ReaperCI Documentation

ReaperCI documentation

Security finding template

  • Finding ID:
  • Title:
  • Reviewer:
  • First observed:
  • Affected commit, release, image digest, and environment:
  • Severity and scoring method:
  • CWE/CVE references, if applicable:
  • Status: open / remediating / ready for retest / closed / risk accepted

Summary and impact

Describe the violated boundary, attacker prerequisites, affected tenants or data, confidentiality/integrity/availability impact, and realistic worst case.

Reproduction

Provide the minimum safe steps, requests, and non-secret evidence. Never include live credentials, customer content, private keys, or unnecessary exploit data.

Root cause

Identify the exact authorization, validation, isolation, lifecycle, or supply-chain failure. Distinguish the root cause from the observed symptom.

Remediation and compensating controls

Record the intended invariant, code/infrastructure change, interim control, owner, target release, and regression coverage.

Retest

Record reviewer, date, fixed commit/image digest, original reproduction result, new negative/positive cases, and final disposition.

Exception, if any

Record business justification, exploitability analysis, scope, monitoring, named approver, expiry date, and the event that forces earlier review. Critical or high findings cannot be accepted for managed GA.