Skip to content

docs: update agentic-workflows.md Security Review description for multi-framework skill support #1321

Closed
#1385
Closed
docs: update agentic-workflows.md Security Review description for multi-framework skill support#1321
#1385
Labels
documentationImprovements or additions to documentationneeds-triageRequires triage and prioritization
@github-actions

Description

@github-actions
github-actions
bot
opened on Apr 8, 2026

Component

Documentation

Bug Description

docs/architecture/agentic-workflows.md describes the Security Reviewer as orchestrating "OWASP-based vulnerability assessment", but this is no longer accurate after #1223, which added the secure-by-design skill based on UK Government Secure by Design Principles and Australian ASD/ACSC Secure by Design Foundations — neither of which is an OWASP framework.

What the documentation currently says (line ~172):

The Security Reviewer orchestrates OWASP-based vulnerability assessment through four subagents: Codebase Profiler, Skill Assessor, Finding Deep Verifier, and Report Generator. It supports audit, diff, and plan modes.

What the implementation now does (after #1223):

  • The Security Reviewer now supports a secure-by-design skill alongside the existing OWASP skills (owasp-top-10, owasp-llm, owasp-agentic, owasp-mcp, owasp-infrastructure)
  • The agent's own description field reads: "Security skill assessment orchestrator for codebase profiling and vulnerability reporting" — not OWASP-specific
  • A new entry-point prompt security-review-sbd.prompt.md was added specifically for Secure by Design assessments
  • The secure-by-design skill was registered in both the security and hve-core-all collections as experimental

The "OWASP-based" qualifier in the docs is factually inaccurate for anyone using the new secure-by-design skill or the security-review-sbd prompt.

Expected Behavior

docs/architecture/agentic-workflows.md should be updated to:

  1. Replace "OWASP-based" with a broader description that covers multiple security frameworks (e.g., "multi-framework security skill assessment" or "security vulnerability assessment")
  2. Optionally note that supported skills include OWASP frameworks and Secure by Design frameworks

Suggested replacement sentence:

The Security Reviewer orchestrates security skill assessment through four subagents: Codebase Profiler, Skill Assessor, Finding Deep Verifier, and Report Generator. It supports audit, diff, and plan modes across OWASP and Secure by Design frameworks.

Steps to Reproduce

  • View the merged PR: #1223
  • Read .github/agents/security/security-reviewer.agent.md (Inputs section, skill resolution section listing secure-by-design)
  • Compare against docs/architecture/agentic-workflows.md line ~172 (Security Review section)

Additional Context

Documentation file: docs/architecture/agentic-workflows.md

  • Line ~172: Security Review section description

Code files changed in #1223:

  • .github/agents/security/security-reviewer.agent.md — updated to reference secure-by-design as a supported skill
  • .github/skills/security/secure-by-design/SKILL.md — new skill added
  • .github/prompts/security/security-review-sbd.prompt.md — new SBD-specific prompt added
  • collections/security.collection.ymlsecure-by-design skill registered as experimental

Generated by Documentation Update Check ·

Generated by Documentation Update Check ·

Metadata

Metadata

Assignees

No one assigned

    Labels

    documentationImprovements or additions to documentationneeds-triageRequires triage and prioritization

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions