Skip to content

Agent Skills: open-source-audit + security-audit, and the repo-audits store (ADR-009)#68

Merged
tlmquintino merged 28 commits into
mainfrom
add-pre-publication-agent-skill
Jul 8, 2026
Merged

Agent Skills: open-source-audit + security-audit, and the repo-audits store (ADR-009)#68
tlmquintino merged 28 commits into
mainfrom
add-pre-publication-agent-skill

Conversation

@jameshawkes

@jameshawkes jameshawkes commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Summary

Introduces an Agent Skills area to the Codex and the governance plumbing around it: two reusable, model-agnostic AI-agent skills that audit ECMWF repositories, a decision record for where their reports are stored, and the wiring into the existing open-sourcing process.

This started as a single "pre-publication check" skill and grew (through review) into a small, coherent audit framework.

What's included

1. Agent Skills/ framework

  • New top-level Agent Skills/ section, linked from the root README.md.
  • A Format and portability guide: how to author skills that work across Claude, GPT and Gemini (frontmatter is metadata not logic; self-contained Markdown body; generic tooling; no vendor-only keys).

2. open-source-audit skill (was pre-publication-check)

A technical open-source compliance audit, run before a repo is made public and re-runnable any time to confirm continued compliance. Renamed from pre-publication-check to reflect that ongoing role and to align with the Open-Source-Audit report type it produces.

  • Checks: licensing + copied/third-party code & attribution (full-tree + history scan; incompatible-licence or unattributed copied code = FAIL), README & documentation presence, maturity badge, full-history secret scanning, git hygiene, repo structure, contributions/CI, and a mandatory security-audit step.
  • Run modes: initial / follow-up (reads the previous report) / periodic (~12-month re-audit).
  • Capability-based model requirement (no hard-coded model versions).
  • Optional post-publication recommendation to mint a Zenodo DOI.

3. security-audit skill

The concrete implementation of the mandatory security step, risk-tiered and report-only (it gates but never fixes code or flips visibility).

  • Threat-model-driven: attack-class taxonomy (generalised from ECMWF Tensogram's SECURITY_ANALYSIS.md) plus conditional ML-model-loading and LLM/agent classes.
  • Tiered: every repo gets an automated tooling sweep (SAST, osv-scanner/trivy/grype+syft SBOM, per-ecosystem scanners, zizmor, OpenSSF scorecard), manual review of security-sensitive surfaces, supply-chain/CI checks and posture; high-risk repos additionally get a deep dive (adversarial tests + bounded fuzzing + sanitizers/miri).
  • Severity/verdict: CWE-tagged CRITICAL/HIGH/MEDIUM/LOW; READY only at zero open CRITICAL/HIGH.
  • SECURITY.md is a non-blocking recommendation pointing disclosures to https://support.ecmwf.int.

4. ADR-009 — Repository Audit Store (Accepted)

Records the decision to store all audit reports in a dedicated private repo, ecmwf/repo-audits:

  • Layout audits/<org>/<repo>/<YYYY-MM-DDThhmm>-<Type>.md (UTC), covering ecmwf, ecmwf-ifs, ecmwf-training.
  • Machine-readable YAML front-matter incl. the exact audited commit SHA; secret-value redaction; retention for follow-up/periodic re-audits.
  • Writable by Enterprise/organisation owners, who serve as the auditors; readable only internally at ECMWF (never external), so repository admins can consult their own repository's reports.

5. Open-sourcing process wiring

  • Legal/Open-Sourcing-Software.md: run the open-source-audit skill as the final technical gate, file the report in ecmwf/repo-audits, and gate publication on READY audits.

Companion repository (not in this PR)

The private store ecmwf/repo-audits has been created and scaffolded separately (README, SCHEMA.md, CODEOWNERS, report templates, per-org folders, a worked example; secret-scanning + push protection on; main protected). This PR contains only the Codex-side documentation and skills.

Notes for reviewers

  • ADR-009 and ADR-010 are Accepted.
  • The branch name (add-pre-publication-agent-skill) is legacy — the skill is now open-source-audit; the branch was left as-is to preserve this PR.
  • Report/audit-type tokens (Open-Source-Audit, Security-Audit) and audit_type values are stable across the rename.
  • The skills deliberately report and gate; fixes remain the repo owner's responsibility.

SPDX / REUSE licence headers — ADR-010 (added to this PR)

This PR also adds ADR-010, which adopts SPDX short-form licence identifiers and REUSE-compliant file headers as the ECMWF-wide standard going forward, plus the supporting standard and copy-ready templates. Status is Accepted — the standard is in force (new files must use the SPDX/REUSE header; existing files migrate incrementally). A copy-ready CITATION.cff example was also added to Repository Structure/.

Why: ECMWF publishes ~160 repositories under Apache 2.0, and its libraries are routinely copied, vendored, and forked downstream. Today licensing lives in hand-maintained, multi-line boilerplate that is inconsistent across the estate, hard for tools to validate, and not machine-identifiable when a single file leaves its repository — and we have no organisation-wide, machine-readable metadata from which to generate an SBOM. SPDX is an ISO standard (ISO/IEC 5962:2021) and an SBOM format named in EU CRA guidance.

What the standard requires: each ECMWF-authored, commentable file carries two tags —

SPDX-FileCopyrightText: <YEAR> European Centre for Medium-Range Weather Forecasts (ECMWF)
SPDX-License-Identifier: Apache-2.0

Additional copyright holders (e.g. partner-co-developed code — Crown Copyright, Met Office) get an extra SPDX-FileCopyrightText: line. The unmodified Apache text lives in LICENSES/Apache-2.0.txt; a top-level LICENSE holds the Apache text with ECMWF's intergovernmental notice at its tail; NOTICE records ECMWF copyright and that notice plus any third-party attributions; non-commentable files are covered by REUSE.toml. Third-party files keep their own headers. Adoption is incremental.

Advantages: precise and machine-readable; the licence and copyright travel with each file downstream; SBOM-ready (reuse spdx); consistent and easy to bulk-maintain; verifiable via reuse lint; lighter, uniform headers.

Disadvantages / costs: a one-off migration per repository (automatable with reuse annotate); the intergovernmental notice is no longer repeated in every file (preserved in LICENSE and NOTICE); new required artefacts per repository (LICENSES/, NOTICE, and where needed REUSE.toml); ongoing discipline to prevent drift.

Enforcement: pre-commit hooks and CI checks are advised, not mandated; templates for both are included.

Files: ADR/ADR-010-SPDX-License-Identifiers-and-REUSE-Headers.md, ADR/README.md (index), Legal/SPDX-and-REUSE.md (standard), Legal/SPDX-REUSE-templates/ (NOTICE, LICENSE tail, REUSE.toml, pre-commit, CI). The open-source-audit skill now accepts either the SPDX or the legacy prose header and recommends SPDX going forward.

Coordinated Vulnerability Disclosure — ADR-011 + procedure (added to this PR)

Adds ECMWF's coordinated vulnerability disclosure mechanism and workflow, built on GitHub Private Vulnerability Reporting (PVR) and repository security advisories:

  • ADR/ADR-011-Coordinated-Vulnerability-Disclosure-via-PVR.md (Accepted) — records the decision: PVR + advisories are the primary disclosure channel for public repos across ecmwf, ecmwf-ifs, ecmwf-training; Support Portal remains the fallback and the private-repo channel. Distinguishes externally reported vulnerabilities (→ private advisories) from audit reports (→ ecmwf/repo-audits, ADR-009).
  • Guidelines/Security-Vulnerability-Disclosure.md — the end-to-end procedure: private report (PVR primary, SECURITY.md/portal fallback) → triage → fix in a draft advisory + temporary private fork (never on public branches) → coordinated release/embargo → publish with optional CVE (GitHub is a CNA), downstream notification, and reporter credit. Includes enabling/notification requirements, roles (Maintainer, Technical Officer, Head of Development, security managers), and a maintainer checklist. Indexed in Guidelines/README.md and the root README; the Open Source Principles security sentence now links to it.
  • PVR-first SECURITY.md — the template now routes reporters to the repository's Security → Report a vulnerability button first, Support Portal as fallback; the security-audit skill gains an advisory (non-blocking) posture check that PVR is enabled, and recommends tracking confirmed CRITICAL/HIGH findings on already-public repos as draft advisories.

Response targets: acknowledge within 5 business days, initial assessment within 10 business days (matching the SECURITY.md template), remediation target 90 days (shorter if actively exploited).

Admin follow-up (not performed by this PR): an organisation owner must enable PVR organisation-wide on the three orgs. This PR only adds documentation; no GitHub settings were changed.

Note on scope: GitHub's security scanning services (code scanning, secret scanning, dependency alerts) remain out of scope for the audit skills — PVR/advisories are a disclosure channel, not a scan, so this does not conflict with that stance.

Commit history

  • Add open-source (pre-publication) audit skill; link from README; require it before publication.
  • Review: portable skill format, capability-based model wording, documentation-presence check.
  • Extend the skill: complete-codebase copied-code scan, mandatory security audit, re-run modes.
  • Add ADR-009 and wire the skill + Legal doc to the repo-audits store (owners-only while maturing).
  • Add the security-audit skill and convert the security step into a hand-off.
  • Rename pre-publication-checkopen-source-audit (ongoing-compliance framing).
  • Keep the audit skills agnostic to GitHub-native security services.
  • Add ADR-010 (SPDX licence identifiers + REUSE headers), the licensing standard and templates; recommend SPDX going forward.
  • Add ADR-011 + Security Vulnerability Disclosure procedure (PVR); PVR-first SECURITY.md and advisory posture check.

@jameshawkes jameshawkes requested a review from tlmquintino July 2, 2026 11:38
jameshawkes and others added 2 commits July 2, 2026 13:36
…heck

- Open-Sourcing-Software.md: replace hard-coded model names (Opus 4.8 /
  GPT-5.5) with capability-based 'current frontier model' wording, and
  clarify the audit is triggered by a repo owner requesting the GitHub
  Enterprise/org owner to make the repo public, as part of this process.
- SKILL.md: link back to the open-sourcing process, note the operational
  trigger, and state the skill is model-agnostic.
- Agent Skills/README.md: document how to write maximally portable skills
  and how to supply them to Claude, GPT and Gemini agents.
- SKILL.md: add a documentation-presence check (missing = FAIL) tied to the
  'Provide Documentation' principle.
- SKILL.md: make 'European Union' the explicit copyright holder term.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds an “Agent Skills” section to Codex and introduces a new pre-publication-check skill to serve as the final technical audit gate before making an ECMWF repository public, and wires this skill into the existing open-sourcing process documentation.

Changes:

