sprint-security-review
Install: `claude install-skill timwukp/agent-skills-best-practice`
# Sprint Security Review
Make security work visible in the sprint review instead of invisible plumbing. Produce a report that lets the team demo security outcomes to stakeholders in 5 minutes, plus metrics that show trend, not just snapshot.
## What to Gather
Ask for (or extract from CI/scan outputs the user provides):
1. **Pipeline results** for the sprint's final build: SAST, DAST, dependency/container scans, test results and coverage.
2. **Security stories completed** this sprint (IDs and one-line outcomes).
3. **Open security debt**: counts by severity, and anything that aged past SLA.
4. **Two or three sprint-over-sprint metrics** — pick from: mean time to remediate by severity, new findings vs. resolved, false-positive rate, security debt trend, coverage trend.
If the user can't supply real numbers, generate the template with placeholders and mark them clearly — never invent metrics.
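The sprint-over-sprint metrics in item 4 are easy to hand-wave and hard to reproduce, so here is an added example (not part of this skill or the agent-skills-best-practice repository) that computes them from a list of finding records. The `Finding` fields, the `SLA_DAYS` table, the sprint windows and the sample findings are all constructed assumptions; a real run would load the records from the scanner or ticket export the user provides.

```python
"""Sprint security metrics from finding records.
Added example; the record fields, SLA table and sample data are assumptions,
not something the sprint-security-review skill defines."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Assumed remediation SLA per severity, in days (illustrative values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    id: str
    severity: str                  # one of the SLA_DAYS keys
    opened: date
    closed: Optional[date] = None  # None while still open
    false_positive: bool = False   # triaged as noise; excluded from debt and MTTR


def _is_open(f: Finding, as_of: date) -> bool:
    return f.opened <= as_of and (f.closed is None or f.closed > as_of)


def open_debt_by_severity(findings, as_of):
    """Findings still open on `as_of`, counted per severity (false positives excluded)."""
    counts = {sev: 0 for sev in SLA_DAYS}
    for f in findings:
        if not f.false_positive and _is_open(f, as_of):
            counts[f.severity] += 1
    return counts


def aged_past_sla(findings, as_of):
    """IDs of open findings whose age on `as_of` exceeds their severity's SLA."""
    return sorted(
        f.id for f in findings
        if not f.false_positive and _is_open(f, as_of)
        and (as_of - f.opened).days > SLA_DAYS[f.severity]
    )


def mttr_by_severity(findings, start, end):
    """Mean days from open to close, per severity, for findings closed in [start, end]."""
    buckets = {}
    for f in findings:
        if f.false_positive or f.closed is None or not (start <= f.closed <= end):
            continue
        buckets.setdefault(f.severity, []).append((f.closed - f.opened).days)
    return {sev: round(mean(days), 1) for sev, days in buckets.items()}


def new_vs_resolved(findings, start, end):
    """Real (non-false-positive) findings opened vs. closed inside the sprint window."""
    real = [f for f in findings if not f.false_positive]
    new = sum(1 for f in real if start <= f.opened <= end)
    resolved = sum(1 for f in real if f.closed is not None and start <= f.closed <= end)
    return {"new": new, "resolved": resolved, "net": new - resolved}


def false_positive_rate(findings, start, end):
    """Share of findings raised in the sprint that triage marked as false positives."""
    raised = [f for f in findings if start <= f.opened <= end]
    if not raised:
        return 0.0
    return round(sum(f.false_positive for f in raised) / len(raised), 2)


def sprint_trend(findings, sprint_windows):
    """Every metric per (start, end) window, so the report shows direction, not a snapshot."""
    return [
        {
            "sprint": i + 1,
            "open_debt": open_debt_by_severity(findings, end),
            "past_sla": aged_past_sla(findings, end),
            "mttr_days": mttr_by_severity(findings, start, end),
            "flow": new_vs_resolved(findings, start, end),
            "fp_rate": false_positive_rate(findings, start, end),
        }
        for i, (start, end) in enumerate(sprint_windows)
    ]


def trend_table(rows):
    """Render the trend as a markdown table that drops straight into the sprint report."""
    lines = ["| Sprint | Open High+ | Past SLA | New / Resolved | FP rate |",
             "|--------|------------|----------|----------------|---------|"]
    for r in rows:
        high_plus = r["open_debt"]["critical"] + r["open_debt"]["high"]
        lines.append(f"| {r['sprint']} | {high_plus} | {len(r['past_sla'])} | "
                     f"{r['flow']['new']} / {r['flow']['resolved']} | {r['fp_rate']:.0%} |")
    return "\n".join(lines)


# Constructed sample: two two-week sprints and a handful of findings.
SPRINTS = [(date(2024, 3, 4), date(2024, 3, 15)), (date(2024, 3, 18), date(2024, 3, 29))]
SAMPLE = [
    Finding("SAST-101", "critical", date(2024, 3, 5), date(2024, 3, 8)),
    Finding("DEP-202", "high", date(2024, 3, 6), date(2024, 3, 27)),
    Finding("SAST-099", "high", date(2024, 1, 10)),   # carried over, well past the 30-day SLA
    Finding("DAST-301", "low", date(2024, 3, 20), date(2024, 3, 22), false_positive=True),
    Finding("DEP-204", "critical", date(2024, 3, 19), date(2024, 3, 21)),
    Finding("SAST-105", "medium", date(2024, 3, 25)),
]

if __name__ == "__main__":
    print(trend_table(sprint_trend(SAMPLE, SPRINTS)))
```

False positives are excluded from debt, MTTR and the new/resolved flow but kept in the denominator of the false-positive rate, which is the split that keeps the "noise went down" story separate from the "debt went down" story when both are presented together.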
## Green Build Report Template
```markdown
# Sprint [N] — Green Build Report
## Pipeline Status
| Stage | Status | Details |
|-------|--------|---------|
| SAST | ✅/❌ | [new High/Critical count; accepted Medium count with link to acceptance] |
| DAST | ✅/❌ | [findings against staging] |
| Dependency scan | ✅/❌ | [Critical CVEs; notable upgrades] |
| Container/image scan | ✅/❌ | [base image currency] |
| Unit tests | ✅/❌ | [pass count, coverage %] |
| Integration tests | ✅/❌ | [pass count] |
## Security Stories Completed
- [ID] [Title] — [one-line demonstrable outcome, e.g. "transfe