security-intake-playground

External GitHub Action playground for reportproof/security-intake.

This repository verifies the public integration path:

uses: reportproof/security-intake@main

It contains only sanitized, synthetic Markdown reports. These examples do not claim vulnerabilities in any real project.

What This Tests

The workflow in .github/workflows/security-intake.yml runs five report shapes:

| Report | Expected decision | Purpose |
| --- | --- | --- |
| reports/good-report.md | ready_for_maintainer_review | Complete evidence should reach human triage. |
| reports/missing-proof.md | needs_more_evidence | Salvageable reports should ask for proof without being dismissed. |
| reports/scanner-dump.md | likely_low_quality_or_ai_generated | Generic scanner dumps should not consume direct triage time. |
| reports/vague-ai-claim.md | likely_low_quality_or_ai_generated | Untested AI-style claims should meet the same evidence bar. |
| reports/policy-boundary.md | ready_for_maintainer_review | Evidence-complete boundary reports should remain for maintainers to judge. |

How To Run

Open the Actions tab and run one of these workflows:

  • Security Intake Playground: runs all five report shapes as a regression matrix.
  • Security Intake Evaluation: runs one selected report path, matching the copy-paste evaluation flow documented in security-intake.

You can also run the single-report workflow with GitHub CLI:

gh workflow run "Security Intake Evaluation" \
  --repo reportproof/security-intake-playground \
  -f report-path=reports/good-report.md

Each matrix job writes a result file under security-intake-results/ and checks that:

  • the decision output matches the expected decision,
  • the result-path output points to the generated result,
  • the result file exists,
  • the generated result includes the decision,
  • the generated result does not copy the original report body.
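The five checks above as a single POSIX shell function that can be run locally against a result file and its source report; this is an added example, not code from the security-intake Action or this playground's workflow. The function name, its argument order and the sample report and result files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from reportproof/security-intake or the playground:
# the five post-run checks above as a POSIX shell function that runs locally.
# File contents below are constructed samples, not real tool output.
# check_result DECISION_OUTPUT RESULT_PATH_OUTPUT EXPECTED_DECISION REPORT_FILE
# Returns 0 when all checks pass, 1 on the first failure (reason on stderr).
check_result() {
  decision_out=$1; result_path_out=$2; expected=$3; report=$4
  # 1. the decision output matches the expected decision
  if [ "$decision_out" != "$expected" ]; then
    echo "decision '$decision_out' != expected '$expected'" >&2; return 1
  fi
  # 2. the result-path output points under security-intake-results/
  case "$result_path_out" in
    *security-intake-results/*) ;;
    *) echo "result path '$result_path_out' not under security-intake-results/" >&2; return 1 ;;
  esac
  # 3. the result file exists
  if [ ! -f "$result_path_out" ]; then
    echo "result file '$result_path_out' missing" >&2; return 1
  fi
  # 4. the generated result includes the decision
  if ! grep -qF -e "$expected" "$result_path_out"; then
    echo "result does not mention decision '$expected'" >&2; return 1
  fi
  # 5. no non-empty, non-heading report line may appear verbatim in the result
  while IFS= read -r line; do
    case "$line" in ""|"#"*) continue ;; esac
    if grep -qxF -e "$line" "$result_path_out"; then
      echo "result copies report line: $line" >&2; return 1
    fi
  done < "$report"
  return 0
}

# --- constructed sample report and two sample results ---
sample_dir=$(mktemp -d)
mkdir -p "$sample_dir/reports" "$sample_dir/security-intake-results"
cat > "$sample_dir/reports/good-report.md" <<'EOF'
# Synthetic report (constructed for this example)
Affected component: example-service, local test build only.
Steps to reproduce: run the attached regression test against the local build.
EOF
# Compliant result: decision present, report body not copied.
printf '# security-intake result\ndecision: ready_for_maintainer_review\nscore: 9\n' \
  > "$sample_dir/security-intake-results/good-report.md"
# Non-compliant result: copies a report line verbatim, which check 5 rejects.
{ cat "$sample_dir/security-intake-results/good-report.md"
  echo "Steps to reproduce: run the attached regression test against the local build."
} > "$sample_dir/security-intake-results/leaky.md"
```

Run it as a step after the Action in a local dry run, or call `check_result` from a test script with the Action's `decision` and `result-path` outputs.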

The security-intake Action job summary is intentionally limited to the decision, score, counts, result file path, and triggered rule IDs. The single-report workflow uploads security-intake-result.md as a 7-day artifact for manual inspection.

Safety

Do not add private vulnerability reports, real exploit payloads, secrets, customer data, or active zero-day material to this playground.
