chore(security): standardize SDLC security baseline#21
Conversation
Align repo with the standardized security baseline across all public projects: - Add Dependency Review (PR gate blocking known-vulnerable deps). - Add OpenSSF Scorecard (supply-chain posture, reports to Security tab). - Add Bandit Python SAST (Python repos only; replaces OSSAR coverage). - Dependabot: add github-actions ecosystem + grouped updates. - Remove redundant/dead workflows (OSSAR, disabled advanced CodeQL, gitleaks/npm-audit) now covered by CodeQL default setup, native secret scanning + push protection, and Dependabot. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
There was a problem hiding this comment.
Code Review
This pull request updates the Dependabot configuration in .github/dependabot.yml to group Python dependencies and add tracking for GitHub Actions updates. The reviewer correctly pointed out that since the project uses Poetry, the package ecosystem should be configured as poetry instead of pip to ensure Dependabot can properly parse and update the dependencies and lockfile.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| # - pip ecosystem covers Poetry (pyproject.toml / poetry.lock). | ||
| # - github-actions keeps workflow action versions current (supply-chain hardening). | ||
| # Updates are grouped to minimize PR noise. | ||
| version: 2 | ||
| updates: | ||
| - package-ecosystem: "pip" # See documentation for possible values | ||
| directory: "/" # Location of package manifests | ||
| - package-ecosystem: "pip" |
There was a problem hiding this comment.
Dependabot has a dedicated package ecosystem for Poetry. Since this project uses Poetry (pyproject.toml and poetry.lock), you should use poetry instead of pip as the package ecosystem. This ensures Dependabot can correctly parse and update your Poetry dependencies and lockfile.
# - poetry ecosystem covers Poetry (pyproject.toml / poetry.lock).
# - github-actions keeps workflow action versions current (supply-chain hardening).
# Updates are grouped to minimize PR noise.
version: 2
updates:
- package-ecosystem: "poetry"
|
PR Summary by QodoStandardize SDLC security baseline with GitHub-native security workflows
AI Description
Diagram
High-Level Assessment
Files changed (4)
|
Code Review by Qodo
1. Scorecard checkout permission missing
|
| permissions: | ||
| # Needed to upload the results to code-scanning dashboard. | ||
| security-events: write | ||
| # Needed to publish results and get a badge. | ||
| id-token: write |
There was a problem hiding this comment.
1. Scorecard checkout permission missing 🐞 Bug ☼ Reliability
In .github/workflows/scorecard.yml and .github/workflows/bandit.yml, the analysis and bandit jobs set job-level permissions without contents: read, which can prevent actions/checkout from fetching the repository and stop Scorecard/Bandit from running. This occurs because job-level permissions override the workflow-level defaults (including read-all / contents: read).
Agent Prompt
## Issue description
The `analysis` job in the Scorecard workflow and the `bandit` job in the Bandit workflow define job-level permissions but omit `contents: read`, which can prevent `actions/checkout` from accessing the repository and cause the jobs to fail.
## Issue Context
Both workflows set permissive workflow-level defaults (`read-all` or explicit `contents: read`), but job-level `permissions` blocks override those defaults; since the jobs still run `actions/checkout@v4`, they need `contents: read` explicitly when job-level permissions are used.
## Fix Focus Areas
- .github/workflows/scorecard.yml[13-28]
- .github/workflows/bandit.yml[15-26]
ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools




Standardizes this repo against the security baseline shared across all public projects.
Added
github-actionsecosystem + grouped weekly updates.Removed
.github/workflows/ossar.ymlThese were redundant with CodeQL default setup (live), native secret scanning + push protection, and Dependabot — all enabled at the repo level.
Coverage after this PR
🤖 Generated with Claude Code