Add threat model + security-model discoverability (AGENTS.md → SECURITY.md → THREAT_MODEL.md)#7214
Open
potiuk wants to merge 3 commits into
…TY.md → THREAT_MODEL.md) Generated-by: Claude Code
Generated-by: Claude Opus 4.8 (1M context)
Add a threat model + security-model discoverability for Apache Hop
This PR adds an initial threat model for
apache/hop and wires up the standard discoverability chain so automated security tooling can mechanically
find it:
THREAT_MODEL.md — a v1 draft threat model authored by the ASF Security Team for the Hop PMC to review.
SECURITY.md — points reporters at the threat model and the ASF security reporting process.
AGENTS.md — a Security section linking SECURITY.md → THREAT_MODEL.md so an automated reviewer can follow the chain.
Please read this as a proposal to react to, not a finished document
Following up on the mailing-list thread (thanks @hansva for the go-ahead to
make the initial files): this is a first draft built from public artefacts
only — the README and the repository structure. Almost every security
claim is tagged *(inferred)* and has a matching open question in §14.
The PMC is the decision-maker; please correct, reject, or refine any of
it.
The highest-value things to confirm or correct (all in §14):
the remote-execution REST/web surface? Can a default deployment accept
unauthenticated remote run requests, or is auth required / is it bound to
localhost by default?
(incl. scripting/exec steps) by design and is not a sandbox; the pipeline
author + operator are trusted.
driver/dependency CVEs.
that you consider non-findings? (e.g. the scripting/exec transforms.)
The point of the model is to let a triager (or an automated scan) classify an
inbound finding as valid / out-of-model / disclaimed-by-design and cite a
section — and to cut false-positive noise (the
§11a known-non-findings list especially).
This is part of an automated agentic security-scan pilot the ASF Security team
is running; a discoverable threat model lets the scan focus on real issues and
suppress the by-design ones.
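
A CI-style check that the discoverability chain described in this PR still resolves, added here as an example; it is not part of the PR or of the Apache Hop repository. The "Security" heading title, the inline markdown link style and the constructed file contents are assumptions.

```python
import re
import tempfile
from pathlib import Path

CHAIN = ["AGENTS.md", "SECURITY.md", "THREAT_MODEL.md"]  # order from the PR text
LINK = re.compile(r"\[[^\]]*\]\(\s*([^)\s]+)")  # target of an inline markdown link
HEADING = re.compile(r"^(#{1,6})\s+(.+?)\s*$")

def local_links(text, section=None):
    """Repo-local link targets in text, optionally only under heading `section`."""
    found, depth = set(), (None if section else 0)
    for line in text.splitlines():
        m = HEADING.match(line)
        if m and section:
            if depth is None and m.group(2).lower() == section.lower():
                depth = len(m.group(1))  # entered the wanted section
            elif depth is not None and len(m.group(1)) <= depth:
                break  # next heading at the same or a higher level ends it
            continue
        if depth is not None:
            for target in LINK.findall(line):
                if "://" not in target and not target.startswith("#"):
                    found.add(re.sub(r"^\./", "", target.split("#")[0]))
    return found

def check_chain(root):
    """Return a list of problems; an empty list means every hop resolves."""
    root, problems = Path(root), []
    for src, dst in zip(CHAIN, CHAIN[1:]):
        if not (root / src).is_file():
            problems.append(f"{src}: missing")
            continue
        section = "Security" if src == "AGENTS.md" else None  # assumed heading title
        text = (root / src).read_text(encoding="utf-8")
        if dst not in local_links(text, section):
            problems.append(f"{src}: no link to {dst}")
        elif not (root / dst).is_file():
            problems.append(f"{dst}: linked from {src} but missing")
    return problems

def demo(security_body):
    """Check a constructed three-file repo whose AGENTS.md Security section is given."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "AGENTS.md").write_text(
            "# Agents\n\n## Security\n" + security_body + "\n\n## Style\n[x](SECURITY.md)\n")
        Path(d, "SECURITY.md").write_text("See the [threat model](./THREAT_MODEL.md#scope).\n")
        Path(d, "THREAT_MODEL.md").write_text("# Threat model (constructed)\n")
        return check_chain(d)

print(demo("Read [SECURITY.md](SECURITY.md) first."), demo("No link here."))
```

A link to SECURITY.md that sits outside the Security section is reported as a broken hop, which is the case the second call exercises.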