Add security-model discoverability pointer to the project-wide CloudStack threat model#149
Add security-model discoverability pointer to the project-wide CloudStack threat model#149potiuk wants to merge 4 commits into
Conversation
0f8d4ea to
b6579f6
Compare
|
There's a lot of details in the draft that needs a better set of eyes, so assigning @DaanHoogland @vishesh92 who're also PMC leads on the work. |
|
Thanks @yadvr, I think we should start with this one and work from there. I’ll look at the fields we need today cc @vishesh92 @potiuk |
Given that this “inherits” from cloudstack, i think (on second thought) we should start there. |
|
Agreed @DaanHoogland — let's converge on the parent |
|
Note on the failing Apache RAT Check — it's the workflow's RAT-download step, not this PR. The job fetches |
|
Note for reviewers: the failing Apache RAT Check isn't related to this PR's content. The workflow downloads |
|
Thanks @DaanHoogland. This PR was re-pointed to the project-wide CloudStack model (apache/cloudstack#13293) — the per-repo |
Adds a draft project-level security threat-model document (draft-THREAT-MODEL.md) at repo root, improving discoverability for automated security scanners running against this repository. The file follows the rubric format used by several other ASF projects piloting security-model discoverability. The "draft-" prefix signals this is a proposal for the PMC to review, correct, or reject — not a finalised maintainer-blessed model. Every claim carries a provenance tag (documented / inferred / maintainer) so reviewers can see where each claim originates; §14 collects open questions for the maintainers. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…po copy Drop the standalone draft-THREAT-MODEL.md and wire the discoverability chain AGENTS.md -> SECURITY.md -> the project-wide model in apache/cloudstack (apache/cloudstack#13293), so scanners find one canonical model and this repo inherits it rather than duplicating it. Generated-by: Claude Code
These scaffold files carry an SPDX license header, but this repo's Apache RAT check doesn't scan headers embedded in Markdown, so list them in .rat-excludes. Generated-by: Claude Code
c8db4b0 to
2c92488
Compare
|
Update: rebased onto current main to pick up #139 (Apache RAT 0.17 -> 0.18). The earlier "Apache RAT Check" failure was just the old workflow downloading RAT 0.17, which has aged off downloads.apache.org — RAT and the builds are green now. Ready for review whenever convenient. |
There was a problem hiding this comment.
Pull request overview
This PR adds repository-level security discoverability documents so automated tools can find CloudStack’s canonical, project-wide threat model via a pointer chain (AGENTS.md → SECURITY.md → apache/cloudstack’s THREAT_MODEL.md).
Changes:
- Adds
SECURITY.mddescribing vulnerability reporting guidance and linking to the project-wide threat model. - Adds
AGENTS.mdas an agent-facing entry point pointing scanners/tools toSECURITY.md. - Updates
.rat-excludesto exempt the new Markdown files from Apache RAT checks.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| SECURITY.md | Introduces security policy + threat model pointer (with license header). |
| AGENTS.md | Adds an agent-readable entry point directing tools to SECURITY.md. |
| .rat-excludes | Exempts the new Markdown policy files from RAT scanning. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| <!-- | ||
| SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||
| you may not use this file except in compliance with the License. | ||
| You may obtain a copy of the License at | ||
|
|
||
| https://www.apache.org/licenses/LICENSE-2.0 | ||
|
|
||
| Unless required by applicable law or agreed to in writing, software | ||
| distributed under the License is distributed on an "AS IS" BASIS, | ||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
| --> |
|
|
||
| # Security-model scaffold (carries an SPDX header; exempted | ||
| # from RAT for setups that don't scan Markdown headers). | ||
| AGENTS.md | ||
| SECURITY.md |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
| <!-- | ||
| SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||
| you may not use this file except in compliance with the License. | ||
| You may obtain a copy of the License at | ||
|
|
||
| https://www.apache.org/licenses/LICENSE-2.0 | ||
|
|
||
| Unless required by applicable law or agreed to in writing, software | ||
| distributed under the License is distributed on an "AS IS" BASIS, | ||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
| --> |
| (That link resolves once the project-wide model lands on `apache/cloudstack`'s | ||
| `main` branch — see apache/cloudstack#13293. A thin `cloudstack-go`-specific | ||
| addendum can be added here later if this component needs one.) |
| <!-- SPDX-License-Identifier: Apache-2.0 --> | ||
|
|
|
|
||
| # Security-model scaffold (carries an SPDX header; exempted | ||
| # from RAT for setups that don't scan Markdown headers). | ||
| AGENTS.md | ||
| SECURITY.md |
Summary
Apache CloudStack's security model is project-wide, not per-repository. This PR replaces the earlier standalone
draft-THREAT-MODEL.mdin this repo with the standard discoverability chain so automated scanners find the one canonical model:AGENTS.md→SECURITY.md→ the project-wide model athttps://github.com/apache/cloudstack/blob/main/THREAT_MODEL.mdThe model lives in
apache/cloudstack(see apache/cloudstack#13293); this repo inherits it via the pointer above rather than duplicating it — per the PMC's direction on #13293 to converge on the parent model first. The link resolves once that model lands onmain. A thin repo-specific addendum can be added here later if this component needs one.AGENTS.mdcarries a one-line SPDX header (it is read by agents on every session);SECURITY.mdcarries the full ASF header.