  • Add Agent Skills/pre-publication-check skill describing a structured pre-publication technical audit and report format.
  • Link the Agent Skills section from the root README.md.
  • Update open-sourcing guidance to require running the pre-publication check (with a current frontier model) before switching a repository to public.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File Description
README.md Adds a link to the new “Agent Skills” section from the main contents list.
Legal/Open-Sourcing-Software.md Updates the open-sourcing checklist to require the pre-publication agent skill as a final technical gate.
Agent Skills/README.md Introduces the Agent Skills index and documents a portability-focused authoring format.
Agent Skills/pre-publication-check/SKILL.md Adds the detailed pre-publication audit skill, including checks and a standardized reporting template.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread Agent Skills/open-source-audit/SKILL.md
Comment thread Agent Skills/open-source-audit/SKILL.md Outdated
- Section 1 (now 'Licensing and third-party code'): scan the complete
  codebase (and history) for copied/inlined code; FAIL on Apache-incompatible
  copied code and on copied code without attribution / missing NOTICE.
- Add mandatory security-audit section (section 9) with hand-off to a planned
  dedicated security-audit skill; absence is a FAIL.
- Add optional post-publication recommendation to mint a Zenodo DOI.
- Add re-run modes (initial / follow-up after fixes / periodic ~12-month
  re-audit) that read the previous report and track prior findings.
- Report format is Markdown with run type, previous-report reference, status
  of previous findings, recommendations and next-review date.
- Clarify reports are retained but never stored in the public repo; a
  designated access-controlled store is to be provided.
- ADR-009 (Proposed): record the decision to store audit reports in the
  private ecmwf/repo-audits repo (access = org/Enterprise owners), with layout
  audits/<org>/<repo>/, UTC-timestamped filenames, YAML front-matter incl.
  audited commit SHA, secret-value redaction, and retention. Add index row.
- SKILL.md: point 'Report storage' and the follow-up run mode at
  ecmwf/repo-audits; specify the path/filename/front-matter and redaction.
- Open-Sourcing-Software.md: file reports in the private store and gate
  publication on READY audits; link ADR-009.
- New Agent Skills/security-audit/SKILL.md: risk-tiered security audit
  (report + gate, owner fixes). Threat model + attack-class taxonomy
  (generalised tensogram A-L plus conditional ML and LLM/agent classes),
  CRITICAL/HIGH-blocking severity model, automated tooling sweep (SAST,
  osv-scanner/trivy/grype+syft SBOM, per-ecosystem scanners, zizmor,
  scorecard), manual sensitive-surface review (deserialization, injection,
  memory safety/FFI, crypto, ML loading), supply chain & CI/CD, OpenSSF-mapped
  posture, and a high-risk deep dive (adversarial tests + bounded fuzzing +
  sanitizers/miri). SECURITY.md is a non-blocking recommendation pointing
  disclosures to https://support.ecmwf.int. Reports filed in ecmwf/repo-audits.
- pre-publication-check SKILL.md section 9: convert from 'planned/interim' to a
  hand-off that runs the security-audit skill; missing audit or open
  CRITICAL/HIGH is a FAIL.
- Agent Skills/README.md: index the new skill.
The audit is not only a one-off pre-publication gate: it can be re-run any time
(initial / follow-up / periodic) to confirm an already-public repository still
complies. Rename the skill to reflect that ongoing-compliance role and to align
its name with the Open-Source-Audit report type it produces.

- Move Agent Skills/pre-publication-check/ -> Agent Skills/open-source-audit/;
  update frontmatter name, title, intro, run-mode wording and report header.
- Update all cross-references: Agent Skills/README.md, security-audit/SKILL.md,
  Legal/Open-Sourcing-Software.md, ADR-009 (also drop now-inaccurate 'planned'
  wording for security-audit; bump Last Updated).
- Report/audit type token (Open-Source-Audit) and audit_type (open-source) are
  unchanged.
@tlmquintino tlmquintino changed the title Add pre-publication agent skill Agent Skills: open-source-audit + security-audit, and the repo-audits store (ADR-009) Jul 8, 2026
- Repository Structure/SECURITY.md: language- and project-agnostic security
  policy that routes vulnerability reports to the ECMWF Support Portal
  (https://support.ecmwf.int); drop-in for any ECMWF repo. Based on ECMWF
  Tensogram's SECURITY.md, with module/language-specific scope removed.
- Repository Structure/README.md: document that each repo must ship a
  SECURITY.md and copy this template.
- security-audit skill: point the SECURITY.md posture recommendation at the
  template.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.

Comment thread Legal/Open-Sourcing-Software.md Outdated
Comment thread Agent Skills/open-source-audit/SKILL.md Outdated
- open-source-audit: use portable 'grep -riE' with an explicit search root
  instead of GNU-only '\|' alternation in the GPL-reference check.
- open-source-audit: cite Guidelines/External-Contributions.md for the clean
  SemVer 'x.y.z' (no 'v' prefix) production-tag convention.
- open-source-audit: include the required YAML front-matter in the report
  format so it is self-consistent with 'Report storage', the repo-audits
  SCHEMA, and ADR-009.
- Open-Sourcing-Software.md: the security audit now exists and is required —
  drop the 'once available' wording so both audits must be READY.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated no new comments.

open-source-audit:
- Add Blocker vs Advisory classification: verdict is NOT_READY only for true
  publication blockers (secrets, licence incompatibility, missing licence,
  IPR/provenance, NOT_READY security audit); low-impact hygiene is advisory and
  does not block. Report format gains an 'Advisory' section; fail_count counts
  blockers only.
- Header check: scan git-tracked files (git ls-files); don't flag generated
  artefacts like setuptools_scm _version.py.
- Clarify reuse/scancode are provenance leads, not a gate; REUSE/SPDX is optional
  at ECMWF (prose Apache header is the standard).

security-audit:
- State that the verdict follows the auditor's TRIAGED severity, not the raw tool
  label (e.g. zizmor rating an unpinned first-party reusable workflow 'high').
- High-risk trigger clarified to mean repo-owned parser/native code; using an
  audited upstream lib to read data is a review surface, not a deep-dive trigger.
- Note semgrep --config auto needs metrics on (offer p/... packs); add nbqa
  guidance for notebooks (linter must live in nbqa's env).
@jameshawkes

Copy link
Copy Markdown
Contributor Author

An alternative is to use more of GitHub's built-in security reporting features. It still suggests that audits go to a central repo but I question even that. Maybe everything could just be GHSAs. It should be less admin for org-owners.

Claude's concept:

Consider leaning on GitHub-native security features (and possibly shrinking/replacing the central store)

Broadly +1 on the framework. One thing I'd like us to weigh before we lock in the repo-audits store as the home for everything: GitHub ships a full coordinated-disclosure pipeline for free, and using it would remove a lot of the manual owner bookkeeping this PR currently implies. For context, I checked a few flagship repos (eccodes, cfgrib, earthkit-data, anemoi-core, metview) — private vulnerability reporting is off on all of them, none has a SECURITY.md, and there are no published advisories. So we're currently using none of the native flow; this PR is a good moment to adopt it deliberately.

1. The native disclosure pipeline: PVR → advisory → private fork → CVE → Dependabot

GitHub's mechanism has three layers, and right now the PR only addresses the policy layer:

  • Private Vulnerability Reporting (PVR) — a one-click "Report a vulnerability" button on every repo's Security tab that opens a private draft advisory. Enableable org-wide in a single setting (Org → Settings → Code security → Private vulnerability reporting → enable for all repos). This is the private channel researchers actually look for.
  • Repository Security Advisories (GHSA) — the object PVR feeds into, and one maintainers/tooling can also create directly via API (POST /repos/{owner}/{repo}/security-advisories). An advisory is a private document (description, severity, CWE, affected versions, per-advisory collaborators) that stays private until you choose to publish. Within it you get:
    • a temporary private fork of the public repo to develop and PR-review the fix in private before it's merged/published;
    • a CVE on request — GitHub is a CNA, so we can mint CVE IDs for free without becoming a CNA ourselves;
    • on publish, automatic Dependabot notification of every downstream project that depends on the affected package.

Why this may work better than a Markdown file in a separate repo, specifically for security findings:

  • Right audience. Draft advisories are visible to the repo's admins/maintainers — the people who must fix the issue — instead of an owners-only store they can't see. This quietly resolves the "how do maintainers file into / read a repo they can't access?" problem for the actionable half of the work.
  • It's a fix pipeline, not just a filing cabinet. Private fork + review + CVE + Dependabot is exactly the post-report workflow we'd otherwise have to run by hand.
  • Automatable. The security-audit skill could file each confirmed CRITICAL/HIGH as a draft advisory via the REST API (POST …/security-advisories, then POST …/security-advisories/{ghsa}/forks for the fix fork), rather than pasting it into a report. Note this creates draft advisories (maintainer/tooling action); PVR itself is the human intake channel for external reporters.

Suggested change: have the security-audit skill create draft advisories for confirmed vulnerabilities, and enable PVR org-wide.

