feat: add security finding issue template #3

Open
tym83 wants to merge 2 commits into cozystack:main from tym83:feat/security-issue-template

Conversation

@tym83 tym83 (Contributor) commented Apr 6, 2026

Summary

Add a standard issue template for security findings (ISSUE_TEMPLATE/security-finding.yml).

This template is used by maintainers to track scanner findings with structured fields: CVE ID, severity, affected package, components, triage status.

Reporters of new vulnerabilities should use Private Vulnerability Reporting instead.

Fields

  • CVE ID, severity, package, versions
  • Affected Cozystack components
  • Triage status (new / confirmed / false-positive / accepted-risk / in-progress / fixed)
  • References

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Added a standardized "Security Finding" issue template for reporting scanner findings: includes a prefilled title prefix and default security label, required fields for CVE ID, severity, affected package(s) and components, and vulnerability description, optional fields for installed/fixed versions and references, and a required triage-status dropdown with predefined workflow states.

Standard issue template for maintainers to track security scanner
findings with proper severity, triage status, and affected components.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@coderabbitai coderabbitai bot commented Apr 6, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9984c23f-4ca5-4f7f-be64-74c4fe30efbd

📥 Commits

Reviewing files that changed from the base of the PR and between 5d2ce2f and 74d34b7.

📒 Files selected for processing (1)
  • ISSUE_TEMPLATE/security-finding.yml
✅ Files skipped from review due to trivial changes (1)
  • ISSUE_TEMPLATE/security-finding.yml

📝 Walkthrough

Walkthrough

A new GitHub issue template ISSUE_TEMPLATE/security-finding.yml was added to collect automated security scanner findings with prefilled title prefix, default label, required CVE, severity, affected package/components, description, optional version/references, and a triage status dropdown.

Changes

Cohort / File(s): Security Issue Template (ISSUE_TEMPLATE/security-finding.yml)
Summary: Adds a new "Security Finding" issue template: prefills title with [security] , applies security/triage-needed label, includes required fields (CVE ID, severity dropdown: Critical/High/Medium/Low, affected package, affected components, vulnerability description), optional fields (installed/fixed versions, references), and a required triage status dropdown (new, confirmed, false-positive, accepted-risk, in-progress, fixed).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 I found a template snug and neat,
For CVEs and notes to keep,
Dropdowns ready, labels set,
Triage paths well-met —
Hop! Security's organized and sweet. 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title 'feat: add security finding issue template' directly and accurately describes the main change: adding a new security finding issue template file (ISSUE_TEMPLATE/security-finding.yml).
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces a new GitHub issue template, security-finding.yml, designed for maintainers to report automated security scanner findings. The template includes structured fields for vulnerability details, affected components, and triage status. Feedback suggests enhancing the default title format for better consistency and renaming the CVE ID field to a more generic Vulnerability ID to support a wider range of security identifiers such as GHSA.

@@ -0,0 +1,81 @@
name: Security Finding
description: Report an automated security scanner finding (for maintainers)
title: "[security] "
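Review bot: `description` says "(for maintainers)", but an issue-form template is selectable by anyone who opens an issue, and the redirect to Private Vulnerability Reporting only appears in the form body once the form is open; repeat the redirect in `description` (for example `description: Track an automated scanner finding (maintainers only; external reporters use Private Vulnerability Reporting)`) so the template chooser itself steers external reporters to the private channel before they type anything.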

medium

The default title [security] is very minimal. Providing a suggested format in the title field can help maintainers create consistent and searchable issue titles across the repository.

title: "[security] <package>: <vulnerability ID>"

Comment on lines +11 to +17
- type: input
id: cve
attributes:
label: CVE ID
placeholder: CVE-YYYY-NNNNN
validations:
required: true
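Review bot: the placeholder `CVE-YYYY-NNNNN` implies a fixed five-digit sequence number, but CVE sequence numbers have four or more digits with no upper bound, so either write it as `CVE-YYYY-NNNN` with a short `description:` saying "four or more digits" or, if the field is widened to GHSA IDs as suggested in the other comment on this field, spell out both forms in the placeholder so any tooling that parses the issue validates on the `CVE-`/`GHSA-` prefix rather than on length.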

medium

The cve field is mandatory, but not all security findings have a CVE ID (e.g., they might have a GHSA ID or be an internal finding). It is better to use a more inclusive label like 'Vulnerability ID' and update the placeholder to reflect this. I also suggest renaming the ID to vulnerability_id for clarity.

  - type: input
    id: vulnerability_id
    attributes:
      label: Vulnerability ID
      placeholder: "e.g., CVE-YYYY-NNNNN or GHSA-xxxx-xxxx-xxxx"
    validations:
      required: true

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
ISSUE_TEMPLATE/security-finding.yml (1)

29-69: Add scanner and finding-ID fields for triage traceability.

This will make deduping and audit trails much easier across repeated scanner runs.

Suggested addition
   - type: input
+    id: scanner
+    attributes:
+      label: Scanner source
+      placeholder: "e.g., Trivy, Grype, Dependabot, osv-scanner"
+    validations:
+      required: true
+  - type: input
+    id: finding_id
+    attributes:
+      label: Scanner finding ID (if available)
+      placeholder: "e.g., advisory ID / rule ID / alert URL"
+  - type: input
     id: package
     attributes:
       label: Affected package
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@ISSUE_TEMPLATE/security-finding.yml` around lines 29 - 69, Add two new form
fields to the security-finding template to capture scanner metadata: an input
field with id "scanner" (attributes.label: Scanner, placeholder e.g.,
"Trivy/Ghsa/OSV") and an input field with id "finding_id" (attributes.label:
Finding ID, placeholder e.g., "scanner-specific id or hash") so triage and
deduping are possible; mark both with validations.required: true (and keep them
alongside the existing fields such as "package", "installed_version",
"fixed_version", "affected_components", and "description") and ensure their ids
("scanner" and "finding_id") are unique in the YAML so downstream tooling can
reliably reference them.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a203d79c-f5c9-41c7-a7c6-8753b3bed468

📥 Commits

Reviewing files that changed from the base of the PR and between 491e776 and 5d2ce2f.

📒 Files selected for processing (1)
  • ISSUE_TEMPLATE/security-finding.yml

Comment thread ISSUE_TEMPLATE/security-finding.yml Outdated
attributes:
value: |
**This template is for automated scanner findings reviewed by maintainers.**
If you are an external reporter, please use [Private Vulnerability Reporting](https://github.com/cozystack/cozystack/security/advisories/new) instead.
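Review bot: this block tells external reporters to go private but says nothing about the findings filed through this form being public issues themselves; a scanner finding names the affected package, installed version and vulnerability ID before a fix may have shipped, so add a sentence such as "Only file a finding here once the vulnerability is already public (CVE/GHSA published); otherwise open a private advisory", and since the follow-up commit adds cncf-cozystack-security@lists.cncf.io as an alternative channel, list it here alongside the private-reporting flow.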

⚠️ Potential issue | 🟠 Major

Hardcoded private-report URL can misroute security disclosures.

If this template is reused outside cozystack/cozystack, reporters may submit to the wrong advisory destination. Prefer repo-agnostic wording (e.g., “use this repository’s Security → Advisories”) or clearly state centralized intake is intentional.

Suggested edit
-        If you are an external reporter, please use [Private Vulnerability Reporting](https://github.com/cozystack/cozystack/security/advisories/new) instead.
+        If you are an external reporter, please use this repository’s **Private Vulnerability Reporting** flow from the Security tab.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@ISSUE_TEMPLATE/security-finding.yml` at line 10, The template currently
hardcodes the private reporting URL
"https://github.com/cozystack/cozystack/security/advisories/new", which can
misroute disclosures if the template is reused; update the line referencing
"Private Vulnerability Reporting" to use repo-agnostic wording such as "use this
repository's Security → Advisories" or explicitly state that submissions should
go to a centralized intake, and replace the hardcoded URL with either a relative
instruction or a configurable placeholder so the advisory destination is not
tied to cozystack/cozystack.
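Putting the Gemini and CodeRabbit suggestions together, here is an added example of what the issue form could look like; it is not the PR's ISSUE_TEMPLATE/security-finding.yml (only fragments of that file are shown above), and it keeps just the fields the review comments touched plus the two dropdowns from the PR description. The `description:` wording, the field order and the combined CVE/GHSA placeholder are assumptions drawn from the comments.

```yaml
# Added example, not the PR's file: generic vulnerability ID, scanner/finding-ID
# fields, a structured default title and repo-agnostic private-reporting wording.
name: Security Finding
description: Track an automated scanner finding (maintainers only; external reporters use Private Vulnerability Reporting)
title: "[security] <package>: <vulnerability ID>"
labels: ["security/triage-needed"]
body:
  - type: markdown
    attributes:
      value: |
        **This template is for automated scanner findings reviewed by maintainers.**
        If you are an external reporter, use this repository's **Private Vulnerability Reporting**
        flow from the Security tab, or e-mail cncf-cozystack-security@lists.cncf.io.
  - type: input
    id: vulnerability_id
    attributes:
      label: Vulnerability ID
      placeholder: "e.g., CVE-YYYY-NNNN (4+ digits) or GHSA-xxxx-xxxx-xxxx"
    validations:
      required: true
  - type: input
    id: scanner
    attributes:
      label: Scanner source
      placeholder: "e.g., Trivy, Grype, Dependabot, osv-scanner"
    validations:
      required: true
  - type: input
    id: finding_id
    attributes:
      label: Scanner finding ID (if available)
      placeholder: "e.g., advisory ID / rule ID / alert URL"
  - type: dropdown
    id: severity
    attributes:
      label: Severity
      options: [Critical, High, Medium, Low]
    validations:
      required: true
  - type: dropdown
    id: triage_status
    attributes:
      label: Triage status
      options: [new, confirmed, false-positive, accepted-risk, in-progress, fixed]
    validations:
      required: true
```

Required `scanner` plus optional `finding_id` give triage a stable key for deduplicating the same finding across repeated scanner runs, which is the traceability point CodeRabbit raised.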

Add cncf-cozystack-security@lists.cncf.io as alternative reporting
channel for external reporters.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
-e
Signed-off-by: tym83 <6355522@gmail.com>