security-issue-import-from-pr
Install: claude install-skill apache/airflow-steward
<!-- Placeholder convention (see AGENTS.md#placeholder-convention-used-in-skill-files):
<project-config> → adopting project's `.apache-steward/` directory
<tracker> → value of `tracker_repo:` in <project-config>/project.md
(example: airflow-s/airflow-s for the Apache Airflow security team)
<upstream> → value of `upstream_repo:` in <project-config>/project.md
(example: apache/airflow)
Before running any bash command below, substitute these with the
concrete values from the adopting project's <project-config>/project.md. -->
# security-issue-import-from-pr
This skill is an alternative on-ramp to the security-issue handling
process for the case where the report **never arrived on
`<security-list>`**. A contributor opened a public fix
in `<upstream>`; somebody on the security team noticed it is
security-relevant; the team decided informally that the fix
warrants a CVE. This skill turns that public PR into an
`<tracker>` tracking issue so the rest of the workflow
(`security-cve-allocate` → `security-issue-sync` → `security-issue-fix` →
public advisory) can run.

It is the smaller sibling of [`security-issue-import`](../security-issue-import/SKILL.md):

| | `security-issue-import` | `security-issue-import-from-pr` |
|---|---|---|
| Source | `<security-list>` Gmail / PonyMail thread | `<upstream>` PR URL or number |
| Reporter present | Yes (external researcher) | No (PR author = remediation develo