2. Org-level SECURITY.md instead of one-per-repo

The Repository Structure change mandates a SECURITY.md in every repo ("copy verbatim"). GitHub's default community health files make that unnecessary: a single SECURITY.md in the org's special .github repo (ecmwf/.github, in its root or .github/) is inherited by every repo that doesn't have its own and surfaced as that repo's security policy. We already rely on exactly this mechanism for the org-level PULL_REQUEST_TEMPLATE.md — the open-source-audit skill even codifies "the org template applies automatically when the repo has none."

What that buys us:

  • One source of truth for the disclosure route — change the process once, not across N repos.
  • No per-repo file bloat and no verbatim-copy drift.
  • It drives the "Report a vulnerability" UX and the Security-policy tab everywhere at once.

Caveat: defaults are per-org, so we'd add the file to ecmwf/.github, ecmwf-ifs/.github, and ecmwf-training/.github (the three orgs the ADR already scopes) — three files total vs. one-per-repo. It's not physically copied into repos (won't appear in clones/tarballs); it's surfaced in the GitHub UI. If we specifically need the file present in the tree, the per-repo copy stays — but the stated purpose here is UI-discoverability, which the org default fully serves.

Also worth reconciling: Repository Structure says SECURITY.md is mandatory, but the security-audit skill (§8) says its absence is "a LOW recommendation, never a FAIL." Let's pick one — I'd make it an org-default (present everywhere by inheritance) and keep the skill's "recommendation" wording.

3. Route reporters away from public issues at the point of filing

Complementary to SECURITY.md, an issue-template chooser config nudges people to the private channel right when they're about to open an issue. In .github/ISSUE_TEMPLATE/config.yml:

blank_issues_enabled: false
contact_links:
  - name: Report a security vulnerability
    url: https://github.com/ecmwf/<repo>/security/advisories/new   # needs PVR enabled
    about: Please report security issues privately — do not open a public issue.
  - name: ECMWF Support Portal
    url: https://support.ecmwf.int
    about: General support and private vulnerability reporting.

This reinforces SECURITY.md's "do not open a public issue" line by giving reporters the right button in the chooser. The support-portal link is org-generic, so it can live in the org-default .github too; the /security/advisories/new link is repo-specific (and GitHub adds a security link automatically when PVR is on).

4. Could this replace the central repo-audits store entirely?

For vulnerability findings, yes — advisories are the better home, no store needed. The open question is whether we also push the non-vulnerability audit reports (open-source compliance + the security summary/verdict) into unpublished draft advisories and drop the bespoke repo altogether. It's technically possible (an advisory body is just private Markdown you never publish), and it would remove the admin headache of owners copying reports in and out. But advisories aren't designed for audits, and the caveats are real:

  • Loss of org-wide reporting — advisories are siloed per repo; there's no native "show me every repo's latest verdict / next-review date."
  • Loss of diffable history — a version-controlled corpus lets follow-up/periodic runs diff against the previous report; advisories are discrete tickets, not a git history.
  • Retention is weaker — advisories can be withdrawn/closed; the ADR wants append-only "kept for posterity."
  • Access inverts the wrong way for compliance reports — advisory visibility (maintainers) is a feature for vulns but the opposite of what we want for compliance/secret-location material the ADR keeps owners-only.
  • Publish-to-CVE footgun — an advisory's headline action is "Publish → public GHSA + CVE." Storing "here are the secret locations in history" one misclick from the CVE database is backwards.

So: clean fit for vulnerabilities; workable-but-awkward for full audit reports. My recommendation is the hybrid — genuine vulns → advisories; the compliance/summary reports + audit trail → a (much smaller) store. And if we keep the store, the admin headache is fixable without dropping it: give the writes to a service identity (a GitHub App scoped to repo-audits, triggered from a workflow_dispatch gated by an owner-approval Environment) and grant repo admins read on their own audits/<org>/<repo>/ subtree — then no human hand-copies anything, and owners' involvement drops to one "Approve" click. ADR-009 already lists read-down as a "maybe later"; the copy-toil is the reason to bring it forward.

If instead we decide to go all-native and drop the store, that's a legitimate call — but let's state in the ADR that we're consciously trading away org-wide reporting, cross-audit diffing, and owners-only tightness, rather than presenting it as a free simplification.

Concrete asks:

  1. Enable PVR org-wide.
  2. Add an org-default SECURITY.md to the three .github repos; drop the per-repo "must copy verbatim" mandate (or downgrade to "override only if versions differ") and align it with the skill's "recommendation" wording.
  3. Add ISSUE_TEMPLATE/config.yml contact_links routing to the security policy / support portal.
  4. Have the security-audit skill file confirmed findings as draft advisories via the REST API.
  5. Re-scope ADR-009 to audit reports only (vulns live in advisories), and either automate the store (service identity + read-down) or explicitly accept the losses of going fully native.

Weak-copyleft deps (MPL-2.0, EPL) are file-level and Apache-compatible — do not
fail them. An UNKNOWN licence usually means missing metadata, not a bad licence;
confirm manually rather than auto-failing.
GitHub's hosted security features (Dependabot, code scanning, secret scanning,
push protection) are orthogonal to these skills — whether ECMWF adopts them is a
separate decision. Reword the skills so they neither depend on nor recommend
enabling those services; the audits run their own scans (gitleaks, semgrep,
pip-audit, osv-scanner, trivy, …) regardless.

- security-audit: replace 'code scanning / secret scanning + push protection /
  Dependabot alerts enabled' posture checks and the 'enable CodeQL/Dependabot/
  secret scanning' follow-up with a tool-agnostic 'CI runs SAST + dependency
  scanning' item; generalise the dependency-update check.
- open-source-audit: generalise the CI security-scanning best-practice item.
- ADR-009: drop the GitHub push-protection reference in the mitigation note.
- Repository Structure: reconcile SECURITY.md wording with the skill — 'should
  contain (recommended)', not 'must … verbatim', consistent with the
  non-blocking recommendation.
@tlmquintino

Copy link
Copy Markdown
Member

Thanks for the very thorough write-up, James. To keep this PR focused: GitHub's own security services — private vulnerability reporting, security advisories/GHSAs, Dependabot, code scanning, secret scanning/push protection — are orthogonal to these skills and out of scope here. Whether we adopt them is a separate decision we can take independently; the skills shouldn't depend on, assume, or recommend them.

So I've made the skills agnostic to those services: they run their own scans (gitleaks, semgrep, bandit, pip-audit, osv-scanner, trivy, scorecard, …) regardless of what's enabled on the repo. I removed the posture checks and follow-ups that assumed native code scanning / secret scanning / Dependabot were enabled, and replaced them with tool-agnostic "CI runs SAST + dependency scanning" items.

I did take the one concrete consistency point you raised: Repository Structure/SECURITY.md is now "should contain (recommended)", explicitly aligned with the security-audit skill's non-blocking recommendation (no more "must … verbatim" vs "never a FAIL" mismatch).

The larger ideas — advisories as the home for vulnerabilities, an org-default SECURITY.md in the .github repos, issue-template routing, and re-scoping ADR-009 around advisories — are reasonable but belong to that separate GitHub-native-security discussion rather than this skills/store PR. Happy to pick them up there.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated no new comments.

Coordinated Vulnerability Disclosure workflow implementing ADR-011: PVR as the
primary private reporting channel on public repos (Support Portal / SECURITY.md
as fallback), triage -> fix in a draft advisory + temporary private fork ->
coordinated release -> publish with CVE and reporter credit. Includes scope
(ecmwf, ecmwf-ifs, ecmwf-training), enabling/notification requirements, roles,
response targets (5/10 business days, 90-day remediation), a maintainer
checklist, and a note distinguishing reported vulnerabilities (advisories) from
audit reports (repo-audits store). Indexed in Guidelines/README.md and the root
README; the Open Source Principles security sentence now links to it.
…o PVR-first

- Repository Structure/SECURITY.md: route reporters to GitHub private
  vulnerability reporting first (Security tab -> Report a vulnerability), with
  the Support Portal as fallback; response promises unchanged (5/10 business
  days).
- Repository Structure/README.md: Security Policy section notes the PVR-first
  routing and links the Security Vulnerability Disclosure procedure.
- security-audit skill: SECURITY.md posture item now reflects PVR-first per the
  procedure; new advisory (non-blocking) posture check that PVR is enabled on
  public repos; follow-ups bullet updated; for already-public repos, confirmed
  CRITICAL/HIGH findings should be tracked as draft security advisories per the
  procedure (skill remains report-only).
@tlmquintino

