docs: Update SECURITY.md

[jannfis]

What does this PR do / why we need it:

Update argocd-agent's security policy to let people know how to report vulnerabilities in a confidential manner, and how we will handle them.

Which issue(s) this PR fixes:

Fixes #597

How to test changes / Special notes to the reviewer:

Checklist

• Documentation update is required by this PR (and has been updated) OR no documentation update is required.

Summary by CodeRabbit

• Documentation
  • Adds a formal, versioned security policy titled "Security Policy for argocd-agent" (Policy version 1.0, 2025/11/05) and renames the main header accordingly.
  • Adds a Preface describing the project's security commitment.
  • Declares support: only the latest minor release receives security fixes (no back-ports).
  • Expands vulnerability disclosure into a confidential reporting process, GitHub Security Advisories handling, CVE issuance, optional reporter anonymity, and guidance to file known issues as normal bug reports.

[coderabbitai]

Walkthrough

Replaces SECURITY.md with a formal Policy header and Preface; defines that only the latest minor release will receive security fixes (no backports); and specifies a responsible disclosure process using confidential GitHub security issues, triage/coordination, and publication via GitHub Security Advisories with CVE issuance and optional reporter credit/anonymity.

Changes

Cohort / File(s)

Change Summary

Security policy SECURITY.md

Rewrote the security policy: added "Policy version 1.0 (2025/11/05)" and Preface; renamed header to reference argocd-agent; established support rule (only latest minor release receives security fixes; no backports); expanded "Reporting a Vulnerability" into a responsible disclosure workflow (confidential GitHub security issues → triage/acknowledgement → coordination → publish via GitHub Security Advisories with CVE issuance and optional reporter credit/anonymity); guidance to file normal bug reports for non-security issues.

Sequence Diagram(s)

sequenceDiagram
    participant Reporter as Reporter
    participant Repo as Repository Security
    participant Maintainer as Maintainers
    participant Advisory as GitHub Security Advisory / CVE

    Reporter->>Repo: Submit confidential security issue
    Note right of Repo `#DDEBF7`: Triage & acknowledge (public/private timeline)
    Repo->>Maintainer: Share vulnerability details privately
    Maintainer->>Repo: Propose fix & disclosure timeline
    alt Fix accepted
        Maintainer->>Advisory: Publish advisory & request CVE
        Advisory->>Reporter: Provide advisory link & credit/anonymity option
    else More info / coordination
        Maintainer->>Reporter: Request details / coordinate timeline
    end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Single documentation file changed but alters support semantics and disclosure workflow.
• Review focus:
  • Exact wording of "latest minor release only" and support implications.
  • Confidential reporting link and advisory/CVE process wording.
  • Consistent project name usage and header formatting.

Suggested reviewers

• jgwest
• mikeshng

Poem

🐰 I found a policy, neat and bright,
I hop to guard the code at night.
Send your secrets, we'll triage true,
We’ll publish advisories and CVEs too,
The freshest branch gets fixes first—🥕

Pre-merge checks and finishing touches

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'docs: Update SECURITY.md' is concise and accurately reflects the main change of updating the security policy documentation.
Linked Issues check	✅ Passed	The PR successfully addresses all coding requirements from issue #597: establishes a responsible vulnerability disclosure process, commits to issuing CVEs and security advisories, and updates the security policy accordingly.
Out of Scope Changes check	✅ Passed	All changes are directly related to updating the security policy as specified in issue #597; no out-of-scope modifications detected.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch jannfis-patch-1

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f1bd8af and 61dc6c3.

📒 Files selected for processing (1)

• SECURITY.md (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-10-31T10:37:27.987Z

Learnt from: chetan-rns
Repo: argoproj-labs/argocd-agent PR: 632
File: test/data/pre-sync/pre-sync-job.yaml:2-17
Timestamp: 2025-10-31T10:37:27.987Z
Learning: In the argocd-agent repository, Kubernetes manifests under test/data/ directories are test fixtures for e2e testing and do not require production-grade security hardening such as securityContext settings for runAsNonRoot or allowPrivilegeEscalation.

Applied to files:

• SECURITY.md

🪛 LanguageTool

SECURITY.md

[style] ~11-~11: This is not the usual sequence for adjectives that have no special emphasis.
Context: .... ## Supported Versions Only the most recent minor version (e.g. 1.0 or 1.1) will receive ...

(EN_ADJ_ORDER)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Analyze (go)
• GitHub Check: Build and push image

🔇 Additional comments (4)

SECURITY.md (4)

1-3: Clean update to header and policy versioning.

