Skip to content

feat(security): add Legitify SCM posture audit#472

Merged
nullvariant merged 2 commits into
mainfrom
feat/legitify-scm-posture-audit
Apr 16, 2026
Merged

feat(security): add Legitify SCM posture audit#472
nullvariant merged 2 commits into
mainfrom
feat/legitify-scm-posture-audit

Conversation

@nullvariant

Copy link
Copy Markdown
Owner

Summary

  • Add Legitify SCM posture audit as a new job in security.yml — weekly repository-configuration audit running on the existing daily schedule (skipped on PRs)
  • Pin to Legit-Labs/legitify@002049404ef93b207048323fe996eb2330327031 (v1.0.11)
  • Publish findings to the GitHub Security tab via SARIF upload
  • Scope limited to this repository (analyze_self_only: true) with a read-only fine-grained PAT

What changed

  • .github/workflows/security.yml: new legitify-analyze job. No checkout step — Legitify queries the GitHub API directly; the composite action only checks out its own source when compile_legitify=true (not used here)
  • SECURITY.md: document under CI/CD Security; register SCM_TOKEN in Repository Secrets, Provider Links, and Token Details
  • GOVERNANCE.md: add SCM Posture Audit as a sekimori-ishi immediately after Branch Protection

Rationale

The existing badge collection covers code/dependency-level posture (CodeQL, Semgrep, Scorecard, Snyk, FOSSA). Legitify covers repository-configuration-level posture — branch protection settings, actions settings, webhook hygiene — which is otherwise unaudited. Keeping this in security.yml (rather than a standalone workflow) preserves a single source of truth for security checks.

Pre-merge owner actions

  • Create SCM_TOKEN (Fine-grained PAT): scope this repository only; permissions: Metadata (R), Contents (R), Administration (R); expires 2026-07-15
  • Register SCM_TOKEN in repository secrets

Test plan

  • After merge, trigger workflow_dispatch manually and verify the job succeeds
  • Check Actions logs for missing permission warnings from Legitify
  • Verify findings appear in GitHub Security → Code Scanning Alerts
  • Observe 2–3 runs to assess whether the badge stays green even when posture violations are detected

Security considerations

  • Top-level permissions: {} preserved; job-level permissions limited to contents: read + security-events: write
  • SCM_TOKEN is skipped on pull requests (if: github.event_name != 'pull_request') to prevent exposure in untrusted PR contexts
  • Harden-Runner egress-policy: audit matches existing security.yml jobs; migration to block is tracked as a follow-up

Integrate weekly SCM posture audit via Legit-Labs/legitify v1.0.11
(SHA-pinned) as a new job in security.yml. Findings publish to the
GitHub Security tab via SARIF upload. Scope is limited to this
repository (analyze_self_only: true) with a read-only fine-grained PAT.

- security.yml: legitify-analyze job (PR skip, no checkout, SARIF upload)
- SECURITY.md: document under CI/CD Security, register SCM_TOKEN secret
- GOVERNANCE.md: add as a sekimori-ishi after Branch Protection

Signed-off-by: Null;Variant <null@nullvariant.com>

🖥️ IDE: [VS Code](https://code.visualstudio.com/)
🔌 Extension: [Claude Code](https://claude.ai/download)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Model-Raw: claude-opus-4-6
@nullvariant-slow

nullvariant-slow Bot commented Apr 16, 2026

Copy link
Copy Markdown
Contributor

🦥 Slow's Code Review 😩

...yawn... Do I really have to review this?

⚠️ TOO LONG... I can barely keep my eyes open reading these:

File Lines

| extensions/git-id-switcher/src/ui/documentationInternal.ts | 505 |

Split it up... reading long files is exhausting.


働きたくないでござる

This review was reluctantly filed by nullvariant-slow[bot]

@nullvariant-mimi

nullvariant-mimi Bot commented Apr 16, 2026

Copy link
Copy Markdown
Contributor

🐰 Mimi's Validation Report ✅

All checks are looking good! Great job! 🎉

⏳ Some checks are still running. I will keep watching!


バリデーターを通してくださいね

This report was carefully prepared by nullvariant-mimi[bot]

@github-actions

github-actions Bot commented Apr 16, 2026

Copy link
Copy Markdown
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/Legit-Labs/legitify 002049404ef93b207048323fe996eb2330327031 🟢 4.2
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Security-Policy🟢 10security policy file detected
Dangerous-Workflow⚠️ 0dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Binary-Artifacts🟢 10no binaries found in the repo
Fuzzing⚠️ 0project is not fuzzed
Packaging⚠️ -1packaging workflow not detected
License🟢 10license file detected
Pinned-Dependencies🟢 7dependency not pinned by hash detected -- score normalized to 7
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
Signed-Releases⚠️ 21 out of the last 5 releases have a total of 1 signed artifacts.
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0

Scanned Files

  • .github/workflows/security.yml

@nullvariant-ciel

nullvariant-ciel Bot commented Apr 16, 2026

Copy link
Copy Markdown
Contributor

🕊️ Ciel's Mediation ☀️

*~~ gliding on a gentle breeze ~~ How serene!*

2 zoo members have reviewed this PR.

Zoo Member Status
🦥 Slow Commented
🐰 Mimi Commented

☀️ The zoo is in harmony. Everything looks peaceful from up here.


まあまあ、ほどほどに。

This mediation was peacefully delivered by nullvariant-ciel[bot]

@codecov

codecov Bot commented Apr 16, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

nullvariant-justice[bot]
nullvariant-justice Bot previously approved these changes Apr 16, 2026

@nullvariant-justice nullvariant-justice Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚖️ Justice grants passage. CI checks passed — this code meets the garden's standards.

- Update RELEASE_PAT expiration to 2026-07-15 (rotated)
- Add Token Details entries for RELEASE_PAT and SCM_TOKEN with their
  GitHub token names, consistent with CLOUDFLARE_API_TOKEN format

Signed-off-by: Null;Variant <null@nullvariant.com>

🖥️ IDE: [VS Code](https://code.visualstudio.com/)
🔌 Extension: [Claude Code](https://claude.ai/download)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Model-Raw: claude-opus-4-6
@sonarqubecloud

Copy link
Copy Markdown

@nullvariant-justice nullvariant-justice Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚖️ Justice grants passage. CI checks passed — this code meets the garden's standards.

@nullvariant nullvariant merged commit d9cf999 into main Apr 16, 2026
35 of 37 checks passed
@nullvariant nullvariant deleted the feat/legitify-scm-posture-audit branch April 16, 2026 06:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant