From 808668ecc1cb77261ac54ed87541ce361dfd477e Mon Sep 17 00:00:00 2001 From: Chris Llanwarne Date: Wed, 21 Aug 2024 17:47:43 -0400 Subject: [PATCH 1/4] Security impact field in templates --- .github/ISSUE_TEMPLATE/change-request.yml | 36 +++++++++++++++++++++++ .github/pull_request_template.md | 23 +++++++++++++++ 2 files changed, 59 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/change-request.yml create mode 100644 .github/pull_request_template.md diff --git a/.github/ISSUE_TEMPLATE/change-request.yml b/.github/ISSUE_TEMPLATE/change-request.yml new file mode 100644 index 00000000000..b30f001a607 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/change-request.yml @@ -0,0 +1,36 @@ +name: Change Request +description: Tracker issues for new features, enhancements, or configuration changes. +labels: needs-triage +body: + - type: textarea + id: description + attributes: + label: Description + description: What is the change? + validations: + required: true + - type: dropdown + id: security-impact + attributes: + label: Security Impact + description: Level of security impact of the change + options: + - None + - Low + - Medium + - High + - type: textarea + id: security-impact-description + attributes: + label: Security Impact Description + description: If the impact is not None, please describe the security impact and necessary mitigations + validations: + required: true + - type: checkboxes + id: appsec-signoff + attributes: + label: Appsec Signoff + description: If the security impact is High, has the change been reviewed and approved by the Appsec team? + options: + - label: Reviewed and approved + required: false diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 00000000000..56e6b93a168 --- /dev/null +++ b/.github/pull_request_template.md 
@@ -0,0 +1,23 @@ +Fixes #. + +### Change Description + + + +### Security Impact + + + +- [ ] The security impact will be assessed in this PR description +- [ ] The security impact is assessed in the linked issue + +(Reviewers: please confirm the security impact before approving) + + From f1972d5ee6c487d2ba7bec17919d3fa4c1d7b215 Mon Sep 17 00:00:00 2001 From: Chris Llanwarne Date: Wed, 21 Aug 2024 18:28:42 -0400 Subject: [PATCH 2/4] Oops, didn't finish --- .github/pull_request_template.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 56e6b93a168..46cb38c3069 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -15,9 +15,14 @@ Fixes #. From 3ebd4234035be5bd59a6e6e5622211ebba693ec9 Mon Sep 17 00:00:00 2001 From: Chris Llanwarne Date: Thu, 5 Sep 2024 10:35:43 -0400 Subject: [PATCH 3/4] Refactored issue security assessments to be just about config changes, made PR security assessment required and added some examples. --- .github/ISSUE_TEMPLATE/change-request.yml | 12 ++++++----- .github/pull_request_template.md | 26 ++++++++++------------- 2 files changed, 18 insertions(+), 20 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/change-request.yml b/.github/ISSUE_TEMPLATE/change-request.yml index b30f001a607..7cd627d4ed1 100644 --- a/.github/ISSUE_TEMPLATE/change-request.yml +++ b/.github/ISSUE_TEMPLATE/change-request.yml @@ -1,6 +1,6 @@ -name: Change Request -description: Tracker issues for new features, enhancements, or configuration changes. -labels: needs-triage +name: Configuration Change +description: Tracker issues for configuration changes +labels: [ needs-triage ] body: - type: textarea id: description 
@@ -15,15 +15,17 @@ body: label: Security Impact description: Level of security impact of the change options: - - None + - No Impact - Low - Medium - High + validations: + required: true - type: textarea id: security-impact-description attributes: label: Security Impact Description - description: If the impact is not None, please describe the security impact and necessary mitigations + description: If the impact is No Impact or Low, justify that rating. If the impact is Medium or High, describe the security impact and any mitigations. validations: required: true - type: checkboxes diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 46cb38c3069..1af16bfb980 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -4,25 +4,21 @@ Fixes #. -### Security Impact - - - -- [ ] The security impact will be assessed in this PR description -- [ ] The security impact is assessed in the linked issue - -(Reviewers: please confirm the security impact before approving) - - + +- For none/low impact: a quick one/two sentence justification of the rating. + - Example: "Docs only", "Low-level refactoring of non-security code", etc. +- For medium/high impact: provide a description of the impact and the mitigations in place. + - Example: "New UI text field added in analogy to existing elements, with input strings escaped and validated against code injection" From 80b4fdf908368ca45368d4af0c94a3ce9af9d80f Mon Sep 17 00:00:00 2001 From: Chris Llanwarne Date: Thu, 5 Sep 2024 11:15:57 -0400 Subject: [PATCH 4/4] Slightly more streamlined --- .github/pull_request_template.md | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 1af16bfb980..e5f983a02e3 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -1,8 +1,6 @@ -Fixes #. - ### Change Description - +Fixes #. ### Security Assessment 
@@ -12,13 +10,11 @@ Fixes #. - [ ] This change has a low security impact - [ ] This change has no security impact -(Reviewers: please confirm the security impact before approving) - -#### Description - -Please describe the security impact and necessary mitigations here. +Description of the security impact and necessary mitigations: - For none/low impact: a quick one/two sentence justification of the rating. - Example: "Docs only", "Low-level refactoring of non-security code", etc. - For medium/high impact: provide a description of the impact and the mitigations in place. - Example: "New UI text field added in analogy to existing elements, with input strings escaped and validated against code injection" + +(Reviewers: please confirm the security impact before approving) \ No newline at end of file
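Review bot: in the first hunk of PATCH 1/4 (`.github/ISSUE_TEMPLATE/change-request.yml`), the `security-impact-description` textarea is `required: true` while its own description says to fill it in only "If the impact is not None", so an issue rated None cannot be submitted without typing into a field the text declares not applicable; either drop `required: true` or reword the hint to ask for a short justification at every rating level. The `security-impact` dropdown itself has no `validations` block, so the rating can be left unset entirely; add `validations: required: true` under it. The `appsec-signoff` checkbox with `required: false` cannot enforce the High-impact review it asks about (issue forms have no conditional requirements), and an unchecked box does not distinguish "impact below High" from "High but not yet reviewed"; a second option such as `- label: Not applicable (impact below High)` would make the submitted form unambiguous for triage.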
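Review bot: in the `.github/pull_request_template.md` hunk of PATCH 1/4, the checkbox "The security impact is assessed in the linked issue" lets the author defer the rating entirely, but `Fixes #.` is the only link and nothing carries the issue's `Security Impact` value into the PR, so a reviewer must open the issue to learn whether a rating exists before approving. Ask for the rating to be restated in the PR body (a checkbox per level, or a one-line "Security impact: ..." field) so the assessment is visible where the approval happens.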
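Review bot: in the first hunk of PATCH 3/4 (`@@ -1,6 +1,6 @@` in `change-request.yml`), the template is narrowed to `name: Configuration Change`, but the file is still named `change-request.yml` and the `description` prompt remains the generic "What is the change?"; rename the file to match (for example `config-change.yml`, a suggested name) and ask specifically which configuration values change and where they take effect, since that is what the security rating below is judged on. Minor: the new `description: Tracker issues for configuration changes` drops the trailing period the previous text had.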
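Review bot: in the second hunk of PATCH 3/4 (`@@ -15,15 +15,17 @@` in `change-request.yml`), adding `validations: required: true` to the dropdown closes the gap where a rating could be left unset, and asking for a justification at every level resolves the mismatch with the required description field. One wording nit: the new hint "If the impact is No Impact or Low, justify that rating. If the impact is Medium or High, describe the security impact and any mitigations." is long for a form hint and reads awkwardly ("the impact is No Impact"); consider `For No Impact or Low, briefly justify the rating; for Medium or High, describe the impact and the mitigations.`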
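Review bot: in the `pull_request_template.md` hunk of PATCH 3/4 (`@@ -4,25 +4,21 @@`), the added bullets use "none/low" and "medium/high" while the issue form in the same series uses the ratings `No Impact`, `Low`, `Medium`, `High`; align the wording so a reviewer comparing issue and PR sees the same scale. The medium/high example ("input strings escaped and validated against code injection") describes a mitigation without saying where it lives; ask authors to point at the code path or test that implements the mitigation, otherwise the sentence cannot be verified during review. This hunk also removes the "(Reviewers: please confirm the security impact before approving)" line, which was the only cue directed at the approver; keep it (it is re-added later in the series, but this commit on its own loses it).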
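Review bot: in the first hunk of PATCH 4/4 (`@@ -1,8 +1,6 @@`), moving `Fixes #.` under `### Change Description` is fine, but note that a `Fixes #N` reference auto-closes the issue on merge; since the linked configuration-change issue carries the security rating and the Appsec sign-off, a PR that only partially addresses it should use a non-closing reference instead, and the template could say so in a one-line hint next to `Fixes #.`.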
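Review bot: in the second hunk of PATCH 4/4 (`@@ -12,13 +10,11 @@`), the rating checkboxes (`- [ ] This change has a low security impact`, `- [ ] This change has no security impact`) are ordinary Markdown checkboxes, so nothing prevents ticking none of them or several; add "Tick exactly one" to the heading or, better, a lightweight CI check on the PR body that fails when the count of ticked rating boxes is not one, so the reviewer prompt at the end has something concrete to confirm. Nit: the file now ends with `\ No newline at end of file`; add the trailing newline.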