Hypatia detector false positives (workflow_audit + cicd_rules) — spec for upstream fix

[hyperpolymath]

Context: The Hypatia scan on this repo reports 141 findings (64 critical / 56 high / 21 medium), but after per-finding investigation the large majority are scanner-side false positives or already-honored documented exemptions, not real defects in standards. The genuinely actionable in-repo items (missing timeout-minutes, malformed workflows, mirror SSH presence-gate, an AGPL→MPL header) were fixed in #361/#362/#364/#367 and are on main (383 workflows parse, 0 jobs missing a timeout, registry in sync).

This issue is the hand-off spec for the remaining "foundational/upstream" fixes, which live in hyperpolymath/hypatia (the detector source), not here. Each item below has the file, the false-positive proof, and the exact change.

---

1. unpinned_action — legacy emitter flags correctly SHA-pinned actions

• Module/severity: workflow_audit, medium.
• Symptom: reason: "Action for the check script)\n uses: actions/checkout@de0f needs attention" on governance-reusable.yml. The ref is truncated to @de0f, the text "needs attention" + the "…check script)" prefix shows the detector is grabbing a preceding comment line plus the next uses: line.
• Proof it's a false positive: every uses: across all 383 workflow files is pinned to a full 40-hex SHA, e.g. actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2.
• Root cause: the canonical detector WH004 in lib/rules/workflow_hardening.ex is correct — it early-returns on Regex.match?(~r/@[a-fA-F0-9]{40}\b/, slug) and its reason is "pins … to a tag/branch — mutable ref allows upstream takeover". The findings here have a different rule_module (workflow_audit) and a different reason format, so a second, legacy unpinned-action emitter exists that (a) doesn't recognize 40-hex SHA pins, (b) truncates the SHA to 4 chars, (c) uses a brittle regex that captures an adjacent comment line.
• Fix: remove/disable the legacy workflow_audit unpinned-action emitter and route solely through WH004. If it must remain, port WH004's 40-hex skip-guard into it and fix slug extraction to stop at first whitespace (drop trailing # comment) without truncation.

2. secret_action_without_presence_gate — doesn't recognize the if: secrets.X != '' gate

• Module/severity: workflow_audit, high.
• Symptom: flags instant-sync.yml (peter-evans/repository-dispatch).
• Proof it's a false positive: that step is gated — instant-sync.yml line 27: if: ${{ secrets.FARM_DISPATCH_TOKEN != '' }}, with a companion "skip" notice step for the empty case.
• Root cause: the detector flags any secret-consuming action without recognizing a step-level (or enclosing-job) if: that presence-tests the same secret (!= '').
• Fix: before emitting, suppress if the step or its job has an if: referencing the same secret with a != '' presence test. (Same pattern now used in mirror-reusable.yml after ci(workflows): presence-gate mirror SSH steps + correct registry-verify licence #367 — it will otherwise keep being false-flagged.)

3. scorecard_publish_with_run_step — not scoped to the publish job

• Module/severity: workflow_audit, high.
• Symptom: flags scorecard-enforcer.yml for "split_scorecard_publish_job".
• Proof it's a false positive: the publish job (scorecard) is already uses-only; the threshold check is already split into a downstream check-score job (needs: scorecard). The file even documents this in a comment.
• Root cause: the detector scans the whole file for run: steps co-occurring with publish_results: true, instead of scoping to the job that contains the publish step. The run: steps are in other jobs (check-score, check-critical).
• Fix: only emit if the job that runs ossf/scorecard-action with publish_results: true itself contains a run: step.

4. Carve-out / semantics gaps (cicd_rules + workflow_audit)

• 4a. banned_language_file (critical) ignores documented path_allow_prefixes. Flags files that CLAUDE.md explicitly exempts:
  • **/bindings/deno/** (interop) → a2ml/bindings/deno/mod.ts, k9-svc/bindings/deno/mod.ts
  • **/vitest.config.ts (tooling) → lol/test/vitest.config.ts
  • the retained Deno archetype scripts/check-ts-allowlist.ts (regression-suite target; documented in docs/EXEMPTION-MECHANISMS.adoc)
  • Ground truth: only 5 banned-language files exist in the repo (1 Python already in .hypatia-baseline.json, 4 TypeScript — all the carve-outs above). The reported "64 critical" is inflated/multi-counted; there are zero genuine violations.
  • Fix: apply the documented TS/RS/npm/JS path_allow_prefixes from CLAUDE.md in the deployed cicd_rules banned-language detector (config has drifted from policy). Consider downgrading grandfathered/in-flight-migration files below critical.
• 4b. missing_timeout_minutes (medium) fires on reusable-workflow CALLER jobs — governance.yml, mirror.yml, scorecard.yml, secret-scanner.yml. Their jobs are uses: reusable-workflow calls, where timeout-minutes is invalid YAML and cannot be added; the timeout belongs in the reusable workflow (already present).
  • Fix: skip jobs with a job-level uses: (reusable-workflow calls) in the missing_timeout_minutes check.

General

The reason strings for several finding types are malformed ("Issue in X.yml", embedded raw YAML, truncated refs) — the reason-builder/templating needs hardening so findings are actionable.

