
docs(skills): add triaging-security-reports skill #1722

Draft
lukaszlenart wants to merge 1 commit into main from docs/triaging-security-reports-skill

@lukaszlenart
Member

Summary

Adds a new agent skill — .claude/skills/triaging-security-reports/SKILL.md — that guides triage of privately-disclosed security reports. It fits alongside the existing .claude/agents and .claude/commands tooling and complements the process defined in SECURITY.md.

The skill enforces unbiased, source-grounded triage:

  • Treat the report as a claim to test, not a finding to confirm or rebut. Re-derive every assertion (line numbers, severity, "no mitigation exists", call paths) from current source.
  • Iron rule: no statement in a security response without a file:line read this session — applies to the reporter's claims and the maintainer's own.
  • Effective-default trap: verify runtime defaults through the full chain (field initializer → @Inject setter → default.properties → struts.xml), not a single source.
  • Vulnerability vs. operator responsibility framing instead of the "in the default configuration" crutch.
  • Rationalization table + red-flags list drawn from real failure modes.

How it was developed (test-first, per superpowers:writing-skills)

  • RED: baseline agents triaging a deliberately false report produced contradictory, unverified claims about a default (requireAnnotations) and were ready to send them to a reporter.
  • GREEN: with the skill, the agent stated the effective default correctly (default.properties overrides the field initializer), cited file:line per claim, and added no unverified facts.
  • REFACTOR: verified the skill does not over-correct — given a report whose code facts were true, the agent confirmed them and conceded valid points rather than reflexively rejecting.

Notes

  • No JIRA ticket — agent tooling/docs, so a ticketless conventional commit is used per the project commit guideline.
  • No framework code changes; nothing security-sensitive is disclosed.

🤖 Generated with Claude Code

Add an agent skill for triaging privately-disclosed security reports:
research each claim from source without trusting the reporter, verify
effective runtime defaults (config overrides field initializers), avoid
introducing unverified facts into responses, and frame findings as
vulnerability vs. operator responsibility.

Developed test-first: a baseline run produced contradictory, unverified
claims about defaults; the skill closes that gap and was verified to also
avoid over-correcting into reflexive rejection of valid reports.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
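
An added example, not part of this pull request or of the skill it adds: a sketch of the effective-default check named in the description and the commit message, walking field initializer → @Inject setter → default.properties → struts.xml and recording file:line evidence for each layer. The constant `struts.demo.requireFlag`, the class `DemoInterceptor` and all file contents are constructed for illustration; only these four layers are modelled.

```python
import re

# Constructed sample inputs: constant, class and file names are hypothetical.
# Assumption: the @Inject key is a string literal; a constant reference
# would have to be resolved to its string value first.
JAVA_SRC = '''\
public class DemoInterceptor {
    private boolean requireFlag = false;

    @Inject(value = "struts.demo.requireFlag", required = false)
    public void setRequireFlag(String v) {
        this.requireFlag = Boolean.parseBoolean(v);
    }
}
'''
DEFAULT_PROPS = "# shipped defaults\nstruts.demo.requireFlag=true\n"
STRUTS_XML = '<struts>\n  <constant name="struts.demo.other" value="x"/>\n</struts>\n'


def find_line(text, pattern):
    """Return (line number, match) for the first line matching pattern."""
    for number, line in enumerate(text.splitlines(), 1):
        match = re.search(pattern, line)
        if match:
            return number, match
    return None


def effective_default(const, field, java, props, xml):
    """Walk the four layers in order; each later hit overrides the value."""
    key, value, evidence = re.escape(const), None, []
    # Layer 1: field initializer ("this.field = ..." assignments are skipped).
    hit = find_line(java, rf'(?<!\.)\b{re.escape(field)}\s*=\s*([^;]+);')
    if hit:
        value = hit[1].group(1).strip()
        evidence.append(f"DemoInterceptor.java:{hit[0]} initializer={value}")
    # Layer 2: without an @Inject setter, configuration never reaches the field.
    hit = find_line(java, rf'@Inject\([^)]*"{key}"')
    if not hit:
        return value, evidence
    evidence.append(f"DemoInterceptor.java:{hit[0]} @Inject")
    # Layers 3 and 4: uncommented property line, then <constant> override.
    layers = (("default.properties", props, rf'^\s*{key}\s*=\s*(.*)$'),
              ("struts.xml", xml, rf'<constant\s+name="{key}"\s+value="([^"]*)"'))
    for name, text, pattern in layers:
        hit = find_line(text, pattern)
        if hit:
            value = hit[1].group(1).strip()
            evidence.append(f"{name}:{hit[0]} value={value}")
    return value, evidence
```

With the constructed inputs the initializer reads `false` while the effective value is `true`, so a reply citing only the Java field would state the wrong default.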