feat(security): add Legitify SCM posture audit#472
Conversation
Integrate weekly SCM posture audit via Legit-Labs/legitify v1.0.11 (SHA-pinned) as a new job in security.yml. Findings publish to the GitHub Security tab via SARIF upload. Scope is limited to this repository (analyze_self_only: true) with a read-only fine-grained PAT. - security.yml: legitify-analyze job (PR skip, no checkout, SARIF upload) - SECURITY.md: document under CI/CD Security, register SCM_TOKEN secret - GOVERNANCE.md: add as a sekimori-ishi after Branch Protection Signed-off-by: Null;Variant <null@nullvariant.com> 🖥️ IDE: [VS Code](https://code.visualstudio.com/) 🔌 Extension: [Claude Code](https://claude.ai/download) Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Model-Raw: claude-opus-4-6
🦥 Slow's Code Review 😩...yawn... Do I really have to review this?
| Split it up... reading long files is exhausting.
This review was reluctantly filed by nullvariant-slow[bot] |
🐰 Mimi's Validation Report ✅All checks are looking good! Great job! 🎉 ⏳ Some checks are still running. I will keep watching!
This report was carefully prepared by nullvariant-mimi[bot] |
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.OpenSSF Scorecard
Scanned Files
|
🕊️ Ciel's Mediation ☀️*~~ gliding on a gentle breeze ~~ How serene!* 2 zoo members have reviewed this PR.
☀️ The zoo is in harmony. Everything looks peaceful from up here.
This mediation was peacefully delivered by nullvariant-ciel[bot] |
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
- Update RELEASE_PAT expiration to 2026-07-15 (rotated) - Add Token Details entries for RELEASE_PAT and SCM_TOKEN with their GitHub token names, consistent with CLOUDFLARE_API_TOKEN format Signed-off-by: Null;Variant <null@nullvariant.com> 🖥️ IDE: [VS Code](https://code.visualstudio.com/) 🔌 Extension: [Claude Code](https://claude.ai/download) Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Model-Raw: claude-opus-4-6
|



Summary
security.yml— weekly repository-configuration audit running on the existing daily schedule (skipped on PRs)Legit-Labs/legitify@002049404ef93b207048323fe996eb2330327031(v1.0.11)analyze_self_only: true) with a read-only fine-grained PATWhat changed
.github/workflows/security.yml: newlegitify-analyzejob. No checkout step — Legitify queries the GitHub API directly; the composite action only checks out its own source whencompile_legitify=true(not used here)SECURITY.md: document underCI/CD Security; registerSCM_TOKENin Repository Secrets, Provider Links, and Token DetailsGOVERNANCE.md: addSCM Posture Auditas a sekimori-ishi immediately afterBranch ProtectionRationale
The existing badge collection covers code/dependency-level posture (CodeQL, Semgrep, Scorecard, Snyk, FOSSA). Legitify covers repository-configuration-level posture — branch protection settings, actions settings, webhook hygiene — which is otherwise unaudited. Keeping this in
security.yml(rather than a standalone workflow) preserves a single source of truth for security checks.Pre-merge owner actions
SCM_TOKEN(Fine-grained PAT): scope this repository only; permissions: Metadata (R), Contents (R), Administration (R); expires 2026-07-15SCM_TOKENin repository secretsTest plan
workflow_dispatchmanually and verify the job succeedsmissing permissionwarnings from LegitifySecurity considerations
permissions: {}preserved; job-level permissions limited tocontents: read+security-events: writeSCM_TOKENis skipped on pull requests (if: github.event_name != 'pull_request') to prevent exposure in untrusted PR contextsegress-policy: auditmatches existingsecurity.ymljobs; migration toblockis tracked as a follow-up