Copy link
Copy Markdown
Member

Follow-up: by direction of the repo owner, this PR now adopts the PVR/advisories part of your proposal for vulnerability disclosure — see ADR-011 and the new Guidelines/Security-Vulnerability-Disclosure.md: PVR is the primary private reporting channel on public repos, fixes happen in draft advisories + temporary private forks, publication carries CVE + downstream notification + reporter credit, and the SECURITY.md template is now PVR-first (Support Portal fallback). Your ask #1 (enable PVR org-wide) is documented as the required admin follow-up; #4 is partially covered — the security-audit skill now recommends tracking confirmed CRITICAL/HIGH findings on already-public repos as draft advisories (it stays report-only rather than filing them via API).

Unchanged: GitHub's security scanning services remain out of the skills' scope, and audit reports stay in the repo-audits store per ADR-009 (advisories hold externally reported vulnerabilities — the ADR spells out the distinction). Org-default .github SECURITY.md and issue-template routing (#2/#3) remain open follow-ups.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 23 out of 23 changed files in this pull request and generated 1 comment.

Comment thread Agent Skills/security-audit/SKILL.md Outdated
'syft . -o spdx-json && grype sbom:-' left grype waiting on empty stdin; use a
pipe instead.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 23 out of 23 changed files in this pull request and generated 2 comments.

Comment thread Repository Structure/SECURITY.md Outdated
Comment thread Agent Skills/security-audit/SKILL.md Outdated
- SECURITY.md template: PVR reports are visible to repository administrators
  and security managers, matching the disclosure procedure's wording.
- security-audit: 'syft . -o spdx-json | grype sbom:-' — pipe plus explicit
  stdin directive so the SBOM example runs as written.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 23 out of 23 changed files in this pull request and generated 3 comments.

Comment thread Legal/SPDX-REUSE-templates/REUSE.toml
Comment thread Legal/SPDX-REUSE-templates/REUSE.toml
Comment thread Repository Structure/CITATION.cff Outdated
- REUSE.toml template: add <YEAR> to both SPDX-FileCopyrightText annotations,
  consistent with the SPDX/REUSE standard's year requirement.
- CITATION.cff: use explicit <x.y.z> / <YYYY-MM-DD> placeholders so adopters
  cannot accidentally ship the template defaults.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 23 out of 23 changed files in this pull request and generated no new comments.

Revise the access model: the store is writable by GitHub Enterprise /
organisation owners, who serve as the auditors, and readable only internally
at ECMWF (never external). Repository admins can therefore consult their own
repository's reports without running audits. Ripple the wording through the
open-source-audit skill's Report storage section and the open-sourcing
checklist.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 23 out of 23 changed files in this pull request and generated 1 comment.

Comment thread Agent Skills/open-source-audit/SKILL.md Outdated
…h root

Without a path operand, non-GNU grep reads stdin; add '.' so the examples scan
the tree when copy/pasted (matching the earlier GPL-grep fix).

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 23 out of 23 changed files in this pull request and generated no new comments.

@tlmquintino tlmquintino merged commit 3c838a7 into main Jul 8, 2026
2 checks passed
@tlmquintino tlmquintino deleted the add-pre-publication-agent-skill branch July 8, 2026 16:45
tlmquintino added a commit that referenced this pull request Jul 8, 2026
ADR-009 was taken by the Repository Audit Store (merged via #68), so this ADR is
renumbered to ADR-012. Resolve the ADR/README.md index conflict (keep 009-011,
add ADR-012), rename ADR-009-JSON-Support.md -> ADR-012-JSON-Support.md, fix the
index link (previously pointed at a non-existent ADR-009-JSON-Schema.md), and
correct the title (number + 'Arcitectural' typo).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants