Skip to content

fix(ci): sync hypatia-scan.yml to canonical#47

Merged
hyperpolymath merged 1 commit into
mainfrom
fix/hypatia-scan-canonical
May 17, 2026
Merged

fix(ci): sync hypatia-scan.yml to canonical#47
hyperpolymath merged 1 commit into
mainfrom
fix/hypatia-scan-canonical

Conversation

@hyperpolymath
Copy link
Copy Markdown
Owner

@hyperpolymath hyperpolymath commented May 17, 2026

Replaces the drifted hypatia-scan.yml (older cd scanner/hypatia-v2 build-step that exits 1 — the env.HOME/Phase-2 sweeps never touched it) with the canonical rsr-template-repo workflow. Estate drift remediation; see hyperpolymath/neurophone#41.

🤖 Generated with Claude Code

@hyperpolymath @claude
fix(ci): sync hypatia-scan.yml to canonical (kill cd-scanner build dr…
9bd7b5c 
…ift)

The build step did `cd scanner` / built `hypatia-v2` against a path that
no longer exists in the hypatia repo (mix.exs is at root), so the Hypatia
Neurosymbolic Analysis lane exited 1 every run. The env.HOME and Phase-2
sweeps never normalised this older build-step drift. Replace with the
canonical rsr-template-repo hypatia-scan.yml.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@hyperpolymath hyperpolymath merged commit 1616de9 into main May 17, 2026
@hyperpolymath hyperpolymath deleted the fix/hypatia-scan-canonical branch May 17, 2026 02:46
@github-advanced-security
Copy link
Copy Markdown

github-advanced-security AI commented May 17, 2026

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 17, 2026

🔍 Hypatia Security Scan

Findings: 10 issues detected

Severity Count
🔴 Critical 0
🟠 High 5
🟡 Medium 5
View findings 
[
  {
    "reason": "Issue in quality.yml",
    "type": "missing_workflow",
    "file": "quality.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in security-policy.yml",
    "type": "missing_workflow",
    "file": "security-policy.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (3 occurrences, CWE-494)",
    "type": "shell_download_then_run",
    "file": "/home/runner/work/scripts/scripts/setup.sh",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (3 occurrences, CWE-494)",
    "type": "shell_download_then_run",
    "file": "/home/runner/work/scripts/scripts/setup-kinoite-dev.sh",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (1 occurrences, CWE-494)",
    "type": "shell_download_then_run",
    "file": "/home/runner/work/scripts/scripts/enhance-kinoite.sh",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Nominal-only SAST in scripts: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
    "type": "StaticAnalysis",
    "file": "/home/runner/work/scripts/scripts",
    "action": "auto_fix",
    "rule_module": "scorecard",
    "severity": "medium",
    "remediation": "Add CodeQL or equivalent SAST workflow.",
    "scorecard_check": "SAST"
  },
  {
    "reason": "Repository has 1 non-main remote branch(es). Policy: single main branch only.",
    "type": "GS007",
    "file": ".",
    "action": "delete_remote_branches",
    "rule_module": "git_state",
    "severity": "medium"
  },
  {
    "reason": "References STATE.scm -- should be .machine_readable/6a2/STATE.a2ml",
    "type": "SD007",
    "file": "0-AI-MANIFEST.a2ml",
    "action": "update_reference",
    "rule_module": "structural_drift",
    "severity": "medium"
  },
  {
    "reason": "References AGENTIC.scm -- should be .machine_readable/6a2/AGENTIC.a2ml",
    "type": "SD007",
    "file": "0-AI-MANIFEST.a2ml",
    "action": "update_reference",
    "rule_module": "structural_drift",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hyperpolymath @github-advanced-security