
Add detection promotion, canary, and rollback gates #2606

Closed
shaiananvari8 wants to merge 1 commit into UnitOneAI:main from shaiananvari8:codex-shaian/detection-engineering-promotion-rollback

Conversation

@shaiananvari8


Skill Improvement ($50-150 Bounty)

Addresses #2500

Skill Modified

Skill name: detection-engineering
Skill path: skills/secops/detection-engineering/

What Was Wrong

The skill covered Sigma authoring, ADS documentation, validation, and deployment mechanics, but its lifecycle guidance let a rule move from review/test straight into production without a required promotion decision. That misses a common detection-engineering failure mode: rules that pass lint and synthetic tests can still flood analysts, lose required fields after conversion, trigger the wrong routing path, or lack an emergency rollback owner.

What This PR Fixes

  • Bumps detection-engineering to v1.0.1.
  • Adds promotion and rollback inputs to the context checklist.
  • Extends the detection-as-code pipeline with canary, promotion, and rollback-readiness stages.
  • Adds a dedicated Promotion, Canary, and Rollback Gates section with concrete pass/fail evidence.
  • Tightens the Operational coverage definition so it requires canary promotion and rollback evidence.
  • Adds a Promotion and Rollback Evidence output table.
  • Adds a common pitfall for promoting rules without canary or rollback evidence.

Evidence

Before, the CI/CD stages ended at deploy and monitor:

Review -> Deploy -> Monitor

After, production enablement requires staged proof and rollback readiness:

Review -> Canary -> Promote -> Deploy -> Monitor -> Rollback readiness

Test Cases Added/Updated

  • Existing skill file still has all required frontmatter fields.
  • Markdown fenced-code blocks remain balanced.
  • Marker checks cover version bump, promotion section, canary evidence, downstream routing, rollback owner, and the updated Operational gate.
  • git diff --check passed.
  • Exported patch applies cleanly with git apply --check.

Bounty Tier

  • Moderate ($100) - New operational edge-case coverage and false-positive/alert-storm reduction with evidence.

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: PayPal to shaiananvari8@gmail.com
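The promotion gate the description above sketches (canary evidence, field survival after conversion, routing check, rollback owner) can be made concrete as a small evaluator. The following is an added illustration and is not code from the detection-engineering skill or the SecuritySkills repository; the evidence fields, the failure codes, and the thresholds (5 alerts/hour, 50% canary precision) are assumptions chosen for the example, and the two evidence records are constructed.

```python
"""Promotion/rollback gate evaluator for a detection rule leaving canary.

Added example, not part of the skill under review. Evidence schema, failure
codes and thresholds are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class CanaryEvidence:
    """What the canary stage is expected to hand to the promotion decision."""
    rule_id: str
    canary_hours: float                 # how long the rule ran in canary
    alerts_fired: int                   # alerts produced during the canary window
    true_positives: int                 # alerts analysts confirmed during canary triage
    required_fields: List[str]          # fields the ADS says the alert must carry
    fields_after_conversion: List[str]  # fields actually present after backend conversion
    expected_route: str                 # routing target named in the ADS
    observed_route: str                 # routing target the canary alerts actually reached
    rollback_owner: Optional[str]       # on-call owner able to disable the rule in an emergency
    rollback_tested: bool               # whether the disable/rollback path was exercised


@dataclass
class GateResult:
    rule_id: str
    decision: str                       # "promote" or "hold"
    failures: List[Tuple[str, str]]     # (code, human-readable reason)


def evaluate_promotion(ev: CanaryEvidence,
                       max_alerts_per_hour: float = 5.0,   # assumed alert budget
                       min_precision: float = 0.5) -> GateResult:  # assumed floor
    """Return 'promote' only when every gate has passing evidence; otherwise 'hold'."""
    failures: List[Tuple[str, str]] = []

    # Gate 1: the rule must actually have run in canary, and within the alert budget.
    if ev.canary_hours <= 0:
        failures.append(("no_canary", "rule was not run in canary"))
    else:
        rate = ev.alerts_fired / ev.canary_hours
        if rate > max_alerts_per_hour:
            failures.append(("alert_storm",
                             f"{rate:.1f} alerts/h exceeds budget of {max_alerts_per_hour}/h"))

    # Gate 2: canary triage must show the rule is not mostly noise.
    if ev.alerts_fired > 0:
        precision = ev.true_positives / ev.alerts_fired
        if precision < min_precision:
            failures.append(("low_precision",
                             f"precision {precision:.2f} below {min_precision}"))

    # Gate 3: fields required by the ADS must survive backend conversion.
    missing = [f for f in ev.required_fields if f not in ev.fields_after_conversion]
    if missing:
        failures.append(("fields_lost",
                         "required fields missing after conversion: " + ", ".join(missing)))

    # Gate 4: canary alerts must have reached the route the ADS names.
    if ev.observed_route != ev.expected_route:
        failures.append(("wrong_route",
                         f"routed to {ev.observed_route!r}, ADS expects {ev.expected_route!r}"))

    # Gate 5: rollback readiness needs a named owner and an exercised procedure.
    if not ev.rollback_owner:
        failures.append(("no_rollback_owner", "no emergency rollback owner assigned"))
    if not ev.rollback_tested:
        failures.append(("rollback_untested", "rollback/disable procedure was not exercised"))

    return GateResult(ev.rule_id, "promote" if not failures else "hold", failures)


# Constructed evidence for two hypothetical rules: one ready, one that passes
# lint and unit tests but would still hurt analysts in production.
SAMPLE_EVIDENCE: List[CanaryEvidence] = [
    CanaryEvidence("example-rule-ready", 72.0, 12, 9,
                   ["host.name", "user.name", "process.command_line"],
                   ["host.name", "user.name", "process.command_line", "event.code"],
                   "soc-tier1", "soc-tier1", "detection-oncall", True),
    CanaryEvidence("example-rule-noisy", 24.0, 300, 6,
                   ["host.name", "user.name", "process.command_line"],
                   ["host.name", "user.name"],          # command line dropped in conversion
                   "soc-tier1", "it-helpdesk", None, False),
]


def run_gates(evidence: List[CanaryEvidence]) -> Dict[str, GateResult]:
    """Evaluate every rule and key the results by rule id."""
    return {ev.rule_id: evaluate_promotion(ev) for ev in evidence}


if __name__ == "__main__":
    for rule_id, result in run_gates(SAMPLE_EVIDENCE).items():
        print(f"{rule_id}: {result.decision.upper()}")
        for code, reason in result.failures:
            print(f"  [{code}] {reason}")
```

The point of returning a list of (code, reason) pairs rather than a bare boolean is that the pipeline can attach the failures to the PR or change record as the pass/fail evidence the gate requires, and a rule that is held for "no_rollback_owner" alone is a different conversation from one held for an alert storm.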

@chatgpt-codex-connector


You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@github-actions github-actions Bot added the needs-approved-issue PR has no linked maintainer-approved issue label Jun 15, 2026
@github-actions


Thanks for the submission! 🙏 SecuritySkills is now issue-first: contributions need a linked issue that a maintainer has marked approved before a PR is opened.

Please open an issue describing the skill, wait for the approved label, then reopen this PR with Closes #<issue> in the description. The PR template lists everything we'll look for (including an independently runnable reproduction).

@github-actions github-actions Bot closed this Jun 15, 2026