@@ -19,12 +19,20 @@ concurrency:
1919
2020permissions :
2121 contents : read
22- # security-events: read lets the built-in GITHUB_TOKEN query this
23- # repo's own Dependabot alerts via the Hypatia DependabotAlerts rule
24- # (DA001-DA004). Without this, `scan_from_path` gets HTTP 403 and
25- # the rule silently returns no findings.
26- # See 007-lang/audits/audit-dependabot-automation-gap-2026-04-17.md.
27- security-events : read
22+ # security-events: write serves two purposes (write implies read):
23+ # 1. read — lets the built-in GITHUB_TOKEN query this repo's own
24+ # Dependabot alerts via the Hypatia DependabotAlerts rule
25+ # (DA001-DA004). Without read, `scan_from_path` gets HTTP 403
26+ # and the rule silently returns no findings.
27+ # See 007-lang/audits/audit-dependabot-automation-gap-2026-04-17.md.
28+ # 2. write — lets the "Upload SARIF to code scanning" step publish
29+ # Hypatia findings to the Security → Code scanning page so they
30+ # are triaged/deduplicated like CodeQL alerts instead of living
31+ # only in a build artifact nobody is required to look at.
32+ # See hyperpolymath/burble#35 (SARIF integration).
33+ # This is a single-job workflow, so job-level scoping would not
34+ # narrow the grant further; it stays workflow-level and documented.
35+ security-events : write
2836 # pull-requests: write lets the advisory "Comment on PR with findings"
2937 # step post its summary. Without it the built-in GITHUB_TOKEN gets
3038 # "Resource not accessible by integration" and (absent continue-on-error)
4553 - name : Setup Elixir for Hypatia scanner
4654 uses : erlef/setup-beam@fc68ffb90438ef2936bbb3251622353b3dcb2f93 # v1.18.2
4755 with :
48- elixir-version : ' 1.19.4 '
49- otp-version : ' 28.3 '
56+ elixir-version : ' 1.18 '
57+ otp-version : ' 27 '
5058
5159 - name : Clone Hypatia
5260 run : |
@@ -103,6 +111,143 @@ jobs:
103111 path : hypatia-findings.json
104112 retention-days : 90
105113
114+ - name : Convert Hypatia findings to SARIF
115+ # Always runs (no findings_count guard): an EMPTY SARIF run is
116+ # valid and intentional — uploading it clears stale Hypatia
117+ # alerts from the code-scanning page when a repo goes clean.
118+ # The converter is dependency-free Node (Node ships on
119+ # ubuntu-latest; no npm install — estate npm ban respected) and
120+ # is hardened against the heterogeneous Hypatia JSON schema:
121+ # most findings are {rule_module,severity,type,file,reason,
122+ # action}; only some carry an integer `line`; `file` may be
123+ # empty or absolute. See lib/hypatia/cli.ex (collect_findings).
124+ run : |
125+ cat > "$RUNNER_TEMP/hypatia-sarif.cjs" <<'CJS'
126+ const fs = require('fs');
127+ const path = require('path');
128+ const crypto = require('crypto');
129+
130+ const ws = process.env.GITHUB_WORKSPACE || process.cwd();
131+
132+ let findings = [];
133+ try {
134+ const parsed = JSON.parse(fs.readFileSync('hypatia-findings.json', 'utf8'));
135+ if (Array.isArray(parsed)) findings = parsed;
136+ } catch (_) {
137+ // Scanner unavailable / empty / malformed -> empty SARIF.
138+ // Intentionally clears stale alerts rather than erroring.
139+ findings = [];
140+ }
141+
142+ // Mirrors Hypatia's own "github" annotation mapping
143+ // (lib/hypatia/cli.ex output/2): critical|high -> error,
144+ // medium -> warning, everything else -> note.
145+ const levelFor = (sev) => {
146+ switch (String(sev || '').toLowerCase()) {
147+ case 'critical':
148+ case 'high': return 'error';
149+ case 'medium': return 'warning';
150+ default: return 'note';
151+ }
152+ };
153+
154+ // SARIF artifactLocation.uri must be a repo-relative POSIX
155+ // path. Hypatia may emit absolute paths (scanned under
156+ // $GITHUB_WORKSPACE) or "" / "." for repo-level findings.
157+ const relUri = (file) => {
158+ if (!file) return '.';
159+ let f = String(file);
160+ if (path.isAbsolute(f)) {
161+ const rel = path.relative(ws, f);
162+ f = (rel && !rel.startsWith('..')) ? rel : path.basename(f);
163+ }
164+ f = f.replace(/\\/g, '/').replace(/^\.\//, '');
165+ return f || '.';
166+ };
167+
168+ const rules = new Map();
169+ const results = findings.map((f) => {
170+ const mod = String(f.rule_module || 'hypatia');
171+ const type = String(f.type || 'finding');
172+ const ruleId = `hypatia/${mod}/${type}`;
173+ const level = levelFor(f.severity);
174+ if (!rules.has(ruleId)) {
175+ rules.set(ruleId, {
176+ id: ruleId,
177+ name: `${mod}.${type}`,
178+ shortDescription: { text: `Hypatia ${mod}: ${type}` },
179+ defaultConfiguration: { level }
180+ });
181+ }
182+ const uri = relUri(f.file);
183+ const msg = String(f.reason || f.type || 'Hypatia finding');
184+ const startLine =
185+ Number.isInteger(f.line) && f.line > 0 ? f.line : 1;
186+ // Stable cross-run fingerprint for dedupe (no line, so a
187+ // moved finding in the same file/rule stays one alert).
188+ const fp = crypto
189+ .createHash('sha256')
190+ .update([ruleId, uri, type, msg].join('|'))
191+ .digest('hex');
192+ return {
193+ ruleId,
194+ level,
195+ message: { text: msg },
196+ locations: [
197+ {
198+ physicalLocation: {
199+ artifactLocation: { uri },
200+ region: { startLine }
201+ }
202+ }
203+ ],
204+ partialFingerprints: { 'hypatiaFindingHash/v1': fp }
205+ };
206+ });
207+
208+ const sarif = {
209+ $schema: 'https://json.schemastore.org/sarif-2.1.0.json',
210+ version: '2.1.0',
211+ runs: [
212+ {
213+ tool: {
214+ driver: {
215+ name: 'Hypatia',
216+ informationUri: 'https://github.com/hyperpolymath/hypatia',
217+ rules: Array.from(rules.values())
218+ }
219+ },
220+ results
221+ }
222+ ]
223+ };
224+
225+ fs.writeFileSync('hypatia.sarif', JSON.stringify(sarif, null, 2));
226+ console.log(`hypatia.sarif written: ${results.length} result(s).`);
227+ CJS
228+ node "$RUNNER_TEMP/hypatia-sarif.cjs"
229+
230+ name : Upload SARIF to GitHub code scanning
231+ # Fork PRs get a read-only GITHUB_TOKEN, so security-events:write
232+ # is unavailable and upload-sarif cannot publish — skip there
233+ # rather than hard-fail (the push/schedule run on the default
234+ # branch is the authoritative upload). Same-repo PRs and pushes
235+ # do upload. This step is deliberately NOT continue-on-error:
236+ # if the security-surface integration breaks we want a loud red,
237+ # not a silently-ungated scanner (the exact failure mode #35
238+ # exists to end). The empty-SARIF "clear stale alerts" path is
239+ # handled in the converter above and does not error here.
240+ if : >-
241+ always() &&
242+ (github.event_name != 'pull_request' ||
243+ github.event.pull_request.head.repo.fork != true)
244+ uses : github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v3.28.1
245+ with :
246+ sarif_file : hypatia.sarif
247+ # Distinct category so Hypatia results coexist with CodeQL's
248+ # (codeql.yml) instead of overwriting them on the same surface.
249+ category : hypatia
250+
106251 - name : Submit findings to gitbot-fleet (Phase 2)
107252 if : steps.scan.outputs.findings_count > 0
108253 # Phase 2 is the collaborative LEARNING side-channel ("bots share
@@ -174,11 +319,21 @@ jobs:
174319
175320name : Check for critical issues
176321 if : steps.scan.outputs.critical > 0
322+ # GATING POLICY (explicit, by design — not an oversight):
323+ # Hypatia is ADVISORY here. Critical findings are surfaced
324+ # (step annotation + SARIF alert on the code-scanning page +
325+ # PR comment) but do NOT fail this check. Enforcement is
326+ # delegated to the code-scanning surface: tighten by adding a
327+ # branch-protection "required" status on the `hypatia` SARIF
328+ # category, not by reintroducing an `exit 1` here. This keeps
329+ # the gate decision in one auditable place (hypatia#213 gate
330+ # decoupling) and lets a repo opt into fail-on-critical without
331+ # editing this canonical workflow. To change the policy, change
332+ # branch protection — deliberately no commented-out `exit 1`.
177333 run : |
178- echo "⚠️ Critical security issues found!"
179- echo "Review hypatia-findings.json for details"
180- # Don't fail the build yet - just warn
181- # exit 1
334+ echo "::warning::Hypatia found critical security issue(s) — advisory."
335+ echo "See the Security → Code scanning page (category: hypatia)"
336+ echo "and the hypatia-findings.json artifact for details."
182337
183338name : Generate scan report
184339 run : |
@@ -200,9 +355,14 @@ jobs:
200355
201356 ## Next Steps
202357
203- 1. Review findings in the artifact: hypatia-findings.json
204- 2. Auto-fixable issues will be addressed by robot-repo-automaton (Phase 3)
205- 3. Manual review required for complex issues
358+ 1. Triage findings on the **Security → Code scanning** page
359+ (SARIF category \`hypatia\`) — dismiss/track them there like
360+ CodeQL alerts.
361+ 2. The full finding set is also attached as the
362+ \`hypatia-findings.json\` build artifact for offline review.
363+ 3. Findings are **advisory** today (surfaced, not gated); the
364+ gating policy is documented in the workflow's "Check for
365+ critical issues" step.
206366
207367 ## Learning
208368
0 commit comments