ci(hypatia): re-adopt canonical hypatia-scan.yml — SARIF code-scanning + report truth-fix (#35 items 1 & 3)

[hyperpolymath]

Closes burble#35 items 1 & 3. Item 2 (re-arm Elixir test gate) is independent + blocked and tracked separately (sub-issue incoming).

Fixed at source (per maintainer decision): the canonical hypatia-scan.yml lives in the template homes, so the change was authored in rsr-template-repo (PR #53) and propagated to v3-templater (#73) and reposystem (#49). This PR is burble re-adopting it — no drift, survives the next "adopt canonical" sweep.

Item 1 — Hypatia SARIF → code scanning ✅

• JSON → SARIF 2.1.0 (dependency-free Node; rule id, severity→level, file/region, partialFingerprints dedupe)
• security-events: write (documented; single-job so no narrower scope)
• github/codeql-action/upload-sarif@v3.28.1, category hypatia (coexists with CodeQL)
• Artifact upload retained
• Gating policy explicit & commented (advisory-first; tighten via branch protection on the SARIF category)
• Empty/unavailable scan → valid empty SARIF, clears stale alerts, no error
• Fork-PR limitation handled (read-only token → upload skipped via guard, documented)

Item 3 — dead autofix reference ✅

• Removed robot-repo-automaton (Phase 3) promise from the scan report
• # exit 1 replaced by an explicit, documented advisory gating decision
• Phase-2 gitbot-fleet text already truthful (post-fix(ci): Phase-2 fleet submission must not fail the security gate #36) — left intact

Validation

YAML parses (verified); embedded converter passes node --check; functional tests: absolute→repo-relative path, empty file→., severity mapping, sha256 fingerprints, malformed/empty input → valid empty SARIF. BEAM pins (1.19.4 / 28.3) unchanged (pin-guarded).

Refs #35

🤖 Generated with Claude Code

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[github-actions]

🔍 Hypatia Security Scan

Findings: 18 issues detected

Severity	Count
🔴 Critical	4
🟠 High	4
🟡 Medium	10

⚠️ Action Required: Critical security issues found!

View findings

[
  {
    "reason": "Action ocaml/setup-ocaml@v3 needs attention",
    "type": "unpinned_action",
    "file": "affinescript-canary.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "No permissions declaration -- add permissions: read-all",
    "type": "missing_permissions",
    "file": "elixir-ci.yml",
    "action": "add_permissions",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "binary_to_term without :safe option -- deserialization attack (1 occurrences, CWE-502)",
    "type": "elixir_send_unsanitised",
    "file": "/home/runner/work/burble/burble/server/lib/burble/media/lmdb_playout.ex",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "SSL verify_none disables certificate validation -- MITM risk (1 occurrences, CWE-295)",
    "type": "elixir_no_ssl_verify",
    "file": "/home/runner/work/burble/burble/server/lib/burble/bridges/mumble.ex",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "believe_me undermines formal verification (2 occurrences, CWE-704)",
    "type": "believe_me",
    "file": "/home/runner/work/burble/burble/src/interface/abi/Foreign.idr",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "Nickel file missing SPDX-License-Identifier header (1 occurrences, CWE-1104)",
    "type": "ncl_missing_spdx",
    "file": "/home/runner/work/burble/burble/configs/config.ncl",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "medium"
  },
  {
    "reason": "Lock.unwrap() without poison handling (14 occurrences, CWE-754)",
    "type": "lock_unwrap",
    "file": "/home/runner/work/burble/burble/tools/selur-compose/crates/selur-compose-driver/src/mock.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "line": 24,
    "reason": "Secret found: Generic API key",
    "type": "secret_detected",
    "file": "/home/runner/work/burble/burble/.envrc",
    "action": "revoke_rotate_and_purge",
    "rule_module": "security_errors",
    "severity": "critical"
  },
  {
    "line": 39,
    "reason": "Secret found: Password",
    "type": "secret_detected",
    "file": "/home/runner/work/burble/burble/server/lib/burble/safety/proven_bridge.ex",
    "action": "revoke_rotate_and_purge",
    "rule_module": "security_errors",
    "severity": "critical"
  },
  {
    "line": 53,
    "reason": "Secret found: Password",
    "type": "secret_detected",
    "file": "/home/runner/work/burble/burble/server/lib/burble/bridges/sip.ex",
    "action": "revoke_rotate_and_purge",
    "rule_module": "security_errors",
    "severity": "critical"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence