Security reporting & dashboards
June 27, 2026 · View on GitHub
title: Security reporting & dashboards status: experimental kind: feature mode: infra source: > README.md § Skill families (security) and AGENTS.md § Reusable skills. Implemented by tools/security-tracker-stats-dashboard/ and the security-tracker-stats-dashboard skill. acceptance:
- A single command produces a self-contained HTML dashboard of tracker statistics without modifying any tracker state.
- The dashboard is read-only; no tracker labels, milestones, or issue bodies are written.
- The tool ships its own tests.
Security reporting & dashboards
What it does
Generates read-only aggregate views of the security tracker's issue backlog — lifecycle-band breakdowns, time-to-triage trends, per-scope pressure, and velocity charts — so the security team can review campaign health without navigating the tracker issue-by-issue.
Where it lives
tools/security-tracker-stats-dashboard/— Python tool that fetches issue and event data from<tracker>(viagh) and renders a self-contained HTML file. Supports incremental resume (re-runs extend the existing data rather than re-fetching everything), configurable lifecycle categories, milestone annotations, and a null-upstream_repopath for trackers whose fixes land across multiple repos.- Skill:
security-tracker-stats-dashboard— invokes the tool, surfaces the output path, and handles staleness detection (~24 h default). Reads only; never posts to the tracker.
Behaviour & contract
- Read-only. Neither the tool nor the skill writes to any tracker issue, label, milestone, or project board field.
- Self-contained output. The rendered HTML embeds all data; no external service is needed to view it.
- Incremental by default. Resume behaviour extends an existing dataset without re-fetching all history; a full rebuild is an opt-in flag.
- Config-driven. Lifecycle category bands, time-to-triage signal,
milestone vertical annotations, and the null-
upstream_repopath are declared in the tool'sdefault-config.yamland overridden per-adopter.
Out of scope
- Writing back any artefact to the tracker (that is the lifecycle skills).
- Publishing the dashboard publicly — output is a local file; distribution is the security team's choice.
Acceptance criteria
render.py/run.shproduces a valid HTML file from<tracker>data.- No tracker state is mutated (read-only
ghcalls only). - The tool ships its own tests under
tools/security-tracker-stats-dashboard/.
Validation
uv run --directory tools/security-tracker-stats-dashboard --group dev pytest
bash -n tools/security-tracker-stats-dashboard/run.sh
shellcheck tools/security-tracker-stats-dashboard/run.sh
Known gaps
experimental— no adopter pilot has run the dashboard end-to-end.- CI integration is a follow-on item.