[ https://issues.apache.org/jira/browse/SPARK-56998?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
ASF GitHub Bot updated SPARK-56998:
-----------------------------------
Labels: pull-request-available (was: )
> Add SECURITY.md + AGENTS.md Security section for scan-agent discoverability
> ---------------------------------------------------------------------------
>
> Key: SPARK-56998
> URL: https://issues.apache.org/jira/browse/SPARK-56998
> Project: Spark
> Issue Type: Improvement
> Components: Project Infra
> Affects Versions: 4.2.0
> Reporter: Xiao Li
> Priority: Major
> Labels: pull-request-available
>
> Adds a {{SECURITY.md}} to the repo root and a {{Security}} section to the
> existing {{AGENTS.md}} so an automated scan agent can mechanically discover
> the project's security model via the conventional {{AGENTS.md → SECURITY.md →
> model URL}} chain. The chain terminates at the existing
> [https://spark.apache.org/docs/latest/security.html] page — nothing about the
> model content itself changes.
> Context: the ASF Security team is preparing the project for an automated
> agentic security scan we're piloting. Such scans refuse to run if the model
> isn't discoverable by that path (refusing upfront beats wasting PMC reviewer
> cycles on a noise-heavy run against an unknown model). Discoverability is the
> one hard gate; everything else is suggestion. The Security team has reached
> out separately on the PMC's private list with the program details; this PR is
> the public-facing repo piece.
> The Security team uses
> [{{threat-model-producer}}|https://gist.github.com/potiuk/da14a826283038ddfe38cc9fe6310573]
> as the rubric for what a complete model looks like — but this PR is just the
> {_}link{_}; the existing {{security.html}} content is accepted as the model.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
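The discovery chain the issue describes (AGENTS.md → SECURITY.md → model URL) can be checked mechanically before a scan agent is pointed at the repository, which is the "hard gate" the issue names. The script below is an added example, not code from the Spark project, the PR, or the ASF Security team. It assumes a Markdown layout the issue does not specify: a heading in AGENTS.md whose title contains "Security" and whose body names SECURITY.md, and a SECURITY.md whose first http(s) URL is the model. The function names (`section_text`, `check_chain`, `check_repo`, `demo`) and the sample file contents are constructed for this example.

```python
"""Offline check of the AGENTS.md -> SECURITY.md -> model-URL discovery chain.

Added example, not Spark project code. Assumed conventions (the issue does not
fix them): the Security section of AGENTS.md is a Markdown heading containing
the word "Security" whose body mentions SECURITY.md, and SECURITY.md carries the
model as the first http(s) URL in the file.
"""
import os
import re
import tempfile

HEADING_RE = re.compile(r"^(#{1,6})\s*(.+?)\s*$")
# Stops at whitespace and common Markdown closers; trailing '.' would be kept,
# so keep the URL on its own line in SECURITY.md.
URL_RE = re.compile(r"https?://[^\s)>\]]+")

# Constructed sample files standing in for a repository root.
SAMPLE_AGENTS = """# AGENTS.md
## Build
Run the project build as documented in the README.
## Security
The project's security model is documented in SECURITY.md.
## Testing
Run the test suite before opening a PR.
"""
SAMPLE_SECURITY = """# Security
Security model: https://spark.apache.org/docs/latest/security.html
Vulnerability reports follow the ASF Security team's published process.
"""


def section_text(markdown, title_word):
    """Body of the first heading whose title contains title_word (case-insensitive),
    up to the next heading of the same or higher level; None if no such heading."""
    lines = markdown.splitlines()
    for i, line in enumerate(lines):
        m = HEADING_RE.match(line)
        if not m or title_word.lower() not in m.group(2).lower():
            continue
        level = len(m.group(1))
        body = []
        for nxt in lines[i + 1:]:
            m2 = HEADING_RE.match(nxt)
            if m2 and len(m2.group(1)) <= level:
                break
            body.append(nxt)
        return "\n".join(body)
    return None


def check_chain(agents_md, security_md):
    """Walk the chain over file contents (None = file absent). Every missing step
    is recorded, because the gate is 'all steps present', not 'first failure'."""
    missing = []
    model_url = None
    if agents_md is None:
        missing.append("AGENTS.md not found")
    else:
        sec = section_text(agents_md, "Security")
        if sec is None:
            missing.append("AGENTS.md has no Security section")
        elif "SECURITY.md" not in sec:
            missing.append("AGENTS.md Security section does not point at SECURITY.md")
    if security_md is None:
        missing.append("SECURITY.md not found")
    else:
        m = URL_RE.search(security_md)
        if m is None:
            missing.append("SECURITY.md contains no model URL")
        else:
            model_url = m.group(0)
    return {"discoverable": not missing, "model_url": model_url, "missing": missing}


def check_repo(repo_dir):
    """Run check_chain against the two files at the root of repo_dir."""
    def read(name):
        path = os.path.join(repo_dir, name)
        if not os.path.isfile(path):
            return None
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    return check_chain(read("AGENTS.md"), read("SECURITY.md"))


def demo():
    """Write the constructed samples to a temp directory and check them."""
    with tempfile.TemporaryDirectory() as repo:
        with open(os.path.join(repo, "AGENTS.md"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_AGENTS)
        with open(os.path.join(repo, "SECURITY.md"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_SECURITY)
        return check_repo(repo)


if __name__ == "__main__":
    result = demo()
    print("discoverable:", result["discoverable"])
    print("model URL:   ", result["model_url"])
    for step in result["missing"]:
        print("missing:", step)
```

Run it against a checkout by calling `check_repo("/path/to/repo")`; a non-empty `missing` list is the same verdict a scan agent would reach when it refuses to run, but reported locally and before any reviewer time is spent.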