Compliance Audit — 2026-05-12
This umbrella issue tracks all findings from the automated compliance audit run on 2026-05-12.
Findings are grouped by remediation category. Address each category together to avoid duplicate agent PRs.
Total findings: 139 across 8 repositories
Remediation Work Breakdown
Repository Settings (44 finding(s))
Remediation: apply-repo-settings.sh
Affected repos: .github, .github-private, ContentTwin, TalkTerm, bmad-bgreat-suite, broodly, google-app-scripts, markets
| Repo | Check | Severity |
|---|---|---|
| .github-private | allow_auto_merge | warning |
| .github-private | delete_branch_on_merge | warning |
| .github-private | codeowners-org-leads-not-first | error |
| .github-private | codeowners-no-catchall | warning |
| .github-private | check-suite-auto-trigger-1236702 | error |
| .github-private | check-suite-auto-trigger-347564 | error |
| broodly | allow_auto_merge | warning |
| broodly | delete_branch_on_merge | warning |
| broodly | codeowners-org-leads-not-first | error |
| broodly | codeowners-no-catchall | warning |
| broodly | check-suite-auto-trigger-1236702 | error |
| broodly | check-suite-auto-trigger-347564 | error |
| .github | allow_auto_merge | warning |
| .github | delete_branch_on_merge | warning |
| .github | codeowners-org-leads-not-first | error |
| .github | codeowners-no-catchall | warning |
| .github | check-suite-auto-trigger-1236702 | error |
| .github | check-suite-auto-trigger-347564 | error |
| bmad-bgreat-suite | allow_auto_merge | warning |
| bmad-bgreat-suite | delete_branch_on_merge | warning |
| bmad-bgreat-suite | check-suite-auto-trigger-1236702 | error |
| bmad-bgreat-suite | check-suite-auto-trigger-347564 | error |
| ContentTwin | allow_auto_merge | warning |
| ContentTwin | delete_branch_on_merge | warning |
| ContentTwin | codeowners-org-leads-not-first | error |
| ContentTwin | codeowners-no-catchall | warning |
| ContentTwin | check-suite-auto-trigger-1236702 | error |
| ContentTwin | check-suite-auto-trigger-347564 | error |
| markets | allow_auto_merge | warning |
| markets | delete_branch_on_merge | warning |
| markets | check-suite-auto-trigger-1236702 | error |
| markets | check-suite-auto-trigger-347564 | error |
| google-app-scripts | allow_auto_merge | warning |
| google-app-scripts | delete_branch_on_merge | warning |
| google-app-scripts | codeowners-org-leads-not-first | error |
| google-app-scripts | codeowners-no-catchall | warning |
| google-app-scripts | check-suite-auto-trigger-1236702 | error |
| google-app-scripts | check-suite-auto-trigger-347564 | error |
| TalkTerm | allow_auto_merge | warning |
| TalkTerm | delete_branch_on_merge | warning |
| TalkTerm | codeowners-org-leads-not-first | error |
| TalkTerm | codeowners-no-catchall | warning |
| TalkTerm | check-suite-auto-trigger-1236702 | error |
| TalkTerm | check-suite-auto-trigger-347564 | error |
Push Protection & Secret Scanning (26 finding(s))
Remediation: apply-repo-settings.sh (security_and_analysis) + per-repo ci.yml and .gitignore
Affected repos: .github, .github-private, ContentTwin, TalkTerm, bmad-bgreat-suite, broodly, google-app-scripts, markets
| Repo | Check | Severity |
|---|---|---|
| .github-private | secret_scanning_ai_detection | warning |
| .github-private | secret_scanning_non_provider_patterns | warning |
| .github-private | gitignore_secrets_block | warning |
| broodly | secret_scanning_ai_detection | warning |
| broodly | secret_scanning_non_provider_patterns | warning |
| broodly | dependabot_security_updates | warning |
| broodly | secret_scan_ci_job_present | error |
| .github | secret_scanning_ai_detection | warning |
| .github | secret_scanning_non_provider_patterns | warning |
| .github | secret_scan_ci_job_present | error |
| bmad-bgreat-suite | secret_scanning_ai_detection | warning |
| bmad-bgreat-suite | secret_scanning_non_provider_patterns | warning |
| bmad-bgreat-suite | secret_scan_ci_job_present | error |
| bmad-bgreat-suite | gitignore_secrets_block | warning |
| ContentTwin | secret_scanning_ai_detection | warning |
| ContentTwin | secret_scanning_non_provider_patterns | warning |
| ContentTwin | dependabot_security_updates | warning |
| ContentTwin | secret_scan_ci_job_present | error |
| markets | secret_scanning_ai_detection | warning |
| markets | secret_scanning_non_provider_patterns | warning |
| markets | secret_scan_ci_job_present | error |
| google-app-scripts | secret_scanning_ai_detection | warning |
| google-app-scripts | secret_scanning_non_provider_patterns | warning |
| google-app-scripts | gitignore_secrets_block | warning |
| TalkTerm | secret_scanning_ai_detection | warning |
| TalkTerm | secret_scanning_non_provider_patterns | warning |
Workflows (22 finding(s))
Remediation: per-repo workflow additions
Affected repos: .github-private, ContentTwin, TalkTerm, bmad-bgreat-suite, broodly, google-app-scripts, markets
