Refs #260 (do not auto-close).
Defect: workflow_audit.ex:49 and security_errors.ex:291 map slsa-framework/slsa-github-generator@v2.1.0 → <sha>. Applying the only symbolic remediation (SHA-pin) BREAKS SLSA provenance — the generator self-verifies github.ref and requires a semver tag. No exception channel exists, so modshells #63 stays open forever.
Fix:
- Remove the harmful SHA mapping for slsa-framework/slsa-github-generator.
- Introduce a first-class pin_exempt / must_track_tag registry (versioned data, not code constants) for reusable workflows that self-verify their ref.
- For exempt refs emit an accept finding with rationale, never a fix; reconciler dismisses the Scorecard alert with that rationale.
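Added example, not code from this project (whose audit lives in Elixir): a small Python audit pass over GitHub Actions `uses:` references that emits a "fix" finding for unpinned refs but an "accept" finding with rationale for refs the registry marks as must_track_tag. The registry contents, the Finding shape, the rationale wording and the sample workflow are constructed assumptions for illustration.

```python
"""Classify `uses:` references: SHA-pin findings for ordinary actions, accept-with-rationale
for reusable workflows that self-verify github.ref and must stay on a semver tag."""
import re
from dataclasses import dataclass

# Assumed shape of the versioned pin_exempt / must_track_tag registry. A real tool would
# load this from shipped data rather than hardcode it; the entry text here is constructed.
PIN_EXEMPT_REGISTRY = {
    "slsa-framework/slsa-github-generator": {
        "policy": "must_track_tag",
        "rationale": (
            "Generator self-verifies github.ref and requires a semver tag; "
            "SHA-pinning breaks SLSA provenance."
        ),
    },
}

SHA40 = re.compile(r"^[0-9a-f]{40}$")
SEMVER_TAG = re.compile(r"^v\d+(\.\d+){0,2}$")


@dataclass(frozen=True)
class Finding:
    kind: str       # "fix" | "accept" | "ok"
    repo: str
    ref: str
    rationale: str


def parse_uses(line):
    """Return (owner/repo, ref) for a remote `uses: owner/repo[/path]@ref` line, else None."""
    m = re.search(r"uses:\s*([^@\s]+)@(\S+)", line)
    if not m:
        return None
    target, ref = m.group(1), m.group(2)
    # Local (./) and docker:// references are out of scope for SHA pinning.
    if target.startswith("./") or target.startswith("docker://"):
        return None
    # Reusable workflows are referenced as owner/repo/.github/workflows/x.yml@ref;
    # the registry is keyed by owner/repo only.
    parts = target.split("/")
    return "/".join(parts[:2]), ref


def audit_uses(line):
    """Produce one Finding for a `uses:` line, or None if the line is not a remote reference."""
    parsed = parse_uses(line)
    if parsed is None:
        return None
    repo, ref = parsed
    entry = PIN_EXEMPT_REGISTRY.get(repo)
    if entry is not None and entry["policy"] == "must_track_tag":
        if SEMVER_TAG.match(ref):
            # Exempt ref on a tag: accept with rationale, never a pin remediation.
            return Finding("accept", repo, ref, entry["rationale"])
        # A SHA (or other non-tag ref) here is the harmful state; the remediation is a tag.
        return Finding("fix", repo, ref, "must track a semver tag: " + entry["rationale"])
    if SHA40.match(ref):
        return Finding("ok", repo, ref, "pinned to full commit SHA")
    return Finding("fix", repo, ref, "pin to a full 40-hex commit SHA")


def audit_workflow(text):
    """Audit every `uses:` line of a workflow file's text."""
    return [f for f in (audit_uses(l) for l in text.splitlines()) if f is not None]


# Constructed sample workflow; the 40-hex SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567   # constructed SHA
  provenance:
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{finding.kind:6} {finding.repo}@{finding.ref}: {finding.rationale}")
```

The reconciler step described above would consume the "accept" finding and dismiss the corresponding Scorecard alert with its rationale; the point of keeping the registry as data is that adding another self-verifying reusable workflow is a data change with its own review trail rather than a code constant.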