Skip to content

Latest commit

 

History

History

README.md

Table of Contents generated with DocToc

Security workflow skill family

Scope. Works on any project, ASF or not. The ASF intake path (security@, Vulnogram CVE flow) is the default profile; non-ASF adopters swap it for GitHub Security Advisories / a MITRE CNA through the adapter/config layer.

End-to-end automation for an ASF project's security-issue handling process — from inbound report on the project's security@ mailing list through to a published CVE record on cve.org. Eleven skills that compose into the canonical 16-step lifecycle, plus one read-only supporting skill for tracker-stats dashboards (twelve skills total).

Why a framework skill family? The 16-step process exists across the foundation; every project's security team runs essentially the same workflow with project-specific scope labels, mailing-list addresses, milestone formats, and canned-response wording. Lifting the workflow into a project-agnostic framework lets each adopter plug their specifics into <project-config>/ and reuse the skills verbatim.

Skills

Lifecycle skills

Skill Purpose
security-issue-import Import new reports from <security-list> into <tracker>.
security-issue-import-from-pr Open a tracker for a security-relevant fix opened as a public PR.
security-issue-import-from-md Bulk-import findings from a markdown report.
security-issue-import-from-scan Import findings from a security scanner output (Trivy, Grype, etc.) into <tracker>.
security-issue-import-via-forwarder Import reports relayed through the ASF security forwarder when no direct reporter contact exists.
security-issue-triage Propose an initial-triage disposition (VALID / DEFENSE-IN-DEPTH / INFO-ONLY / INVALID / PROBABLE-DUP / FIX-ALREADY-PUBLIC) for each tracker still in Needs triage; opens a discussion comment, never flips the label.
security-issue-sync Reconcile a tracker against its mail thread, fix PR, release train, and archives.
security-cve-allocate Allocate a CVE for a tracker (Vulnogram URL + paste-ready JSON).
security-issue-fix Implement the fix as a public PR in <upstream>.
security-issue-deduplicate Merge two trackers describing the same root-cause vulnerability.
security-issue-invalidate Close a tracker as invalid with a polite-but-firm reporter reply.

Supporting tools

Skill Purpose
security-tracker-stats-dashboard Generate a self-contained HTML dashboard of <tracker> repo statistics (lifecycle bands, opened-vs-untriaged backlog, mean time to triage / first response / fix). Read-only — never modifies tracker state.

Deep documentation

  • process.md — the 16-step lifecycle with Mermaid diagram + per-step description; the label lifecycle state diagram + label reference table. The authoritative process reference.
  • roles.md — who owns which steps (issue triager / remediation developer / release manager), the shared conventions every role observes (keeping the reporter informed, recording status transitions, confidentiality), and the role-by-role workflow walkthroughs.
  • how-to-fix-a-security-issue.md — hands-on guide for a remediation developer picking up a CVE-allocated tracker and shipping the fix.
  • new-members-onboarding.md — onboarding for a new security-team member: tracker access, mail list subscription, expected reading, first triage shadow.
  • threat-model.md — release-blocking threat model for the security skill family: trust boundaries, adversary personas, STRIDE matrix per skill, mitigation cross- reference, residual risk, and the re-audit cadence.
  • forwarder-routing-policy.md — when a tracker has no direct reporter contact (ASF-relay, read-only GHSA, anonymous tip), the skills route reporter-facing communication through the forwarder. The policy defines when that mode applies, the milestone list (events that do get relayed), and the negative list (events that don't — including credit-confirmation questions and regular workflow status).

Adopter contract

The skills resolve project-specific content from the security- workflow files in <project-config>/ — see the adopter scaffold's README.md for the file-by-file index. Required at minimum:

  • project.md — identity, repos, mailing lists, tools
  • canned-responses.md — reporter-facing reply templates
  • scope-labels.md — scope label → CVE product mapping
  • release-trains.md — release-manager attribution
  • title-normalization.md — CVE-title regex cascade

Optional but commonly needed: milestones.md, fix-workflow.md, security-model.md, naming-conventions.md.

Cross-references