| title | Gates reference |
|---|---|
| diataxis_type | reference |
Every gate is a thin, SHA-pinned caller of a central
modeled-information-format/.github reusable workflow. The scanning gates normalize on
SARIF and surface in the repository Security tab; the "Code scanning results"
check is the actual merge gate, so those gates soft-fail (report findings, do
not fail their own job). A few gates hard-fail by design — they block
directly.
Every gate is risk-reducing, not risk-eliminating. A scanner reports the classes of problem it knows about; passing a gate is not a proof of safety.
| Gate | Tool | Reusable | Fail mode | Release predicate |
|---|---|---|---|---|
| SAST | CodeQL (languages: actions) |
reusable-sast-codeql.yml |
soft (Security tab) | sast/v1 |
| SCA | OSV-Scanner + dependency review | reusable-sca-osv.yml |
soft (Security tab) | sca/v1 |
| License / misconfig | Trivy | reusable-trivy.yml |
soft (Security tab) | iac-license/v1 |
| ShellCheck | ShellCheck | reusable-shellcheck.yml |
soft (Security tab) | shellcheck/v1 |
| Semgrep | Semgrep | reusable-semgrep.yml |
soft (Security tab) | semgrep/v1 |
| Secrets | Gitleaks + TruffleHog | reusable-secrets.yml |
hard — TruffleHog hard-fails on verified live secrets | secrets/v1 |
| Manifest review | manifest-review | reusable-manifest-review.yml |
hard | manifest/v1 |
| Scorecard | OpenSSF Scorecard | reusable-scorecard.yml |
soft (Security tab) | — (repo-level signal, not an artifact verdict) |
| pin-check | (assert every uses: is a 40-char SHA) |
pin-check.yml |
hard (required check) | — |
| Manifest validation | claude plugin validate |
inline (canonical) | hard | — |
- SAST (CodeQL). This repo's own GitHub Actions workflow YAML, not the plugin payloads — see the CodeQL note below.
- SCA (OSV). Dependencies of bundled MCP servers.
- License / misconfig (Trivy). The repo and its bundled assets for license and misconfiguration findings.
- ShellCheck. Hook scripts (e.g.
plugins/*/hooks/*.sh). - Semgrep. MCP-server and other source for code-pattern findings.
- Secrets. Repo history and working tree. TruffleHog hard-fails when it verifies a live secret — a verified credential blocks, it does not merely report.
- Manifest review.
marketplace.jsonand the plugin manifests, asserting the marketplace-integrity invariants: every external plugin source is SHA-pinned, the marketplacenameis not a reserved name, and required fields are present. - Scorecard. Repo-level supply-chain posture; informational, not an artifact verdict.
claude plugin validate. The canonical structural check of the catalog and plugin manifests.
CodeQL has no HCL or plugin extractor. CodeQL works by extracting a queryable database from source in a language it understands; there is no extractor for plugin manifests, hooks, or skills. So the SAST gate is configured
languages: actions— it analyzes this repo's own workflow YAML, which is a supported CodeQL target and a real supply-chain attack surface. Plugin shell, source, and manifests are covered instead by ShellCheck, Semgrep, secret scanning, and manifest-review. "SAST is green" must not be misread as "the plugin payload was statically analyzed by CodeQL" — it was not.
At release, each artifact-characterizing gate verdict is turned into a signed, digest-bound attestation, then re-checked fail-closed before publish.
| Produces | Signer | Predicate |
|---|---|---|
| SLSA build provenance (per plugin tarball) | this repo's release workflow (actions/attest-build-provenance) |
https://slsa.dev/provenance/v1 |
| CycloneDX SBOM (per plugin tarball) | this repo's release workflow (Syft + actions/attest-sbom) |
https://cyclonedx.org/bom |
| SAST verdict | seam (reusable-attest-scan.yml) |
.../attestations/sast/v1 |
| SCA verdict | seam | .../attestations/sca/v1 |
| License / misconfig verdict | seam | .../attestations/iac-license/v1 |
| ShellCheck verdict | seam | .../attestations/shellcheck/v1 |
| Semgrep verdict | seam | .../attestations/semgrep/v1 |
| Secrets verdict | seam | .../attestations/secrets/v1 |
| Manifest-review verdict | seam | .../attestations/manifest/v1 |
marketplace.json catalog signature |
this repo's signing workflow (cosign keyless) | — (cosign blob bundle, not an in-toto predicate) |
The custom-predicate namespace is
https://modeled-information-format.github.io/attestations/<gate>/v1.
Signed ≠ passed. A verified attestation proves a gate ran and recorded a verdict bound to the artifact digest. The verdict itself is in the predicate body.
The five plugin-specific gate reusables — reusable-shellcheck.yml,
reusable-semgrep.yml, reusable-secrets.yml, reusable-manifest-review.yml,
and the cosign-sign reusable — are proposed in
modeled-information-format/.github#12
and not yet merged. Their callers are pinned to the PR branch commit
d4467d5 until #12 merges, then re-pinned to the merged main SHA.
Dependabot's github-actions updater keeps the pins fresh.