cc @elastic/observablt-ci

Recent documentation audit found a concrete behavior mismatch in the security detector docs.

Findings

1. Security ruleset documents severity labels that the detector does not emit

Evidence

• docs/workflows/security-scanning-ruleset.md:67-72 defines a Label column with oblt-aw/severity/{critical,high,medium,low}.
• scripts/create-security-issues.sh:69-73 creates issues with only --label "oblt-aw/detector/security".
• docs/workflows/gh-aw-security-detector.md:27 also documents only oblt-aw/detector/security on created issues.

Why this is materially wrong
A reader following the ruleset would expect severity labels to exist on detector-created issues, but runtime behavior only applies oblt-aw/detector/security. This makes the ruleset’s label contract incorrect for current behavior.

Suggested Actions

• Update docs/workflows/security-scanning-ruleset.md to remove or clearly qualify oblt-aw/severity/* as non-emitted labels unless implementation is added.
• Add an explicit note in docs/workflows/security-scanning-ruleset.md near ## Severity Levels explaining the current emitted label contract from scripts/create-security-issues.sh.
• Cross-link docs/workflows/gh-aw-security-detector.md and docs/workflows/security-scanning-ruleset.md so both describe the same issue-label behavior.

What is this? | From workflow: Observability Agentic Workflow Entrypoint

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

• expires on May 9, 2026, 6:58 AM UTC