---

Filed as a hand-off; the fixes themselves belong in hyperpolymath/hypatia (lib/rules/workflow_hardening.ex, the workflow_audit module, lib/rules/cicd_rules.ex). This repo's side is complete.

https://claude.ai/code/session_01AmPXB2dA2wCcabo8BXwS28

[hyperpolymath]

Ready-to-run prompt for a hypatia-scoped session

Repos to put in scope: hyperpolymath/hypatia (primary — detector source), hyperpolymath/standards (validation fixture + this issue), and probably hyperpolymath/gitbot-fleet (only if the PR-comment findings formatter lives there rather than in hypatia).

Paste the block below into a session scoped to those repos:

You are in hyperpolymath/hypatia (neurosymbolic CI/CD scanner). Its
workflow_audit + cicd_rules detectors emit false positives on
hyperpolymath/standards. Tracking: hyperpolymath/standards#370. Ground truth
@standards/main: 383 workflows all SHA-pinned, 0 jobs missing timeout, all
banned-language files are documented carve-outs — so nearly all 141 findings
are scanner-side FPs. Fix the detectors at root, add regression tests, and
confirm the count drops re-scanning standards. Do NOT weaken true positives.

FIRST: is the hypatia version standards' CI runs (see
standards/.github/workflows/hypatia-scan*.yml) STALE vs hypatia@main? Several
FPs below look already-fixed in main — if so the fix is a version bump, not a
code change. Determine this before editing.

1) WF014 scorecard_publish_with_run_step is FILE-scoped, must be JOB-scoped.
   lib/rules/workflow_audit.ex check_scorecard_publish_run_violation/1 (~602):
   uses_scorecard?/publish_true?/has_step_run? all scan the whole file, so an
   already-split workflow (publish job uses-only; run: in a needs: job) is
   flagged. Proof: standards scorecard-enforcer.yml (job `scorecard` uses-only;
   run: lives in check-score/check-critical). Fix: scope has_step_run? to the
   job containing `ossf/scorecard-action@` + `publish_results: true`.

2) missing_timeout_minutes fires on reusable-workflow CALLER jobs.
   check_missing_timeout_minutes/1 (~144): job regex counts jobs whose body is
   `uses: ./.github/workflows/x.yml` — where timeout-minutes is INVALID YAML.
   Proof: standards governance.yml/mirror.yml/scorecard.yml/secret-scanner.yml.
   Fix: drop a job from jobs_seen if its block has a job-level `uses:`.

3) WF017 secret_action_without_presence_gate flags already-gated steps.
   check_ungated_secret_action/1 (~858) + extract_steps_using_known_actions/1
   (~918). Gate regex (~880) looks correct; yet standards instant-sync.yml —
   gated `if: ${{ secrets.FARM_DISPATCH_TOKEN != '' }}` (line 27) — is flagged.
   Either stale deploy (version bump) or block-expression extraction drops the
   if:. Reproduce, fix, test both `${{ secrets.X != '' }}` and bare forms. NB
   standards mirror-reusable.yml now gates 6 forge jobs the same way — must not
   flag.

4) unpinned_action "...needs attention", ref truncated to @de0f, on SHA-pinned
   actions. Canonical WH004 (lib/rules/workflow_hardening.ex wh004_scan_content/2
   ~322) correctly skips @[a-fA-F0-9]{40}\b; check_unpinned_actions/1 (~236)
   delegates to it. So "needs attention"/@de0f is built by a REPORTING layer
   that truncates the ref + scrapes an adjacent comment. Find it (hypatia
   findings/PR-comment serializer; if absent, gitbot-fleet dispatch-runner) and
   build reason from the finding's own fields, never truncating the ref. Proof:
   every uses: in standards is a full 40-hex SHA.

5) banned_language_file (critical) ignores documented path_allow_prefixes.
   lib/rules/cicd_rules.ex: mechanism exists (:rescript_detected ~182; reject
   ~724-728/~786-797) but the *.ts / *.py entries lack carve-outs. Add to their
   path_allow_prefixes: bindings/deno/, bindings/typescript/, bindings/ts/,
   .d.ts, vitest.config.ts, vite.config.ts, tsup.config.ts, tsconfig.json, and
   scripts/check-ts-allowlist.ts (regression archetype, see standards
   docs/EXEMPTION-MECHANISMS.adoc). Proof: a2ml/bindings/deno/mod.ts,
   k9-svc/bindings/deno/mod.ts, lol/test/vitest.config.ts. Also ~437 says
   banned_language_file "hard-refuses to suppress" via baseline, yet standards
   baselines a2ml-templates/state-scm-to-v2.py and it still flags — make the
   intended behaviour consistent.

6) Count inflation: standards has only 5 banned-language files but report says
   "64 critical". Investigate multi-counting (scanner walking each embedded
   sub-project root) and de-dup.

Validate: scan standards@main before/after — listed FPs -> 0 while real
detections still fire. Add unit tests per fix. Respect the existing licence cap
(license_finding_strategy = :review, flag-only) — don't touch it. Open draft
PR(s) and link standards#370.

Source references confirmed against hypatia@main raw source on 2026-06-04.

---

Generated by Claude Code