The explicit policy version and date make the document's currency clear.

---

5-7: Preface: previous grammar and spelling issues resolved.

All previously flagged issues in this section have been corrected (spelling, adverb form, and gerund usage).

---

9-11: Fix policy clearly stated.

The explicit constraint (latest minor version only, no back-ports) is unambiguous and reasonable for a young project.

---

13-23: Responsible disclosure process: comprehensive and well-structured.

The section successfully addresses the PR objectives:

• Defines clear confidential reporting mechanism (line 17: link text now descriptive) ✓
• Commits to CVE issuance and security advisories (line 21) ✓
• Offers reporter credit with anonymity option (line 21) ✓
• Distinguishes known issues from confidential reports (line 23) ✓

Previous issues (descriptive link text, "out-of-office" hyphenation) have been fixed.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

SECURITY.md (3)

11-11: Simplify wording in Supported Versions.

The phrase "for the time being" is flagged as wordy and could be replaced with a more direct term such as "currently." Additionally, the hyphenated term "back-ports" is non-standard; the industry-standard term is "backports" (single word).

-Only the most recent minor release (e.g. 1.0 or 1.1) will receive security fixes for the time being, and no back-ports will be made.
+Only the most recent minor release (e.g. 1.0 or 1.1) will receive security fixes currently, and no backports will be made.

---

17-17: Use descriptive link text.

The link text "here" is not descriptive. Consider using a more explicit phrase that clearly indicates what will happen when clicked.

-Please report vulnerabilities confidentially using GitHub's private security issue feature. You can create such a confidential vulnerability report [here](https://github.com/argoproj-labs/argocd-agent/security/advisories/new).
+Please report vulnerabilities confidentially using GitHub's private security issue feature. You can [create a confidential security advisory](https://github.com/argoproj-labs/argocd-agent/security/advisories/new).

---

19-19: Hyphenate compound adjectives.

"Out of office" should be hyphenated as "out-of-office" when used as a compound adjective before a noun.

-We will do our best to react quickly on your inquiry, and to coordinate a fix and disclosure with you. Sometimes, it might take a little longer for us to react (e.g. out of office conditions), so please bear with us in these cases.
+We will do our best to react quickly on your inquiry, and to coordinate a fix and disclosure with you. Sometimes, it might take a little longer for us to react (e.g. out-of-office conditions), so please bear with us in these cases.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e90cc07 and 29a46ab.

📒 Files selected for processing (1)

• SECURITY.md (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-10-31T10:37:27.987Z

Learnt from: chetan-rns
Repo: argoproj-labs/argocd-agent PR: 632
File: test/data/pre-sync/pre-sync-job.yaml:2-17
Timestamp: 2025-10-31T10:37:27.987Z
Learning: In the argocd-agent repository, Kubernetes manifests under test/data/ directories are test fixtures for e2e testing and do not require production-grade security hardening such as securityContext settings for runAsNonRoot or allowPrivilegeEscalation.

Applied to files:

• SECURITY.md

🪛 LanguageTool

SECURITY.md

[style] ~11-~11: This is not the usual sequence for adjectives that have no special emphasis.
Context: .... ## Supported Versions Only the most recent minor release (e.g. 1.0 or 1.1) will receive ...

(EN_ADJ_ORDER)

---

[style] ~11-~11: This phrasing can be wordy. For improved clarity, try opting for something more concise.
Context: ...1.0 or 1.1) will receive security fixes for the time being, and no back-ports will be made. ## Re...

(FOR_THE_TIME_BEING)

---

[grammar] ~19-~19: Use a hyphen to join words.
Context: ... little longer for us to react (e.g. out of office conditions), so please bear wi...

(QB_NEW_EN_HYPHEN)

---

[grammar] ~19-~19: Use a hyphen to join words.
Context: ...ttle longer for us to react (e.g. out of office conditions), so please bear with ...

(QB_NEW_EN_HYPHEN)

🪛 markdownlint-cli2 (0.18.1)

SECURITY.md

17-17: Link text should be descriptive

(MD059, descriptive-link-text)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Build and push image
• GitHub Check: Analyze (go)

🔇 Additional comments (1)

SECURITY.md (1)

1-23: Security policy substantively addresses the requirements.

The updated SECURITY.md successfully establishes the formal security vulnerability disclosure process and commitment to CVE issuance that were requested in issue #597. The policy clearly outlines:

• Confidential reporting mechanism via GitHub security advisories
• Commitment to publish advisories with CVE issuance
• Versioning constraints for security fixes (only latest minor release)
• Explicit guidance to prevent duplicate reports

This policy enables organizations to adopt the project with confidence in the security support model.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

SECURITY.md (2)

17-17: Use descriptive link text instead of generic "here".

The link text "here" is not descriptive for accessibility and clarity. Provide context about what the link does.

-Please report vulnerabilities confidentially using GitHub's private security issue feature. You can create such a confidential vulnerability report [here](https://github.com/argoproj-labs/argocd-agent/security/advisories/new).
+Please report vulnerabilities confidentially using GitHub's private security issue feature. You can [create a confidential vulnerability report](https://github.com/argoproj-labs/argocd-agent/security/advisories/new).

---

19-19: Hyphenate compound adjective "out-of-office".

Compound adjectives should be hyphenated when they precede a noun.

-We will do our best to react quickly on your inquiry, and to coordinate a fix and disclosure with you. Sometimes, it might take a little longer for us to react (e.g. out of office conditions), so please bear with us in these cases.
+We will do our best to react quickly on your inquiry, and to coordinate a fix and disclosure with you. Sometimes, it might take a little longer for us to react (e.g. out-of-office conditions), so please bear with us in these cases.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 29a46ab and 1acada2.

📒 Files selected for processing (1)

• SECURITY.md (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-10-31T10:37:27.987Z

Learnt from: chetan-rns
Repo: argoproj-labs/argocd-agent PR: 632
File: test/data/pre-sync/pre-sync-job.yaml:2-17
Timestamp: 2025-10-31T10:37:27.987Z
Learning: In the argocd-agent repository, Kubernetes manifests under test/data/ directories are test fixtures for e2e testing and do not require production-grade security hardening such as securityContext settings for runAsNonRoot or allowPrivilegeEscalation.

Applied to files:

• SECURITY.md

🪛 LanguageTool

SECURITY.md

[style] ~11-~11: This is not the usual sequence for adjectives that have no special emphasis.
Context: .... ## Supported Versions Only the most recent minor release (e.g. 1.0 or 1.1) will receive ...

(EN_ADJ_ORDER)

---

[style] ~11-~11: This phrasing can be wordy. For improved clarity, try opting for something more concise.
Context: ...1.0 or 1.1) will receive security fixes for the time being, and no back-ports will be made. ## Re...

(FOR_THE_TIME_BEING)

---

[grammar] ~19-~19: Use a hyphen to join words.
Context: ... little longer for us to react (e.g. out of office conditions), so please bear wi...

(QB_NEW_EN_HYPHEN)

---

[grammar] ~19-~19: Use a hyphen to join words.
Context: ...ttle longer for us to react (e.g. out of office conditions), so please bear with ...

(QB_NEW_EN_HYPHEN)

🪛 markdownlint-cli2 (0.18.1)

SECURITY.md

17-17: Link text should be descriptive

(MD059, descriptive-link-text)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Build and push image
• GitHub Check: Analyze (go)

🔇 Additional comments (1)

SECURITY.md (1)

1-23: Policy addresses PR objectives well; addresses blocking issues from #597.

The restructured security policy establishes a responsible vulnerability disclosure process, commits to CVE issuance via GitHub Security Advisories, and provides clear guidance for reporters. This directly resolves the organizational adoption concerns raised in issue #597.

[jannfis]

@coderabbitai help

[coderabbitai]

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

CodeRabbit commands

These commands are invoked using PR/Issue comments.

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai evaluate custom pre-merge check --instructions <custom-checks-instructions> --name <custom-checks-title> [--mode <error|warning>] to validate the custom pre-merge checks instructions. Defaults to error when --mode is omitted.
  • @coderabbitai ignore pre-merge checks to override pre-merge checks and get an approval on PR.
  • @coderabbitai run pre-merge checks to run pre-merge checks on the pull request.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve to resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit configuration file (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, support, documentation and community

• Visit our status page to check the current availability of CodeRabbit.
• Create a ticket on our support page for assistance with any issues or questions.
• Visit our documentation site for detailed information on how to use CodeRabbit.
• Join our Discord community to connect with other users and get help from the community.
• Follow us on X/Twitter for updates and announcements.

[jannfis]

Actionable comments posted: 1

🧹 Nitpick comments (2)

SECURITY.md (2)> 17-17: Use descriptive link text instead of generic "here".

The link text "here" is not descriptive for accessibility and clarity. Provide context about what the link does.

