This is an automated email from the ASF dual-hosted git repository.

dongjoon-hyun pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/spark-connect-swift.git


The following commit(s) were added to refs/heads/main by this push:
     new 44bf60b  [SPARK-57279] Add `SECURITY.md` for scan-agent discoverability
44bf60b is described below

commit 44bf60b989c2c8bc7dd0f8d8b2c9f635ccc11cbb
Author: Dongjoon Hyun <[email protected]>
AuthorDate: Fri Jun 5 08:59:48 2026 -0700

    [SPARK-57279] Add `SECURITY.md` for scan-agent discoverability
    
    ### What changes were proposed in this pull request?
    
    This PR aims to add `SECURITY.md` for scan-agent discoverability.
    
    ### Why are the changes needed?
    
    Like the Apache Spark main repository, we had better provide this.
    - https://github.com/apache/spark/blob/master/SECURITY.md
    
    ### Does this PR introduce _any_ user-facing change?
    
    No.
    
    ### How was this patch tested?
    
    Manual review.
    
    ### Was this patch authored or co-authored using generative AI tooling?
    
    No.
    
    Closes #403 from dongjoon-hyun/SPARK-57279.
    
    Authored-by: Dongjoon Hyun <[email protected]>
    Signed-off-by: Dongjoon Hyun <[email protected]>
---
 AGENTS.md   |  8 ++++++++
 SECURITY.md | 27 +++++++++++++++++++++++++++
 2 files changed, 35 insertions(+)

diff --git a/AGENTS.md b/AGENTS.md
index 955682e..c15cc00 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -128,3 +128,11 @@ This repo follows standard Apache Spark process.
 - Test failures are usually "no server" or version mismatch, not code bugs —
   confirm a Spark Connect server is running and reachable at `SPARK_REMOTE`.
 - Keep dependency versions as `exact` pins.
+
+## Security
+
+Security model: [SECURITY.md](./SECURITY.md)
+
+Agents that scan this repository should consult `SECURITY.md`
+for the project's threat model, in-scope / out-of-scope
+declarations, and known non-findings before reporting issues.
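Review bot: The added AGENTS.md paragraph promises that `SECURITY.md` carries "in-scope / out-of-scope declarations, and known non-findings", but the `SECURITY.md` introduced in this same commit has no such sections; it only names a reporting channel and links to Spark's operator security page. Either add those sections to `SECURITY.md` or narrow the sentence to what the file actually provides, for example: `Agents that scan this repository should consult \`SECURITY.md\` for the reporting process and the threat model it references before reporting issues.`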
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..f4ac106
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,27 @@
+# Security policy
+
+## Reporting a vulnerability
+
+To report a security vulnerability in apache/spark-connect-swift,
+follow the ASF security process at
+<https://www.apache.org/security/>. Reports can be sent privately
+to [email protected] or to [email protected].
+
+## Threat model
+
+This repository implements the Swift client for the Spark Connect
+RPC protocol. Apache Spark's security guidance for operators is
+documented at:
+
+<https://spark.apache.org/docs/latest/security.html>
+
+That document covers authentication, encryption, access
+control, Kerberos integration, trust boundaries, environmental
+assumptions, security properties provided and not provided,
+and downstream operator responsibilities. The client-side
+trust assumptions for Spark Connect (RPC channel, credential
+material, TLS validation) inherit from that model.
+
+Automated security scanning agents should consult that
+document for the project's in-scope / out-of-scope
+declarations before reporting issues.
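Review bot: The "Threat model" section defers the client-side trust assumptions (RPC channel, credential material, TLS validation) to Spark's operator security guide, but that page, as this hunk itself describes it, is guidance for operators of a Spark deployment and says nothing about how this Swift client behaves. A scanner following the link still cannot tell whether the client validates server certificates by default or how it treats credential material taken from `SPARK_REMOTE`, and the closing paragraph sends agents there for "in-scope / out-of-scope declarations" that the linked page does not contain. Suggest stating the client's own assumptions in this file (what the client trusts about the endpoint it connects to, where it reads credential material from, whether TLS validation can be disabled) and adding an explicit in-scope / out-of-scope list for this repository so that the claim in AGENTS.md is backed by the document it points to.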

