Compliance Audit — 2026-05-08
This umbrella issue tracks all findings from the automated compliance audit run on 2026-05-08.
Findings are grouped by remediation category. Address each category together to avoid duplicate agent PRs.
Total findings: 136 across 8 repositories
Remediation Work Breakdown
Repository Settings (47 finding(s))
Remediation: apply-repo-settings.sh
Affected repos: .github, .github-private, ContentTwin, TalkTerm, bmad-bgreat-suite, broodly, google-app-scripts, markets
| Repo | Check | Severity |
| --- | --- | --- |
| .github | allow_auto_merge | warning |
| .github | delete_branch_on_merge | warning |
| .github | codeowners-org-leads-not-first | error |
| .github | codeowners-no-catchall | warning |
| .github | check-suite-auto-trigger-1236702 | error |
| .github | check-suite-auto-trigger-347564 | error |
| TalkTerm | allow_auto_merge | warning |
| TalkTerm | delete_branch_on_merge | warning |
| TalkTerm | codeowners-org-leads-not-first | error |
| TalkTerm | codeowners-no-catchall | warning |
| TalkTerm | check-suite-auto-trigger-1236702 | error |
| TalkTerm | check-suite-auto-trigger-347564 | error |
| .github-private | allow_auto_merge | warning |
| .github-private | delete_branch_on_merge | warning |
| .github-private | has_discussions | error |
| .github-private | codeowners-org-leads-not-first | error |
| .github-private | codeowners-no-catchall | warning |
| .github-private | check-suite-auto-trigger-1236702 | error |
| .github-private | check-suite-auto-trigger-347564 | error |
| markets | allow_auto_merge | warning |
| markets | delete_branch_on_merge | warning |
| markets | codeowners-org-leads-not-first | error |
| markets | codeowners-no-catchall | warning |
| markets | check-suite-auto-trigger-1236702 | error |
| markets | check-suite-auto-trigger-347564 | error |
| ContentTwin | allow_auto_merge | warning |
| ContentTwin | delete_branch_on_merge | warning |
| ContentTwin | codeowners-org-leads-not-first | error |
| ContentTwin | codeowners-no-catchall | warning |
| ContentTwin | check-suite-auto-trigger-1236702 | error |
| ContentTwin | check-suite-auto-trigger-347564 | error |
| broodly | allow_auto_merge | warning |
| broodly | delete_branch_on_merge | warning |
| broodly | codeowners-org-leads-not-first | error |
| broodly | codeowners-no-catchall | warning |
| broodly | check-suite-auto-trigger-1236702 | error |
| broodly | check-suite-auto-trigger-347564 | error |
| google-app-scripts | allow_auto_merge | warning |
| google-app-scripts | delete_branch_on_merge | warning |
| google-app-scripts | codeowners-org-leads-not-first | error |
| google-app-scripts | codeowners-no-catchall | warning |
| google-app-scripts | check-suite-auto-trigger-1236702 | error |
| google-app-scripts | check-suite-auto-trigger-347564 | error |
| bmad-bgreat-suite | allow_auto_merge | warning |
| bmad-bgreat-suite | delete_branch_on_merge | warning |
| bmad-bgreat-suite | check-suite-auto-trigger-1236702 | error |
| bmad-bgreat-suite | check-suite-auto-trigger-347564 | error |
Push Protection & Secret Scanning (17 finding(s))
Remediation: apply-repo-settings.sh (security_and_analysis) + per-repo ci.yml and .gitignore
Affected repos: .github, .github-private, ContentTwin, TalkTerm, bmad-bgreat-suite, broodly, google-app-scripts, markets
| Repo | Check | Severity |
| --- | --- | --- |
| .github | security_and_analysis_unavailable | warning |
| .github | secret_scan_ci_job_present | error |
| TalkTerm | security_and_analysis_unavailable | warning |
| .github-private | security_and_analysis_unavailable | warning |
| .github-private | gitignore_secrets_block | warning |
| markets | security_and_analysis_unavailable | warning |
| markets | secret_scan_ci_job_present | error |
| ContentTwin | security_and_analysis_unavailable | warning |
| ContentTwin | secret_scan_ci_job_present | error |
| broodly | security_and_analysis_unavailable | warning |
| broodly | secret_scan_ci_job_present | error |
| broodly | gitignore_secrets_block | warning |
| google-app-scripts | security_and_analysis_unavailable | warning |
| google-app-scripts | gitignore_secrets_block | warning |
| bmad-bgreat-suite | security_and_analysis_unavailable | warning |
| bmad-bgreat-suite | secret_scan_ci_job_present | error |
| bmad-bgreat-suite | gitignore_secrets_block | warning |
Repository Rulesets (2 finding(s))
Remediation: apply-rulesets.sh
Affected repos: .github-private
| Repo | Check | Severity |
| --- | --- | --- |
| .github-private | missing-pr-quality | error |
| .github-private | missing-code-quality | error |
Workflows (29 finding(s))
Remediation: per-repo workflow additions
Affected repos: .github, .github-private, ContentTwin, TalkTerm, bmad-bgreat-suite, broodly, google-app-scripts, markets
| Repo | Check | Severity |
| --- | --- | --- |
| .github | codeql-default-setup-not-configured | error |
| TalkTerm | codeql-default-setup-not-configured | error |
| TalkTerm | non-stub-dependency-audit.yml | error |
| TalkTerm | non-stub-dependabot-automerge.yml | error |
| TalkTerm | non-stub-agent-shield.yml | error |
| TalkTerm | non-stub-feature-ideation.yml | error |
| .github-private | missing-ci.yml | error |
| .github-private | missing-sonarcloud.yml | error |
| .github-private | missing-dependabot-automerge.yml | error |
| .github-private | missing-dependency-audit.yml | error |
| .github-private | missing-agent-shield.yml | error |
| .github-private | codeql-default-setup-not-configured | error |
| .github-private | claude-missing-check-run-trigger | warning |
| .github-private | non-stub-claude.yml | error |
| markets | codeql-default-setup-not-configured | error |
| markets | stray-codeql-workflow | error |
| markets | non-stub-dependabot-rebase.yml | error |
| ContentTwin | codeql-default-setup-not-configured | error |
| ContentTwin | stray-codeql-workflow | error |
| ContentTwin | non-stub-dependabot-rebase.yml | error |
| broodly | codeql-default-setup-not-configured | error |
| broodly | stray-codeql-workflow | error |
| broodly | non-stub-dependabot-rebase.yml | error |
| google-app-scripts | codeql-default-setup-not-configured | error |
| google-app-scripts | stray-codeql-workflow | error |
| google-app-scripts | non-stub-dependabot-rebase.yml | error |
| bmad-bgreat-suite | codeql-default-setup-not-configured | error |
| bmad-bgreat-suite | stray-codeql-workflow | error |
| bmad-bgreat-suite | non-stub-auto-rebase.yml | error |
Action SHA Pinning (35 finding(s))
Remediation: pin actions to SHA in each workflow file
Affected repos: .github, .github-private, ContentTwin, TalkTerm, bmad-bgreat-suite, broodly, google-app-scripts, markets
| Repo | Check | Severity |
| --- | --- | --- |
| .github | unpinned-actions-agent-shield.yml | error |
| .github | unpinned-actions-claude.yml | error |
| .github | unpinned-actions-dependency-audit.yml | error |
| TalkTerm | unpinned-actions-auto-rebase.yml | error |
| TalkTerm | unpinned-actions-claude.yml | error |
| TalkTerm | unpinned-actions-dependabot-rebase.yml | error |
| .github-private | unpinned-actions-pr-review.yml | error |
| .github-private | unpinned-actions-repair-pr-approvals.yml | error |
| markets | unpinned-actions-agent-shield.yml | error |
| markets | unpinned-actions-auto-rebase.yml | error |
| markets | unpinned-actions-claude.yml | error |
| markets | unpinned-actions-dependabot-automerge.yml | error |
| markets | unpinned-actions-dependency-audit.yml | error |
| markets | unpinned-actions-feature-ideation.yml | error |
| ContentTwin | unpinned-actions-agent-shield.yml | error |
| ContentTwin | unpinned-actions-auto-rebase.yml | error |
| ContentTwin | unpinned-actions-claude.yml | error |
| ContentTwin | unpinned-actions-dependabot-automerge.yml | error |
| ContentTwin | unpinned-actions-dependency-audit.yml | error |
| broodly | unpinned-actions-agent-shield.yml | error |
| broodly | unpinned-actions-auto-rebase.yml | error |
| broodly | unpinned-actions-claude.yml | error |
| broodly | unpinned-actions-dependabot-automerge.yml | error |
| broodly | unpinned-actions-dependency-audit.yml | error |
| broodly | unpinned-actions-feature-ideation.yml | error |
| google-app-scripts | unpinned-actions-agent-shield.yml | error |
| google-app-scripts | unpinned-actions-auto-rebase.yml | error |
| google-app-scripts | unpinned-actions-claude.yml | error |
| google-app-scripts | unpinned-actions-dependabot-automerge.yml | error |
| google-app-scripts | unpinned-actions-dependency-audit.yml | error |
| google-app-scripts | unpinned-actions-feature-ideation.yml | error |
| bmad-bgreat-suite | unpinned-actions-agent-shield.yml | error |
| bmad-bgreat-suite | unpinned-actions-claude.yml | error |
| bmad-bgreat-suite | unpinned-actions-dependabot-automerge.yml | error |
| bmad-bgreat-suite | unpinned-actions-dependency-audit.yml | error |
Dependabot Configuration (4 finding(s))
Remediation: per-repo .github/dependabot.yml
Affected repos: .github-private, google-app-scripts
| Repo | Check | Severity |
| --- | --- | --- |
| .github-private | missing-github-actions-ecosystem | error |
| .github-private | missing-security-label | warning |
| .github-private | missing-dependencies-label | warning |
| google-app-scripts | wrong-limit-npm | warning |
CLAUDE.md / AGENTS.md References (2 finding(s))
Remediation: per-repo doc updates
Affected repos: .github-private
| Repo | Check | Severity |
| --- | --- | --- |
| .github-private | claude-md-missing-agents-ref | error |
| .github-private | agents-md-missing-org-ref | error |
Generated by the weekly compliance audit on 2026-05-08 14:15 UTC.
Address each remediation category as a single coordinated PR to avoid duplicate agent work.