pilot
+
+- First with ATR codebase
+- Selected project codebases
+
+### General availability
+
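Review bot: "Example output from the CLI" links to `scorecard-atr.md` and `scorecard-atr-details.md`, which would resolve relative to docs/ASVS/, but neither file is part of this commit (the summary shows 4 files changed), so both links are dead; add the two files or drop the sentence until they land. The VEX paragraph's claim that the tool "looks potentially adaptable as a quick path toward ASVS L1 compliance with changes to prompts in the code" should be marked as an untested hypothesis, since the same paragraph describes VEX as scoped to analysis of a given CVE; a tracked issue for that evaluation would make the claim actionable. Under "Phases", the "Design and prototyping" and "General availability" headings have no content; a one-line placeholder such as "Not started" would keep the page honest. Typo: "Inital requirements and assessment" should read "Initial requirements and assessment".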
diff --git a/docs/how-to-contribute.md b/docs/how-to-contribute.md
new file mode 100644
index 0000000..18e8586
--- /dev/null
+++ b/docs/how-to-contribute.md
@@ -0,0 +1,107 @@
+# How to contribute
+
+**Sections**:
+
+* [Introduction](#introduction)
+* [Finding something to work on](#finding-something-to-work-on)
+* [Pull request workflow](#pull-request-workflow)
+* [Commit message style](#commit-message-style)
+* [ASF contribution policies](#asf-contribution-policies)
+* [Getting help](#getting-help)
+
+## Introduction
+
+ATR is developed by ASF Tooling in public as open source code, and we welcome 
high quality contributions from external contributors. Whether you are fixing a 
typographical error in documentation, improving an error message, implementing 
a new feature, or addressing a security issue, your contribution helps to 
improve ATR for all of our users.
+
+This page explains how to contribute code and documentation to ATR. We 
recommend reading the [platform introduction](introduction-to-atr) and 
[overview of the code](overview-of-the-code) first to understand the purpose of 
ATR and how the codebase is structured. You should also read the [code 
conventions](code-conventions) page; we expect all contributions to follow 
those conventions.
+
+**IMPORTANT: New contributors must introduce themselves on [the development 
mailing list first](mailto:[email protected]), to deter spam.** 
Contributions are very welcome, but please do not submit a PR until you have 
introduced yourself first.
+
+## Finding something to work on
+
+The easiest way to find something to work on is to look at our [issue 
tracker](https://github.com/apache/tooling-trusted-releases/issues) on GitHub.
+
+If you have an idea or suggestion that is not already reported in the issue 
tracker, please [create a new 
issue](https://github.com/apache/tooling-trusted-releases/issues/new) to 
discuss it with other developers before you start working on it. This helps to 
ensure that your contribution will be accepted, and that you do not duplicate 
work that is already in progress. For small changes such as fixing 
typographical errors or improving documentation clarity, you do not need to 
create an iss [...]
+
+## Pull request workflow
+
+Once you have identified something to work on, the process of contributing is 
as follows:
+
+1. **Fork the repository.** Create a personal fork of the [Tooling Agents 
repository](https://github.com/apache/tooling-agents) on GitHub.
+
+2. **Clone your fork.** Clone your fork to your local machine.
+
+3. **Create a branch.** [Create a new 
branch](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-and-deleting-branches-within-your-repository)
 for your work. Use a descriptive name that indicates what you are working on, 
such as `fix-typo-in-docs` or `improve-error-messages`.
+
+4. **Make your changes.** Implement your contribution.
+
+5. **Commit your changes.** Write clear, concise commit messages following 
[our commit message style](#commit-message-style). Each commit should represent 
a logical unit of work, but we are not particularly strict about this.
+
+6. **Push your branch.** Push your branch to your fork on GitHub.
+
+7. **Create a pull request (PR).** The PR should be from your branch to the 
`main` branch of the Tooling Agents repository. In the PR description, explain 
what your changes do and why they are needed. If your PR addresses an existing 
issue, reference that issue by number. Use the rebase strategy, not merge, to 
keep your PR up to date as you work on it.
+
+8. **Participate in code review.** A member of the Tooling team will review 
your PR and may request changes. _We strongly recommend enabling the option to 
allow maintainers to edit your PR when you create it._ Even if you allow us to 
make changes, we may still ask you to make the changes yourself.
+
+You can also [email 
patches](https://lists.apache.org/[email protected]) if you 
prefer not to use GitHub. Please use standard Git patch formatting, as if you 
were e.g. contributing to the Linux Kernel.
+
+## Commit message style
+
+We follow a consistent style for commit messages. The first line of the commit 
message is called the subject line, and should follow these guidelines:
+
+* **Use the imperative mood.** The subject line should complete the sentence 
"If applied, this commit will...".
+* **Use sentence case.** Start with a capital letter, but do not use a full 
stop at the end.
+* **Use articles as appropriate before nouns**. Write about "a feature" not 
just "feature". Say, for example, "fix a bug", and not "fix bug".
+* **Be specific and descriptive.** Prefer "Fix a bug in vote resolution for 
tied votes" to "Fix a bug" or "Update the vote code".
+* **Keep it concise.** Aim for 50 to 72 characters. If you need more space to 
explain your changes, use the commit body.
+
+**Examples of good subject lines:**
+
+```cmd
+Add distribution platform validation to the compose phase
+Fix a bug with sorting version numbers containing release candidates
+Move code to delete releases to the storage interface
+Update dependencies
+```
+
+**Examples of poor subject lines:**
+
+```cmd
+fixed stuff
+Updated the code.
+refactoring vote resolution logic
+```
+
+Most commits do not need a body. The subject line alone is sufficient for 
small, focused changes. If, however, your commit is complex or requires 
additional explanation, add a body separated from the subject line by a blank 
line. In the body, explain what the change does and why it was necessary. We 
typically use itemized lists for this, using asterisks. You do not need to 
explain how the change works.
+
+## ASF contribution policies
+
+As an Apache Software Foundation effort, Tooling Agents follows the standard 
ASF contribution and licensing policies. These policies ensure that the ASF has 
the necessary rights to distribute your contributions, and that contributors 
retain their rights to use their contributions for other purposes.
+
+### Contributor License Agreement
+
+Before we can accept your first contribution as an individual contributor, you 
must sign the [Apache Individual Contributor License 
Agreement](https://www.apache.org/licenses/contributor-agreements.html#clas) 
(ICLA). This is a one-time requirement, and you do not need to sign a new ICLA 
for each contribution. The ICLA grants the ASF the right to distribute and 
build upon your work within Apache, while you retain full rights to use your 
original contributions for any other purpose. The IC [...]
+
+If your employer holds rights to your work, then you may also need to submit a 
[Corporate Contributor License 
Agreement](https://www.apache.org/licenses/contributor-agreements.html#clas) 
(CCLA). Please consult with your employer to determine whether this is 
necessary.
+
+### Licensing
+
+All contributions to Tooling Agents are licensed under the [Apache License 
2.0](https://www.apache.org/licenses/LICENSE-2.0). By submitting a pull 
request, you agree that your contributions will be licensed under this license. 
If you include any third party code or dependencies in your contribution, you 
must ensure that they are compatible with the Apache License 2.0. The ASF 
maintains a list of [Category A 
licenses](https://www.apache.org/legal/resolved.html#category-a) that are 
compati [...]
+
+### Code of conduct
+
+All contributors to Tooling Agents are expected to follow the [ASF Code of 
Conduct](https://www.apache.org/foundation/policies/conduct.html), and any 
other applicable policies of the ASF.
+
+### Access controls
+
+We strongly encourage all contributors to enable two-factor authentication on 
their GitHub accounts, preferably with a 
[passkey](https://en.wikipedia.org/wiki/WebAuthn#Passkey_branding).
+
+## Getting help
+
+If you have questions about contributing, or if you need help with any step of 
the contribution process, please reach out to the team. You can:
+
+* Ask questions on the [dev mailing 
list](https://lists.apache.org/[email protected]), which is the 
primary forum for Tooling development discussions.
+* Comment on the relevant issue or pull request in the [issue 
tracker](https://github.com/apache/tooling-agents/issues).
+* Chat with us in 
[#tooling-discuss](https://the-asf.slack.com/archives/C086X8CKEMB) on ASF Slack.
+
+We welcome all types of contribution, and are happy to help you get started. 
Thank you for your interest in contributing to Tooling Agents.
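Review bot: This page reads as copied from the ATR contributor guide without retargeting: the Introduction says "ATR is developed by ASF Tooling" and "your contribution helps to improve ATR", and links to `introduction-to-atr`, `overview-of-the-code` and `code-conventions`, none of which exist in this repository (this commit adds only docs/how-to-contribute.md and docs/ASVS/security-audit-tooling.md under docs/). "Finding something to work on" sends readers to the tooling-trusted-releases issue tracker, while "Getting help" and the Pull request workflow refer to the tooling-agents repository and tracker. Replace the ATR references with Tooling Agents, drop or retarget the three relative links, and use the tooling-agents tracker throughout. Style: the commit-message example fences are tagged `cmd`, but the contents are subject lines, not shell commands; `text` is the more accurate tag.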

