Skip to content

Playbook Repository Security Assessment

Hermes Agent edited this page Jul 11, 2026 · 1 revision

Repository Security Assessment

This page is explanatory. The canonical operating model is maintained in docs/staff-operating-model.md.

Objective

Assess a repository for security-relevant design, implementation, dependency, and workflow risks.

Inputs

  • repository URL or local path
  • scope focus (for example: authz, secrets handling, CI, supply chain)
  • supporting docs or known constraints

SMEs involved

Typically security-code-review, security-architecture, security-appsec-assessment, and security-qa.

Flow

  1. intake and scoping
  2. repo mapping and high-signal surface selection
  3. code/config/document review
  4. cross-SME synthesis
  5. QA

Gates

  • scope qualification
  • evidence sufficiency
  • QA pass before final report

Outputs

  • findings and observations
  • architecture or code risks
  • remediation priorities
  • assumptions and residual risk

Limitations

Repo-only analysis may not reveal runtime-effective behavior.

Sanitized example

Review a public multi-service repo for authz boundary gaps and risky operational defaults.

Clone this wiki locally