From 06f0fe728f86f6969176082680fbf37ac2b809d0 Mon Sep 17 00:00:00 2001
From: Bill Berry <wberry@microsoft.com>
Date: Sat, 28 Mar 2026 10:37:42 -0700
Subject: [PATCH] feat(security-identity): add security review gate via
 CODEOWNERS, PR template, and label
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- add security-sensitive path entries to CODEOWNERS for SECURITY.md, 010-security-identity, deploy
- add Security Review checklist section to PR template with 5 security checks
- replace stale MegaLinter reference with generic lint checks pass item
- create security-reviewed label for PRs touching security-sensitive paths

🔒 Fixes #171 - Generated by Copilot
---
 .github/CODEOWNERS               |  5 +++++
 .github/PULL_REQUEST_TEMPLATE.md | 15 ++++++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 04704042..575e1e4e 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -49,3 +49,8 @@
 
 # Security
 /project-security-plans/ @microsoft/edge-ai-core-dev
+
+# Security-sensitive paths (PRs require security-reviewed label before merge)
+/SECURITY.md @microsoft/edge-ai-core-dev
+/src/000-cloud/010-security-identity/ @microsoft/edge-ai-core-dev
+/deploy/ @microsoft/edge-ai-core-dev
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index 04b66192..fce4bfa7 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -46,7 +46,20 @@
 - [ ] I have run `az bicep format` on all Bicep code
 - [ ] I have run `az bicep build` to validate all Bicep code
 - [ ] I have checked for any sensitive data/tokens that should not be committed
-- [ ] I have run MegaLinter on my code (`mega-linter-runner`)
+- [ ] Lint checks pass (run applicable linters for changed file types)
+
+## Security Review
+<!-- Required for PRs touching security-sensitive paths:
+     - SECURITY.md
+     - src/000-cloud/010-security-identity/
+     - deploy/
+     PRs modifying these paths require the `security-reviewed` label before merge. -->
+
+- [ ] No credentials, secrets, or tokens are hardcoded or logged
+- [ ] RBAC and identity changes follow least-privilege principles
+- [ ] No new network exposure or public endpoints introduced without justification
+- [ ] Dependency additions or updates have been reviewed for known vulnerabilities
+- [ ] Container image changes use pinned digests or SHA references
 
 ## Additional Notes
 <!-- Add any other context about the PR here -->