-Please report vulnerabilities confidentially using GitHub's private security issue feature. You can create such a confidential vulnerability report [here](https://github.com/argoproj-labs/argocd-agent/security/advisories/new).
+Please report vulnerabilities confidentially using GitHub's private security issue feature. You can [create a confidential vulnerability report](https://github.com/argoproj-labs/argocd-agent/security/advisories/new).

19-19: Hyphenate compound adjective "out-of-office".
Compound adjectives should be hyphenated when they precede a noun.

-We will do our best to react quickly on your inquiry, and to coordinate a fix and disclosure with you. Sometimes, it might take a little longer for us to react (e.g. out of office conditions), so please bear with us in these cases.
+We will do our best to react quickly on your inquiry, and to coordinate a fix and disclosure with you. Sometimes, it might take a little longer for us to react (e.g. out-of-office conditions), so please bear with us in these cases.

📜 Review details

@coderabbitai Create commitable suggestions for your nit comments

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

SECURITY.md (1)

11-11: Minor: Consider simplifying "for the time being."

The phrase "for the time being" is somewhat redundant in a policy statement. Consider replacing it with more direct phrasing such as "Currently, only the most recent minor release will receive security fixes, and no back-ports will be made." or simply removing the qualifier entirely.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1acada2 and 748e431.

📒 Files selected for processing (1)

• SECURITY.md (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-10-31T10:37:27.987Z

Learnt from: chetan-rns
Repo: argoproj-labs/argocd-agent PR: 632
File: test/data/pre-sync/pre-sync-job.yaml:2-17
Timestamp: 2025-10-31T10:37:27.987Z
Learning: In the argocd-agent repository, Kubernetes manifests under test/data/ directories are test fixtures for e2e testing and do not require production-grade security hardening such as securityContext settings for runAsNonRoot or allowPrivilegeEscalation.

Applied to files:

• SECURITY.md

🪛 LanguageTool

SECURITY.md

[style] ~11-~11: This is not the usual sequence for adjectives that have no special emphasis.
Context: .... ## Supported Versions Only the most recent minor release (e.g. 1.0 or 1.1) will receive ...

(EN_ADJ_ORDER)

---

[style] ~11-~11: This phrasing can be wordy. For improved clarity, try opting for something more concise.
Context: ...1.0 or 1.1) will receive security fixes for the time being, and no back-ports will be made. ## Re...

(FOR_THE_TIME_BEING)

---

[grammar] ~19-~19: Use a hyphen to join words.
Context: ... little longer for us to react (e.g. out of office conditions), so please bear wi...

(QB_NEW_EN_HYPHEN)

---

[grammar] ~19-~19: Use a hyphen to join words.
Context: ...ttle longer for us to react (e.g. out of office conditions), so please bear with ...

(QB_NEW_EN_HYPHEN)

🪛 markdownlint-cli2 (0.18.1)

SECURITY.md

17-17: Link text should be descriptive

(MD059, descriptive-link-text)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Build and push image
• GitHub Check: Analyze (go)

🔇 Additional comments (2)

SECURITY.md (2)

1-7: LGTM!

The header, policy version, and preface establish a professional tone and demonstrate the project's commitment to security. The grammar correction on line 7 ("committed to continuously working on improving") appears to have incorporated previous feedback.

---

15-23: Excellent addition: Clear vulnerability disclosure policy.

This section successfully addresses the key blockers identified in issue #597. The policy now explicitly:

• Establishes a responsible disclosure process via confidential GitHub security issues
• Commits to CVE issuance and GitHub Security Advisories
• Provides reporter credit with anonymity options
• Distinguishes known issues from new vulnerabilities

This should significantly enable organizational adoption by removing security policy concerns.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Read the SECURITY.md file to see the current content
cat SECURITY.md

Length of output: 1516

---

@jannfis I'll plan these changes for you.

Task: Apply nitpick improvements to SECURITY.md

• Replace generic "here" link text with descriptive text on line 17
• Hyphenate "out of office" to "out-of-office" on line 19

---

⏳ Preparing changes...

[coderabbitai]

A summary of the changes CodeRabbit can apply:

• Update SECURITY.md by changing the link text on line 17 to "You can create a confidential vulnerability report" and hyphenating "out of office conditions" to "out-of-office conditions" to improve link accessibility and correct compound-adjective grammar.

• Update SECURITY.md to rephrase the confidential vulnerability report link (make it inline link text) and adjust wording (change "out of office" to "out-of-office") to improve clarity.

• Created local commit - (🔄 Check again to try again)

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

SECURITY.md (1)

19-19: Hyphenate compound adjective "out-of-office" (duplicate issue from past review).

The phrase "out of office conditions" should use a hyphen when used as a compound adjective: "out-of-office conditions."

Apply this diff to fix the hyphenation:

-Sometimes, it might take a little longer for us to react (e.g. out of office conditions), so please bear with us in these cases.
+Sometimes, it might take a little longer for us to react (e.g. out-of-office conditions), so please bear with us in these cases.

🧹 Nitpick comments (1)

SECURITY.md (1)

11-11: Consider tightening wordy phrasing (optional).

The phrase "for the time being" could be replaced with "currently" or removed to improve conciseness. However, the current phrasing adequately conveys the temporary nature of the policy if you prefer to keep it.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 748e431 and 892b18d.

📒 Files selected for processing (1)

• SECURITY.md (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-10-31T10:37:27.987Z

Learnt from: chetan-rns
Repo: argoproj-labs/argocd-agent PR: 632
File: test/data/pre-sync/pre-sync-job.yaml:2-17
Timestamp: 2025-10-31T10:37:27.987Z
Learning: In the argocd-agent repository, Kubernetes manifests under test/data/ directories are test fixtures for e2e testing and do not require production-grade security hardening such as securityContext settings for runAsNonRoot or allowPrivilegeEscalation.

Applied to files:

• SECURITY.md

🪛 LanguageTool

SECURITY.md

[style] ~11-~11: This is not the usual sequence for adjectives that have no special emphasis.
Context: .... ## Supported Versions Only the most recent minor release (e.g. 1.0 or 1.1) will receive ...

(EN_ADJ_ORDER)

---

[style] ~11-~11: This phrasing can be wordy. For improved clarity, try opting for something more concise.
Context: ...1.0 or 1.1) will receive security fixes for the time being, and no back-ports will be made. ## Re...

(FOR_THE_TIME_BEING)

---

[grammar] ~19-~19: Use a hyphen to join words.
Context: ... little longer for us to react (e.g. out of office conditions), so please bear wi...

(QB_NEW_EN_HYPHEN)

---

[grammar] ~19-~19: Use a hyphen to join words.
Context: ...ttle longer for us to react (e.g. out of office conditions), so please bear with ...

(QB_NEW_EN_HYPHEN)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Build and push image
• GitHub Check: Analyze (go)

🔇 Additional comments (3)

SECURITY.md (3)

1-3: Strong opening with formal policy header.

The addition of the title refinement and policy version tracking is professional and appropriate for a security policy document.

---

5-7: Clear security commitment statement.

The Preface effectively establishes the project's security posture and appears to incorporate corrections from the previous review cycle.

---

15-23: Comprehensive vulnerability reporting workflow addresses PR objectives.

The expanded Reporting a Vulnerability section establishes a clear, professional responsible disclosure process with CVE commitment, GitHub Security Advisories integration, and reporter credit options. This directly addresses the concerns raised in issue #597 and should facilitate organizational adoption.

[coderabbitai]

Creating a commit in the current branch to apply the edits...

The changes have been committed to the current branch. Commit ID: f1bd8afb172237157f3f0cef5c97ec486256cb6d

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 892b18d and f1bd8af.

📒 Files selected for processing (1)

• SECURITY.md (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-10-31T10:37:27.987Z

Learnt from: chetan-rns
Repo: argoproj-labs/argocd-agent PR: 632
File: test/data/pre-sync/pre-sync-job.yaml:2-17
Timestamp: 2025-10-31T10:37:27.987Z
Learning: In the argocd-agent repository, Kubernetes manifests under test/data/ directories are test fixtures for e2e testing and do not require production-grade security hardening such as securityContext settings for runAsNonRoot or allowPrivilegeEscalation.

Applied to files:

• SECURITY.md

🪛 LanguageTool

SECURITY.md

[style] ~11-~11: This is not the usual sequence for adjectives that have no special emphasis.
Context: .... ## Supported Versions Only the most recent minor version (e.g. 1.0 or 1.1) will receive ...

(EN_ADJ_ORDER)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Build and push image
• GitHub Check: Analyze (go)

🔇 Additional comments (1)

SECURITY.md (1)

1-23: Substantive policy update effectively addresses issue #597.

The rewritten security policy now clearly commits to a responsible disclosure process via confidential GitHub security issues, publication of security advisories through GitHub's feature, issuance of CVEs, and optional reporter credit/anonymity. This directly resolves the blockers identified in issue #597 (absence of responsible disclosure process and no CVE commitment). The support policy limiting fixes to the latest minor version is explicit and actionable.