
fix: address all 5 OpenSSF Scorecard alerts + Hypatia CI/CD rules #20

Merged: hyperpolymath merged 1 commit into main from fix/scorecard-alerts on Mar 13, 2026

Conversation

@hyperpolymath (Owner)

Summary

  • Branch-Protection (High): Required reviews set to 1 via API, CODEOWNERS review enabled
  • Code-Review (High): Same branch protection change — all merges now require reviewed PRs
  • Maintained (High): Will auto-resolve on next Scorecard scan (recent commits exist)
  • Fuzzing (Medium): New fuzz.yml workflow — Zig FFI fuzz targets + MCP bridge input fuzzing
  • CII-Best-Practices (Low): Needs manual registration at bestpractices.coreinfrastructure.org
  • CodeQL: Updated to scan actions language alongside javascript-typescript, bumped action SHAs
  • Scorecard-enforcer: Fixed SECURITY.md check to look in .github/ and docs/ (not just root)
  • Hypatia: Added .hypatia/scorecard-rules.yml with 9 CI/CD posture enforcement rules

Test plan

  • Verify Scorecard re-scan produces fewer/no alerts
  • Verify fuzz.yml workflow runs without errors
  • Verify CodeQL scans both JS and Actions languages
  • Verify scorecard-enforcer passes with SECURITY.md in .github/

🤖 Generated with Claude Code

Branch-Protection (High): Set required_approving_review_count=1,
  require_code_owner_reviews=true via GitHub API (already applied).

Code-Review (High): Same branch protection change ensures all merges
  go through reviewed PRs.

Maintained (High): Will auto-resolve — recent commits within 90 days.

Fuzzing (Medium): Add .github/workflows/fuzz.yml with Zig FFI fuzz
  targets and MCP bridge input fuzzing (path traversal, oversized
  input, malformed JSON-RPC).

CII-Best-Practices (Low): Requires manual registration at
  bestpractices.coreinfrastructure.org — noted in Hypatia rules.

Also:
- Fix scorecard-enforcer SECURITY.md check to look in .github/ and
  docs/ (not just root)
- Update CodeQL to scan both javascript-typescript and actions
  languages, bump to latest action SHAs
- Add .hypatia/scorecard-rules.yml with 9 CI/CD posture rules
  (branch-protection, code-review, maintained, fuzzing, pinned-deps,
  cii-best-practices, security-policy, action-sha-pinning,
  workflow-permissions, spdx-headers)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
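As an added illustration of the kind of CI/CD posture checks this PR describes (the SECURITY.md location fix for the scorecard-enforcer, and the action-sha-pinning and workflow-permissions rules listed for Hypatia), here is a small self-contained Python checker. This is example code written for this page, not the repository's own scorecard-enforcer or `.hypatia/scorecard-rules.yml` implementation; the function names, the regex-based workflow parsing, and the sample workflow are assumptions made here. The only facts taken from the PR are the three candidate locations (root, `.github/`, `docs/`) and the rule names.

```python
"""Added example: minimal checks mirroring three CI/CD posture rules named in
this PR (security-policy location, action SHA pinning, workflow permissions).
Illustrative code only; not the project's scorecard-enforcer or Hypatia rules."""
import re

# Locations the PR's fixed check consults: root, .github/, docs/ (from the commit message).
SECURITY_POLICY_CANDIDATES = ("SECURITY.md", ".github/SECURITY.md", "docs/SECURITY.md")

# A full-length commit SHA is 40 hex chars; tags and branches are mutable refs.
_SHA40 = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo@ref" step lines (hypothetical, line-based parsing, no YAML lib).
_USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def find_security_policy(repo_files):
    """Return the first SECURITY.md found among the candidate paths, else None.

    repo_files: iterable of repo-relative paths (e.g. from git ls-files).
    Matching is case-sensitive on purpose: Scorecard looks for SECURITY.md.
    """
    present = set(repo_files)
    for candidate in SECURITY_POLICY_CANDIDATES:
        if candidate in present:
            return candidate
    return None


def unpinned_actions(workflow_text):
    """List `uses:` references that are not pinned to a 40-hex commit SHA.

    Local actions (./path) and docker:// references are skipped; everything
    else must look like owner/repo[/path]@<sha> to count as pinned.
    """
    findings = []
    for line in workflow_text.splitlines():
        m = _USES.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, sep, version = ref.partition("@")
        if not sep or not _SHA40.match(version):
            findings.append(ref)
    return findings


def has_top_level_permissions(workflow_text):
    """True if the workflow declares a top-level (column 0) `permissions:` key.

    A job-level `permissions:` alone does not satisfy this rule, because any job
    without its own block would still receive the default GITHUB_TOKEN scopes.
    """
    return any(re.match(r"^permissions:", line) for line in workflow_text.splitlines())


# Constructed sample workflow for demonstration; not from the repository.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@1234567890abcdef1234567890abcdef12345678
      - uses: ./.github/actions/local-thing
"""


def audit(repo_files, workflows):
    """Run all three checks; returns {rule name: [finding, ...]}."""
    findings = {"security-policy": [], "action-sha-pinning": [], "workflow-permissions": []}
    if find_security_policy(repo_files) is None:
        findings["security-policy"].append("no SECURITY.md in root, .github/ or docs/")
    for name, text in workflows.items():
        for ref in unpinned_actions(text):
            findings["action-sha-pinning"].append(f"{name}: {ref}")
        if not has_top_level_permissions(text):
            findings["workflow-permissions"].append(f"{name}: no top-level permissions block")
    return findings


if __name__ == "__main__":
    result = audit([".github/SECURITY.md", "README.md"], {"ci.yml": SAMPLE_WORKFLOW})
    for rule, items in result.items():
        print(rule, "OK" if not items else items)
```

Run against the constructed sample, the checker accepts the SECURITY.md under `.github/`, flags `actions/checkout@v4` as unpinned (a tag, not a SHA), and accepts the top-level `permissions: contents: read` block. A real enforcer would walk `.github/workflows/*.yml` and feed each file's text to `audit`.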
@hyperpolymath hyperpolymath merged commit 62d5e10 into main Mar 13, 2026
15 of 18 checks passed
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@hyperpolymath hyperpolymath deleted the fix/scorecard-alerts branch March 13, 2026 21:29
hyperpolymath added a commit that referenced this pull request May 20, 2026
## Summary

Re-surveyed all 81 paired cartridges against the freshly-merged iseriser
binary (#20 GADT-skip emitter, #21 runtogether candidate, #22
terminal-`false` switch-arm tolerance). Allowlist grows from **56 → 66**
cartridges.

### Newly clean (+11) — unblocked by iseriser #20/#21/#22

`chapeliser-mcp`, `cloud-mcp`, `comms-mcp`, `container-mcp`,
`git-mcp`, `gitlab-api-mcp`, `ml-mcp`, `mongodb-mcp`,
`queues-mcp`, `research-mcp`, `vordr-mcp`

### Newly drifting (-1) — browser-mcp

Genuine cartridge-side drift: Idris2 `BrowserAction.Type` (Zig
candidate `type`) vs Zig `type_text`. Cartridge-side fix needed, not
a verifier defect; not Class B/C/D — filed as out-of-scope.

### Class taxonomy after the fixes

| Class | Pre-PR | Post-PR | Status |
| --- | --- | --- | --- |
| Clean (allowlist) | 56 | **66** | this PR |
| Class B (name-norm) | covered | partial | iseriser#21 closed multi-cap acronyms; remaining ums-mcp prefix-stripping is open |
| Class C (missing Zig enum) | tracked | tracked | standards#150-155 |
| Class D (abbreviation/acronym boundary) | implicit | filed | standards#156 (3 cartridges: postgresql/hetzner/redis) |
| Class P (verifier parser limit) | 5 | **0** | iseriser#22 closed |
| Class E (malformed Idris2 source) | 1 | **0** | iseriser#20 closed |

## Test plan

- [x] Local re-survey on `origin/main` snapshot (zero cartridge
changes between survey and this PR's base commit)
- [x] All 66 cartridges in the new list verified `abi-verify: OK`
- [x] Removed cartridge (browser-mcp) verified to actually drift
- [ ] CI green on this PR (the workflow itself runs the same
66-cartridge check)

Refs hyperpolymath/standards#92, hyperpolymath/standards#89,
hyperpolymath/iseriser#20, hyperpolymath/iseriser#21,
hyperpolymath/iseriser#22.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>