Security impact field in templates

.github/ISSUE_TEMPLATE/change-request.yml

@@ -0,0 +1,36 @@
+name: Change Request
+description: Tracker issues for new features, enhancements, or configuration changes.
+labels: needs-triage
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: What is the change?
+    validations:
+      required: true
+  - type: dropdown
+    id: security-impact
+    attributes:
+      label: Security Impact
+      description: Level of security impact of the change
+      options:
+          - None
+          - Low
+          - Medium
+          - High
+  - type: textarea
+    id: security-impact-description
+    attributes:
+      label: Security Impact Description
+      description: If the impact is not None, please describe the security impact and necessary mitigations
+    validations:
+      required: true
+  - type: checkboxes
+    id: appsec-signoff
+    attributes:
+      label: Appsec Signoff
+      description: If the security impact is High, has the change been reviewed and approved by the Appsec team?
+      options:
+          - label: Reviewed and approved
+            required: false

.github/pull_request_template.md

@@ -0,0 +1,23 @@
+Fixes #<issue_number>.
+
+### Change Description
+
+<!-- What is the purpose of this change? What should reviewers know? -->
+
+### Security Impact
+
+<!-- Please select one of the following -->
+
+- [ ] The security impact will be assessed in this PR description
+- [ ] The security impact is assessed in the linked issue
+
+(Reviewers: please confirm the security impact before approving)
+
+<!-- If the security impact is to be assessed in the PR:
+#### Security Assessment
+- [ ] Either: the security impact will be assessed in this PR description:
+    - [ ] This change has a high security impact
+      - [ ] The impact has been assessed and approved by appsec
+    - [ ] This change has a medium security impact
+    - [ ] This change has a low security impact
+-->