| Repo | Check | Severity |
|---|---|---|
| .github-private | missing-ci.yml | error |
| .github-private | missing-pr-review-mention.yml | error |
| .github-private | non-stub-auto-rebase.yml | error |
| .github-private | non-stub-dependabot-automerge.yml | error |
| .github-private | non-stub-agent-shield.yml | error |
| broodly | stray-codeql-workflow | error |
| broodly | non-stub-dependabot-rebase.yml | error |
| bmad-bgreat-suite | stray-codeql-workflow | error |
| bmad-bgreat-suite | non-stub-auto-rebase.yml | error |
| bmad-bgreat-suite | non-stub-dependabot-rebase.yml | error |
| ContentTwin | stray-codeql-workflow | error |
| ContentTwin | non-stub-dependabot-automerge.yml | error |
| ContentTwin | non-stub-dependabot-rebase.yml | error |
| ContentTwin | non-stub-pr-review-mention.yml | error |
| markets | stray-codeql-workflow | error |
| markets | non-stub-dependabot-rebase.yml | error |
| google-app-scripts | stray-codeql-workflow | error |
| google-app-scripts | non-stub-dependabot-rebase.yml | error |
| TalkTerm | non-stub-dependency-audit.yml | error |
| TalkTerm | non-stub-dependabot-automerge.yml | error |
| TalkTerm | non-stub-agent-shield.yml | error |
| TalkTerm | non-stub-feature-ideation.yml | error |
Action SHA Pinning (42 finding(s))
Remediation: pin actions to SHA in each workflow file
Affected repos: .github, .github-private, ContentTwin, TalkTerm, bmad-bgreat-suite, broodly, google-app-scripts, markets
| Repo | Check | Severity |
|---|---|---|
| .github-private | unpinned-actions-claude.yml | error |
| .github-private | unpinned-actions-dependency-audit.yml | error |
| .github-private | unpinned-actions-pr-review.yml | error |
| .github-private | unpinned-actions-repair-pr-approvals.yml | error |
| broodly | unpinned-actions-agent-shield.yml | error |
| broodly | unpinned-actions-auto-rebase.yml | error |
| broodly | unpinned-actions-claude.yml | error |
| broodly | unpinned-actions-dependabot-automerge.yml | error |
| broodly | unpinned-actions-dependency-audit.yml | error |
| broodly | unpinned-actions-feature-ideation.yml | error |
| broodly | unpinned-actions-pr-review-mention.yml | error |
| .github | unpinned-actions-agent-shield.yml | error |
| .github | unpinned-actions-claude.yml | error |
| .github | unpinned-actions-dependabot-automerge.yml | error |
| .github | unpinned-actions-dependency-audit.yml | error |
| bmad-bgreat-suite | unpinned-actions-agent-shield.yml | error |
| bmad-bgreat-suite | unpinned-actions-claude.yml | error |
| bmad-bgreat-suite | unpinned-actions-dependabot-automerge.yml | error |
| bmad-bgreat-suite | unpinned-actions-dependency-audit.yml | error |
| bmad-bgreat-suite | unpinned-actions-pr-review-mention.yml | error |
| ContentTwin | unpinned-actions-agent-shield.yml | error |
| ContentTwin | unpinned-actions-auto-rebase.yml | error |
| ContentTwin | unpinned-actions-claude.yml | error |
| ContentTwin | unpinned-actions-dependency-audit.yml | error |
| markets | unpinned-actions-agent-shield.yml | error |
| markets | unpinned-actions-auto-rebase.yml | error |
| markets | unpinned-actions-claude.yml | error |
| markets | unpinned-actions-dependabot-automerge.yml | error |
| markets | unpinned-actions-dependency-audit.yml | error |
| markets | unpinned-actions-feature-ideation.yml | error |
| markets | unpinned-actions-pr-review-mention.yml | error |
| google-app-scripts | unpinned-actions-agent-shield.yml | error |
| google-app-scripts | unpinned-actions-auto-rebase.yml | error |
| google-app-scripts | unpinned-actions-claude.yml | error |
| google-app-scripts | unpinned-actions-dependabot-automerge.yml | error |
| google-app-scripts | unpinned-actions-dependency-audit.yml | error |
| google-app-scripts | unpinned-actions-feature-ideation.yml | error |
| google-app-scripts | unpinned-actions-pr-review-mention.yml | error |
| TalkTerm | unpinned-actions-auto-rebase.yml | error |
| TalkTerm | unpinned-actions-claude.yml | error |
| TalkTerm | unpinned-actions-dependabot-rebase.yml | error |
| TalkTerm | unpinned-actions-pr-review-mention.yml | error |
Dependabot Configuration (4 finding(s))
Remediation: per-repo .github/dependabot.yml
Affected repos: .github-private, google-app-scripts
| Repo | Check | Severity |
|---|---|---|
| .github-private | missing-github-actions-ecosystem | error |
| .github-private | missing-security-label | warning |
| .github-private | missing-dependencies-label | warning |
| google-app-scripts | wrong-limit-npm | warning |
CLAUDE.md / AGENTS.md References (1 finding(s))
Remediation: per-repo doc updates
Affected repos: .github-private
| Repo | Check | Severity |
|---|---|---|
| .github-private | claude-md-missing-agents-ref | error |
Generated by the weekly compliance audit on 2026-05-12 19:00 UTC.
Address each remediation category as a single coordinated PR to avoid duplicate agent work.