This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow-steward.git
The following commit(s) were added to refs/heads/main by this push:
new 03e7d168 docs(spec): sync security-issue-lifecycle to reflect
-from-scan and -via-forwarder skills (#566)
03e7d168 is described below
commit 03e7d168dcd427b63833c8bf35a1218c15364087
Author: Justin Mclean <[email protected]>
AuthorDate: Sat Jun 27 06:10:10 2026 +1000
docs(spec): sync security-issue-lifecycle to reflect -from-scan and
-via-forwarder skills (#566)
`security-issue-import-from-scan` (scanner on-ramp via pluggable
scan-format adapter) and `security-issue-import-via-forwarder` (relay sub-skill
for upstream-broker reports) both ship on main but were absent from the spec
skill inventory.
Generated-by: Claude (Opus 4.7)
---
tools/spec-loop/specs/security-issue-lifecycle.md | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/tools/spec-loop/specs/security-issue-lifecycle.md
b/tools/spec-loop/specs/security-issue-lifecycle.md
index 6ada3763..c070206e 100644
--- a/tools/spec-loop/specs/security-issue-lifecycle.md
+++ b/tools/spec-loop/specs/security-issue-lifecycle.md
@@ -29,10 +29,20 @@ publication, with a human gate and an audit-log entry at
every step.
## Where it lives
-- Skills: `security-issue-import` (+ `-from-pr`, `-from-md`),
+- Skills: `security-issue-import` (+ `-from-pr`, `-from-md`,
+ `-from-scan`, `-via-forwarder`),
`security-issue-triage`, `security-issue-deduplicate`,
`security-cve-allocate`, `security-issue-fix`, `security-issue-sync`,
`security-issue-invalidate`.
+ `security-issue-import-from-scan` is the scanner on-ramp: it ingests
+ multi-finding scan output through a pluggable scan-format adapter
+ (`tools/scan-format/`), buckets each finding for operator review, and
+ creates trackers only after per-finding confirmation.
+ `security-issue-import-via-forwarder` is the relay sub-skill: handles
+ reports relayed by an upstream broker (ASF security team or a
+ third-party disclosure platform) by applying preamble-detect,
+ credit-extract, and routing rules declared in
+ `tools/forwarder-relay/`; never mutates tracker state on its own.
- Tools: `tools/cve-tool-vulnogram/generate-cve-json` (CVE 5.x JSON),
`tools/cve-org`, `tools/gmail` + `tools/ponymail` (mail), and the
`tools/privacy-llm` gate/redactor ([the privacy gate](privacy-llm-gate.md)).