Pilot solution.

.github/workflows/aquasec-scan.yml

@@ -0,0 +1,105 @@
+#
+# Copyright 2026 ABSA Group Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Reusable workflow – Aquasec Scan + Security Alerts to Issues.
+#
+# Called from application repositories via workflow_call.
+# The caller triggers on schedule / workflow_dispatch and passes the required secrets.
+
+name: Aquasec Scan
+
+on:
+  workflow_call:
+    inputs:
+      verbose-logging:
+        description: 'Enable verbose logging for AquaSec scan'
+        required: false
+        type: boolean
+        default: false
+    secrets:
+      AQUA_KEY:
+        required: true
+      AQUA_SECRET:
+        required: true
+      AQUA_GROUP_ID:
+        required: true
+      AQUA_REPOSITORY_ID:
+        required: true
+      TEAMS_WEBHOOK_URL:
+        required: false
+
+permissions:
+  contents: read
+  actions: read
+  issues: write
+  security-events: write
+
+jobs:
+  aquasec-scan:
+    name: Aquasec Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        with:
+          persist-credentials: false
+          fetch-depth: 0
+
+      - name: Fetch AquaSec Scan Results
+        id: aquasec
+        uses: AbsaOSS/aquasec-scan-results@master # TODO - pin to specific sha when possible
+        with:
+          aqua-key: ${{ secrets.AQUA_KEY }}
+          aqua-secret: ${{ secrets.AQUA_SECRET }}
+          group-id: ${{ secrets.AQUA_GROUP_ID }}
+          repository-id: ${{ secrets.AQUA_REPOSITORY_ID }}
+          verbose-logging: ${{ inputs.verbose-logging }}
+
+      - name: Upload Scan Results to GitHub Security
+        uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2
+        with:
+          sarif_file: ${{ steps.aquasec.outputs.aquasec-sarif-file }}
+          category: aquasec
+
+  sync-alerts-to-issues:
+    name: Security Alerts to Issues
+    needs: aquasec-scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout security scripts
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        with:
+          repository: AbsaOSS/organizational-workflows
+          ref: master
+          path: org-workflows
+          persist-credentials: false
+
+      - name: Set up Python
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548
+        with:
+          python-version: '3.14'
+          cache: 'pip'
+          cache-dependency-path: org-workflows/github/security/requirements.txt
+
+      - name: Install dependencies
+        run: pip install -r org-workflows/github/security/requirements.txt
+
+      - name: Run alert-to-issue sync
+        env:
+          GH_TOKEN: ${{ github.token }}
+          TEAMS_WEBHOOK_URL: ${{ secrets.TEAMS_WEBHOOK_URL }}
+        run: |
+          org-workflows/github/security/sync_security_alerts.sh

.github/workflows/remove-adept-to-close-on-issue-close.yml

@@ -0,0 +1,73 @@
+#
+# Copyright 2026 ABSA Group Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Reusable workflow – Remove sec:adept-to-close label when an issue is closed.
+#
+# Called from application repositories via workflow_call.
+# The caller must trigger on `issues: [closed]`.
+# Note: for `workflow_call`, the called workflow receives the same event payload as the caller,
+# so `context.payload` (aka `github.event`) is populated without needing to "forward" it via inputs.
+
+name: Remove sec:adept-to-close on close
+
+on:
+  workflow_call:
+
+permissions:
+  issues: write
+
+jobs:
+  cleanup-label:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Remove label when conditions match
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
+        with:
+          script: |
+            const issue = context.payload.issue;
+
+            // Safety: ignore PRs (they can appear as issues in GitHub UI)
+            if (issue.pull_request) {
+              core.info('Skipping: payload refers to a pull request, not an issue.');
+              return;
+            }
+
+            const labels = (issue.labels ?? [])
+              .map(l => (typeof l === 'string' ? l : l?.name))
+              .filter(Boolean);
+
+            const hasScopeSecurity = labels.includes('scope:security');
+            const hasTechDebt = labels.includes('type:tech-debt');
+            const hasAdeptToClose = labels.includes('sec:adept-to-close');
+
+            if (!hasScopeSecurity || !hasTechDebt) {
+              core.info(
+                `Skipping: required labels missing (scope:security=${hasScopeSecurity}, type:tech-debt=${hasTechDebt}).`
+              );
+              return;
+            }
+
+            if (!hasAdeptToClose) {
+              core.info('No-op: label sec:adept-to-close is not present on the issue.');
+              return;
+            }
+
+            await github.rest.issues.removeLabel({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: issue.number,
+              name: 'sec:adept-to-close',
+            });

.gitignore

@@ -0,0 +1,11 @@
+.DS_Store
+github/security/__pycache__/
+**/__pycache__/
+*.pyc
+/.idea
+target
+.bsp
+.idea
+*.iml
+.vscode
+github/security/alerts*.json

README.md

@@ -1,2 +1,17 @@
-# organizational-workflows
-Public repository standards toolkit: templates, labels, policy examples, and optional automation for GitHub repos.
+# Organizational workflows
+
+This repository is a small toolkit of repeatable, organization-level workflows for GitHub repositories.
+Each workflow lives next to its automation code under `github/` and is documented in a folder-level README.
+
+## Workflows
+
+### Security automation (Code Scanning → Issues)
+
+Turns GitHub Code Scanning alerts (SARIF-based tools such as AquaSec) into a managed GitHub Issues backlog.
+Issues become the system of record for ownership, postponement, lifecycle events, and reporting.
+
+- Documentation and usage: [github/security/README.md](github/security/README.md)
+
+## Next
+
+More workflows will be added over time, each with its own folder and README under `github/`.