This is an automated email from the ASF dual-hosted git repository.
dongjoon-hyun pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/spark-kubernetes-operator.git
The following commit(s) were added to refs/heads/main by this push:
new 13a3cd2 [SPARK-57280] Add `SECURITY.md` for scan-agent discoverability
13a3cd2 is described below
commit 13a3cd243bc5c394a46331aa6b78e52ae31f6087
Author: Dongjoon Hyun <[email protected]>
AuthorDate: Fri Jun 5 08:57:37 2026 -0700
[SPARK-57280] Add `SECURITY.md` for scan-agent discoverability
### What changes were proposed in this pull request?
This PR aims to add `SECURITY.md` for scan-agent discoverability.
### Why are the changes needed?
Like the Apache Spark main repository, we had better provide this.
- https://github.com/apache/spark/blob/master/SECURITY.md
### Does this PR introduce _any_ user-facing change?
No.
### How was this patch tested?
Manual review.
### Was this patch authored or co-authored using generative AI tooling?
No.
Closes #701 from dongjoon-hyun/SPARK-57280.
Authored-by: Dongjoon Hyun <[email protected]>
Signed-off-by: Dongjoon Hyun <[email protected]>
---
AGENTS.md | 6 ++++++
SECURITY.md | 13 +++++++++++++
2 files changed, 19 insertions(+)
diff --git a/AGENTS.md b/AGENTS.md
index 94e0818..fb26991 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -136,3 +136,9 @@ JaCoCo. Run it before pushing; CI runs the same matrix on
Java 21 / 25 / 26 (x86
- Write PR descriptions in English following
[.github/PULL_REQUEST_TEMPLATE](.github/PULL_REQUEST_TEMPLATE), and follow
the
[Spark contributing guide](https://spark.apache.org/contributing.html).
+
+## Security
+
+Security model: [SECURITY.md](./SECURITY.md)
+
+Agents that scan this repository should consult `SECURITY.md` for the
project's threat model, in-scope / out-of-scope declarations, and known
non-findings before reporting issues.
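Review bot: the last added paragraph tells scanning agents to look in `SECURITY.md` for "known non-findings", but the `SECURITY.md` introduced in this same patch contains no such list; it only links out to Spark's security page. Either drop that phrase here or add an explicit "Known non-findings" section to `SECURITY.md` so the two files agree on what an agent will actually find. The `Security model: [SECURITY.md](./SECURITY.md)` line and the paragraph below it both point at the same file; one pointer with the explanatory sentence would read cleaner.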
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..51419b0
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,13 @@
+# Security policy
+
+## Reporting a vulnerability
+
+To report a security vulnerability in apache/spark-kubernetes-operator, follow
the ASF security process at <https://www.apache.org/security/>. Reports can be
sent privately to [email protected] or to [email protected].
+
+## Threat model
+
+This repository extend K8s resource manager to manage Apache Spark
applications via Operator Pattern. Apache Spark's security guidance for
operators — covering authentication, encryption, access control, Kerberos
integration, trust boundaries, environmental assumptions, security properties
provided and not provided, and downstream operator responsibilities — is
documented at:
+
+<https://spark.apache.org/docs/latest/security.html>
+
+Automated security scanning agents should consult that document for the
project's in-scope / out-of-scope declarations before reporting issues.
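Review bot: the opening sentence of the Threat model section has grammar problems: `This repository extend K8s resource manager to manage Apache Spark applications via Operator Pattern` should read `This repository extends the Kubernetes resource model to manage Apache Spark applications via the Operator pattern`. More substantively, the section delegates the whole threat model to the linked Spark document, which (per the list given here: authentication, encryption, Kerberos integration, downstream operator responsibilities) covers the security of Spark applications, while nothing in this file states the trust boundary of the operator itself: what the controller is trusted to do across the cluster, who may create the resources it reconciles, and which inputs it treats as untrusted. Without that, the "in-scope / out-of-scope declarations" the closing paragraph tells scanners to consult are not actually present in either file. Suggest a short operator-specific paragraph plus an explicit in-scope / out-of-scope list, and, since the reporting section is the part a scanner will act on, a line stating which branches or releases receive security fixes.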