Security feedback

The security feedback workflow processes a maintainer's reply to a security-labelled issue, usually one of the scan summaries produced by security review. It turns that reply into action: breaking the findings into individual issues, recording accepted risk or false positives, reopening a finding, or simply continuing the discussion in-thread.

Permission profile: repo-write. The workflow has full read/write access to the repository so that it can open PRs that update SECURITY.md and create new issues. Because it holds write access and is started by a comment, the reply it acts on must come from a maintainer: a comment from anyone else should not be able to drive issue creation or a change to SECURITY.md.

Pipeline

Process feedback: act on the maintainer's reply

What it does

Depending on the maintainer's intent, it can:

  • Create issues — break the findings into individual issues
  • Accept risk / false-positive — update SECURITY.md via a PR
  • Reopen — reopen a finding that was previously closed
  • Discuss — reply in-thread without further action

Triggers

  • GitHub comment: an @last-light mention on an issue labelled security (route security_feedback)
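As an added example (not last-light's own code), the gate a write-capable, comment-triggered workflow like this one needs before it acts, with the four intents above dispatched to the side effects they are allowed to have. Only the trigger (an @last-light mention on an issue labelled security, route security_feedback) and the four intents come from this page; the event shape, the permission levels treated as "maintainer", the keyword patterns and the action names are assumptions for illustration.

```python
# Added example, not last-light's own code: a minimal trigger gate and intent
# dispatcher for a comment-driven workflow that runs with repo-write.
# Assumptions: the event shape, the permission levels counted as maintainer,
# the keyword patterns and the action names. Only the trigger and the four
# intents (create issues, accept risk, reopen, discuss) come from the page.
import re
from dataclasses import dataclass, field
from typing import List, Optional

BOT_HANDLE = "@last-light"
TRIGGER_LABEL = "security"
ROUTE = "security_feedback"
# Assumed collaborator permission levels that count as "maintainer". The
# workflow holds repo-write, so only these may drive write actions.
MAINTAINER_ROLES = {"write", "maintain", "admin"}


@dataclass
class CommentEvent:
    issue_labels: List[str]
    author_permission: str  # e.g. "read", "triage", "write", "maintain", "admin"
    body: str


@dataclass
class Plan:
    route: Optional[str]
    action: Optional[str]
    reason: str
    side_effects: List[str] = field(default_factory=list)


# Assumed keyword patterns mapping a reply to one of the four intents; first
# match wins, anything else is "discuss" (reply in-thread, no further action).
INTENT_PATTERNS = [
    ("create_issues", re.compile(
        r"\b(split|break (this|these|them) (up|out)|separate issues?|one issue per|create issues?)\b", re.I)),
    ("accept_risk", re.compile(
        r"\b(accept(ed|ing)? (the )?risk|false[ -]positive|won'?t fix|by design)\b", re.I)),
    ("reopen", re.compile(
        r"\b(re-?open|still (present|vulnerable|exploitable))\b", re.I)),
]

# What each intent is allowed to do with repo-write, per "What it does" above.
SIDE_EFFECTS = {
    "create_issues": ["create one issue per finding"],
    "accept_risk": ["open a PR updating SECURITY.md"],
    "reopen": ["reopen the finding"],
    "discuss": [],
}


def should_route(event: CommentEvent) -> bool:
    """Trigger check: an @last-light mention on an issue carrying the security label."""
    return BOT_HANDLE in event.body and TRIGGER_LABEL in event.issue_labels


def classify_intent(body: str) -> str:
    for name, pattern in INTENT_PATTERNS:
        if pattern.search(body):
            return name
    return "discuss"


def plan(event: CommentEvent) -> Plan:
    """Decide what the workflow may do for one comment event."""
    if not should_route(event):
        return Plan(None, None, "not an @last-light mention on a security-labelled issue")
    # Least-privilege gate: a comment from a non-maintainer must never drive
    # issue creation or a SECURITY.md change, so it is not acted on at all.
    if event.author_permission not in MAINTAINER_ROLES:
        return Plan(ROUTE, None,
                    f"commenter has {event.author_permission!r} permission, not a maintainer")
    intent = classify_intent(event.body)
    return Plan(ROUTE, intent, "maintainer reply", list(SIDE_EFFECTS[intent]))


if __name__ == "__main__":
    # Constructed sample events, not real issue data.
    samples = [
        CommentEvent(["security"], "maintain", "@last-light please split these into separate issues"),
        CommentEvent(["security"], "read", "@last-light this is a false positive, won't fix"),
        CommentEvent(["bug"], "admin", "@last-light reopen this"),
    ]
    for ev in samples:
        print(plan(ev))
```

The order of the checks is the point: the trigger match and the maintainer check both run before any intent is read from the comment body, so text in a non-maintainer's comment can never select a write action, and an unmatched maintainer reply falls through to "discuss" rather than to a default that writes.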

Skill

This workflow uses the security-feedback skill.