Merge pull request #8 from DataDog/update-contributing-guide-and-tools

Update contributing guide and tools

Author: sethsec

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,27 +1,52 @@
 ---
-name: Bug report 
-about: Create a bug report in Github
-title: ''
-labels: ''
+name: Bug Report
+about: Report an error in the website, documentation, or existing path data
+title: '[BUG] '
+labels: 'bug'
 assignees: ''
-
 ---
 
-## Categorization 
+## Bug Description
+
+**What's wrong?**
+<!-- A clear and concise description of the bug -->
+
+
+## Location
+
+**Where is the issue?**
+- [ ] Website functionality
+- [ ] Existing path data (incorrect information)
+- [ ] Documentation (README, CONTRIBUTING, etc.)
+- [ ] Validation scripts
+- [ ] Other:
+
+**Specific file or page affected:**
+<!-- e.g., data/paths/iam/iam-001.yaml or https://pathfinding.cloud/paths/iam-001 -->
+
+
+## Details
+
+**Steps to Reproduce** *(for website/script bugs)*
+1.
+2.
+3.
+
+**Expected Behavior**
+<!-- What should happen? -->
+
 
-- [ ] New Path
-- [ ] Add / Update / Fix info within an existing path
-- [ ] New Feature / Major Change / Refactor / Optimization
-- [ ] Non path based documentation Update (Readme, etc)
+**Actual Behavior**
+<!-- What happens instead? -->
 
 
-## Description
-A clear and concise description of what the bug is.
+## Environment *(for website/script bugs)*
 
-## Steps to reproduce
+- Browser:
+- OS:
+- Python version (if running scripts):
 
-## Expected behavior
+## Additional Context
 
-## Actual behavior
+<!-- Screenshots, error messages, or other helpful information -->
 
-## Environment

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: true
+contact_links:
+  - name: Questions & Discussions
+    url: https://github.com/DataDog/pathfinding.cloud/discussions
+    about: Ask questions or discuss ideas with the community

.github/ISSUE_TEMPLATE/new-path-idea.md

@@ -0,0 +1,82 @@
+---
+name: New Path Idea
+about: Suggest a new AWS IAM privilege escalation path
+title: '[PATH IDEA] '
+labels: 'new-path'
+assignees: ''
+---
+
+## Path Idea
+
+**Have you discovered or read about an AWS IAM privilege escalation technique?**
+
+Share it here! Don't worry about having all the details - even a rough idea helps. We'll investigate and build out the full documentation.
+
+---
+
+### Required Information
+
+**Name / Permissions Involved** *(required)*
+<!-- What IAM permissions are needed? Use format: iam:PassRole + lambda:CreateFunction -->
+
+
+**Description** *(required)*
+<!-- How does this privilege escalation work? What can an attacker gain? -->
+
+
+**Required Permissions** *(required)*
+<!-- List the minimum IAM permissions needed to exploit this path -->
+-
+-
+
+---
+
+### Optional Information
+
+*Fill in what you know - everything helps!*
+
+**AWS Services Involved**
+<!-- e.g., IAM, Lambda, EC2, etc. -->
+
+
+**Category**
+<!-- Which category best fits? -->
+- [ ] Self-escalation (modify own permissions)
+- [ ] Principal access (gain access to other users/roles)
+- [ ] New PassRole (create resource + pass role)
+- [ ] Existing PassRole (modify existing resources with attached roles)
+- [ ] Credential access (extract credentials from resources)
+
+**Prerequisites**
+<!-- What conditions must exist in the environment for this to work? -->
+
+
+**Exploitation Commands**
+<!-- If you have AWS CLI commands or other steps, include them here -->
+```bash
+
+```
+
+**Where did you find this?**
+<!-- Blog post, research paper, tool source code, personal discovery, etc. -->
+<!-- Include links if available -->
+
+
+**Who should be credited?**
+<!-- If you know who originally discovered this technique -->
+
+
+**Related Paths**
+<!-- Are there similar paths already documented on pathfinding.cloud? -->
+
+
+---
+
+### Additional Context
+
+<!-- Any other information that might be helpful -->
+
+
+---
+
+*Thank you for contributing to pathfinding.cloud! Even rough ideas help expand the community's knowledge of AWS privilege escalation paths.*

.github/workflows/deploy.yml

@@ -33,9 +33,9 @@ jobs:
         run: |
           pip install -r scripts/requirements.txt
 
-      - name: Validate YAML files
+      - name: Validate YAML files (no drafts allowed on main)
         run: |
-          python scripts/validate-schema.py data/paths/
+          python scripts/validate-schema.py data/paths/ --no-draft
 
       - name: Generate JSON files
         run: |

.github/workflows/validate.yml

@@ -28,10 +28,16 @@ jobs:
         run: |
           pip install -r scripts/requirements.txt
 
-      - name: Validate YAML files
+      - name: Validate YAML files (PRs - drafts allowed)
+        if: github.event_name == 'pull_request'
         run: |
           python scripts/validate-schema.py data/paths/
 
+      - name: Validate YAML files (main branch - no drafts)
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        run: |
+          python scripts/validate-schema.py data/paths/ --no-draft
+
       - name: Comment on PR (on failure)
         if: failure() && github.event_name == 'pull_request'
         uses: actions/github-script@v7
@@ -44,14 +50,32 @@ jobs:
               body: '❌ Schema validation failed. Please check the validation errors above and fix your YAML files according to the [schema documentation](../blob/main/SCHEMA.md).'
             })
 
+      - name: Check for draft paths
+        if: success() && github.event_name == 'pull_request'
+        id: check-drafts
+        run: |
+          DRAFT_COUNT=$(grep -rl "status: draft" data/paths/ 2>/dev/null | wc -l | tr -d ' ')
+          echo "draft_count=$DRAFT_COUNT" >> $GITHUB_OUTPUT
+          if [ "$DRAFT_COUNT" -gt 0 ]; then
+            echo "Found $DRAFT_COUNT draft path(s)"
+            echo "draft_files<<EOF" >> $GITHUB_OUTPUT
+            grep -rl "status: draft" data/paths/ >> $GITHUB_OUTPUT
+            echo "EOF" >> $GITHUB_OUTPUT
+          fi
+
       - name: Comment on PR (on success)
         if: success() && github.event_name == 'pull_request'
         uses: actions/github-script@v7
         with:
           script: |
+            const draftCount = '${{ steps.check-drafts.outputs.draft_count }}';
+            let body = '✅ All YAML files passed schema validation!';
+            if (parseInt(draftCount) > 0) {
+              body += `\n\n📝 **Note:** This PR contains ${draftCount} draft path(s) with \`status: draft\`. A maintainer will enhance these before merging.`;
+            }
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
               repo: context.repo.repo,
-              body: '✅ All YAML files passed schema validation!'
+              body: body
             })

CLAUDE.md

@@ -194,6 +194,7 @@ For complete field specifications, see [SCHEMA.md](SCHEMA.md).
 
 | Field | Type | Quick Description | Details |
 |-------|------|-------------------|---------|
+| `status` | enum | `draft` for partial submissions, omit for complete | [CONTRIBUTING.md](CONTRIBUTING.md#option-2-submit-a-draft-pr) |
 | `prerequisites` | object/array | Conditions required for escalation | [SCHEMA.md](SCHEMA.md#prerequisites-object-or-array) |
 | `limitations` | string | When admin vs limited access is achieved | [SCHEMA.md](SCHEMA.md#limitations-string-optional) |
 | `references` | array | External links and documentation | [SCHEMA.md](SCHEMA.md#references-array-of-objects) |
@@ -268,6 +269,21 @@ Can you task the detection-tools, learning-environments, add-vis, and attributio
 - Exploitation steps are numbered sequentially from 1
 - No unexpected fields
 
+### Draft Mode
+
+The validation script supports draft submissions with relaxed requirements:
+
+```bash
+# Normal mode - allows drafts (for PRs)
+python scripts/validate-schema.py data/paths/
+
+# Strict mode - no drafts allowed (for main branch)
+python scripts/validate-schema.py data/paths/ --no-draft
+```
+
+**Draft paths** (`status: draft`) only require: id, name, category, services, permissions.required, description
+**Complete paths** (no status) require all fields including exploitationSteps, recommendation, discoveryAttribution
+
 ## Website Generation
 
 The website loads data from `docs/paths.json`, which is generated from YAML files: