Skip to content

ci: harden security-scanning workflows (Scorecard code-scanning alerts)#259

Open
seonghobae wants to merge 2 commits into
developfrom
fix/code-scanning-alerts
Open

ci: harden security-scanning workflows (Scorecard code-scanning alerts)#259
seonghobae wants to merge 2 commits into
developfrom
fix/code-scanning-alerts

Conversation

@seonghobae

Copy link
Copy Markdown
Contributor

Summary

Remediates the OPEN Scorecard code-scanning alerts that point at workflow files in this repo by applying the secure fix directly. The repo already SHA-pins its other actions and uses least-privilege tokens elsewhere — these were the remaining gaps. No runtime/Python code changed; workflow behaviour is unchanged.

Alerts fixed in code (auto-close on next Scorecard scan of develop)

Token-Permissions (least-privilege GITHUB_TOKEN)

Pinned-Dependencies (pin actions by commit SHA)

Not addressed here (org/admin policy, not code — central config/tooling)

These Scorecard findings are repository/organization settings or opinionated policy and cannot be fixed by a code change in this repo:

None are false positives, so none were dismissed.

🤖 Generated with Claude Code

Seongho Bae and others added 2 commits July 9, 2026 01:28
…pinned actions)

Resolves the OPEN Scorecard code-scanning alerts that point at workflow
files by applying the secure fix directly (repo already SHA-pins other
actions; these were the gaps).

Token-Permissions (least-privilege GITHUB_TOKEN):
- Alert #5  security-process.yml: drop top-level `security-events: write`
  and `actions: read`; grant `security-events: write`/`actions: read`
  only on the trivy-fs job that uploads SARIF. appguardrail-scan keeps
  `contents: read`.
- Alerts #3, #4  prepare-pypi-release.yml: top-level token reduced to
  `contents: read`; `actions: write`/`contents: write`/`pull-requests:
  write` moved to the single prepare-release job (all are required by
  its dispatch/commit/PR steps).

Pinned-Dependencies (pin actions by commit SHA):
- Alert #7  security-process.yml: aquasecurity/trivy-action v0.36.0
  -> ed142fd0673e97e23eac54620cfb913e5ce36c25
- Alert #8  security-process.yml: github/codeql-action/upload-sarif v4
  -> 99df26d4f13ea111d4ec1a7dddef6063f76b97e9 (v4.37.0)
- Alert #6  org-security-failure-collector.yml:
  actions/create-github-app-token v3
  -> bcd2ba49218906704ab6c1aa796996da409d3eb1 (v3.2.0)

These alerts auto-close on the next Scorecard run against develop.
No runtime/Python code changed; workflow behaviour is unchanged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RTAMs4bpSZS77Xe3RQjv9P
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant