chore(agents): defines a new AGENTS.md focused on reporting vulnerabilities #1680

Merged
lukaszlenart merged 4 commits into main from chore/agentsmd
May 15, 2026

@lukaszlenart
Member

No description provided.

@lukaszlenart lukaszlenart requested a review from rgielen May 6, 2026 06:43
@lukaszlenart lukaszlenart marked this pull request as ready for review May 6, 2026 06:45
@ppkarwasz
Member

Hi @lukaszlenart,

This looks good, but shouldn't CLAUDE.md and AGENTS.md be merged? As far as I know both are read by Claude, but the latter name is more vendor-neutral.

It might also be useful to expand the instruction for PRs and ask the agent to first check if the PR solves some security issue. If that is the case the PR should not be submitted, but the issue should be reported.

@sepe81
Contributor

sepe81 commented May 6, 2026

Hello @lukaszlenart,

One suggestion: the pre-reporting steps, assessment checklist, and report requirements would also be useful to human researchers, not only AI agents. SECURITY.md could be a better place for this content — GitHub shows it on the Security tab and it would help anyone, with or without AI tooling. It would also avoid the same guidance living in two files that could go out of sync.

If the content moves to SECURITY.md, the question is whether AGENTS.md is still needed. It could be dropped entirely, or replaced with a soft-link to CLAUDE.md, which the project already has for AI assistants.

For Claude Code specifically, a .claude/agents/vulnerability-reporter.md subagent (the project already has several in .claude/agents/) could fetch SECURITY.md and the security bulletins at runtime and guide a researcher through the checklist interactively — more useful than a static file.

Proposed structure:

  • SECURITY.md — gets all the pre-reporting guidance; one source of truth
  • AGENTS.md — dropped, or a soft-link to CLAUDE.md
  • .claude/agents/vulnerability-reporter.md — interactive Claude Code agent

@lukaszlenart
Member Author

As far as I know, Claude Code doesn't support AGENTS.md directly. Anyway, I can add a reference from CLAUDE.md to AGENTS.md and SECURITY.md.

And I would keep AGENTS.md with a strong emphasis on security vulnerability reporting, as I observe a large number of reports generated by agents, which basically overwhelms our ability to analyze them. These days anyone with AI aspires to be a security specialist :\

@lukaszlenart
Member Author

@ppkarwasz @sepe81 I made some changes to treat SECURITY.md as the source of truth, updated AGENTS.md and CLAUDE.md to reference it. Let me know if this leans towards your expectations.

Member

@rgielen rgielen left a comment

LGTM 👍

Comment thread SECURITY.md Outdated
Per @ppkarwasz review on #1680: expand the PoC bullet to make explicit
that pushing a PoC to a public GitHub repo, gist, fork, or branch is
public disclosure, and note that private repos require granting access
to each PMC member individually.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@lukaszlenart lukaszlenart merged commit 3432433 into main May 15, 2026
10 checks passed
@lukaszlenart lukaszlenart deleted the chore/agentsmd branch May 15, 2026 11:27