potiuk opened a new pull request, #496: URL: https://github.com/apache/airflow-steward/pull/496
## Summary

- New framework skill **`security-issue-import-from-scan`** — a triage-first on-ramp that converts a security scanner's multi-finding output into security work, reusing `security-issue-triage` + `security-issue-import` for classification.
- New **`tools/scan-format/`** adapter contract (pluggable per scanner; **ASVS** as the reference adapter).
- A Step-C disposition-bucketing **eval suite** + registration in `docs/labels-and-capabilities.md` (`capability:intake`).

## Motivation

Upstreams an adopter override (the Apache Airflow security team's tracker) that was exercised across three real ASVS scan rounds (airflow-core, task-sdk, providers/google). The valuable, repeatable part is the *triage-and-bucket-against-history* discipline — not mechanical tracker creation — and every adopter gets scanned, so this makes the behaviour a framework default rather than a per-adopter override.

Key guarantees the skill encodes:

- **Triage-first, never auto-import** — the first-pass deliverable is a report; trackers/PRs are opt-in.
- **PR-worth / defense-in-depth findings never become trackers** — proposed per entry (open-PR-or-skip); only a genuine Security-Model violation reachable by an in-scope attacker creates a tracker.
- **Never blindly trust the scanner; default to 1-by-1** with a mandatory per-finding **evidence** deep-read — scanner severity is a starting hypothesis, not a verdict.
- Multi-source (GitHub issues and/or folders), recursive folder discovery, report → secret gist, optional report-back PR (scrubbed of private trackers / unpublished CVEs).

## Migration path for existing adopters

Additive and opt-in: the skill is invoked explicitly, and adopters declare their scan sources + enabled scan-format adapters in `<project-config>/project.md`. No existing behaviour changes; nothing to opt out of.

## Test plan

- `prek run` green on all touched files (skill-and-tool-validate / capability sync, doctoc, markdownlint, typos, license).
- New eval suite `tools/skill-evals/evals/security-issue-import-from-scan/` (Step C, 4 cases) asserts the load-bearing rules: only CVE-worthy creates a tracker; a Medium finding by a trusted actor → by-design; fixed-since-commit → already-fixed.
- The generalisation was validated against three real ASVS scans during the originating adopter runs.

Generated-by: Claude Code (Claude Opus 4.8)
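A constructed Python model of the disposition bucketing the test plan describes (example code added here, not airflow-steward's own; the `Finding` fields, the four bucket names and the sample findings are assumptions drawn from the rules listed in the PR description):

```python
from dataclasses import dataclass
from enum import Enum

# Hypothetical model of the disposition buckets named in the PR description.
# Field and bucket names are assumptions for illustration, not the project's.

class Disposition(Enum):
    ALREADY_FIXED = "already-fixed"
    BY_DESIGN = "by-design"
    PR_OR_SKIP = "open-PR-or-skip"   # PR-worth / defense-in-depth: never a tracker
    TRACKER = "tracker"              # only a CVE-worthy Security-Model violation

@dataclass(frozen=True)
class Finding:
    id: str
    scanner_severity: str            # starting hypothesis only; never consulted below
    fixed_since_commit: bool         # evidence deep-read: already fixed on main?
    requires_trusted_actor: bool     # reachable only by an out-of-scope (trusted) actor?
    security_model_violation: bool   # genuine violation, or defense-in-depth only?

def bucket(f: Finding) -> Disposition:
    """Order matters: history and reachability are settled before the
    'is it a real violation' question, and scanner severity plays no part."""
    if f.fixed_since_commit:
        return Disposition.ALREADY_FIXED
    if f.requires_trusted_actor:
        return Disposition.BY_DESIGN
    if not f.security_model_violation:
        return Disposition.PR_OR_SKIP
    return Disposition.TRACKER

def triage(findings):
    """Triage-first: the deliverable is a report; no tracker is created as a side effect."""
    report = {d: [] for d in Disposition}
    for f in findings:
        report[bucket(f)].append(f.id)
    return report

# Constructed sample findings mirroring the cases the eval suite asserts on.
SAMPLE = [
    Finding("F-1", "Critical", True, False, True),   # fixed since commit -> already-fixed
    Finding("F-2", "Medium", False, True, True),     # trusted actor only -> by-design
    Finding("F-3", "High", False, False, False),     # defense-in-depth -> open-PR-or-skip
    Finding("F-4", "Low", False, False, True),       # real violation, in-scope -> tracker
]

if __name__ == "__main__":
    for d, ids in triage(SAMPLE).items():
        print(f"{d.value}: {ids}")
```

Note that F-4, which the scanner rated Low, is the only finding that becomes a tracker, while the Critical and High ones do not: the bucket is decided by evidence, not by the reported severity.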
