security: scorecard sweep — fix #182/#173, dismiss #8/#175/#179/#180/#181#67
Merged
Conversation
killertcell428
changed the title
…173 fuzz base image, document #8/#179/#180/#181/#175 acceptance Code Scanning sweep (2026-05-19): Fixes: - .github/workflows/paper-review.yml: move contents/issues/pull-requests write from top-level to job-level; top-level becomes contents:read (#182). - .clusterfuzzlite/Dockerfile: pin gcr.io/oss-fuzz-base/base-builder-python by sha256:e24e8e50... matching the digest-pin convention used in the main Dockerfile (#173). Governance documentation (docs/scorecard-governance-setup.html): - §1: document current branch-protection state and dismiss rationale for #8 (solo-dev: required_approving_review_count=0 is intentional). - §6.1 (new): acceptance policy for job-level contents:write — applies to #179 (release.yml), #180 (sync-zenn-qiita.yml), #181 (zenn-deploy-trigger.yml). Top-level contents:read remains mandatory. - §6.2 (new): acceptance policy for local-source pip install — applies to #175 (.clusterfuzzlite/build.sh). - §6.3: #174 (Dockerfile pip hash-pin) explicitly deferred. Audit report: - docs/scorecard-alerts-2026-05-19.html: per-alert triage with risk assessment, proposed fix, and dismiss rationale. Already dismissed via Code Scanning API: #8, #175, #179, #180, #181. #182 and #173 will close automatically on next Scorecard run. Deferred: #174 (hash-pin trade-off), #57 (OpenSSF badge). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Signed-off-by: killertcell428 <killertcell428@gmail.com>
Signed-off-by: killertcell428 <killertcell428@gmail.com>
killertcell428
force-pushed
the
claude/strange-kilby-0ebba9
branch
from
aafdb42 to
7d993af
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
OpenSSF Scorecard が検出した Code Scanning アラート 9 件 (High 5 / Medium 3 / Low 1) のうち、修正必須 2 件をコード変更で fix、受容判断 4 件をガバナンス文書に明文化+ Code Scanning API で dismiss 済。
paper-review.ymlの write 権限を job-level へ.clusterfuzzlite/Dockerfileの base image を sha256 digest pinrequired_approving_review_count=0は意図設定 (§1)release.ymlのgithub-releasejob — top-level read + job-level write は正しい構成 (§6.1)sync-zenn-qiita.ymlも同様 (§6.1)zenn-deploy-trigger.ymlも同様 (§6.1)pip install .はローカルソースで攻撃面なし (§6.2)判断保留: #174 (Dockerfile の pip hash-pin: 運用コスト要検討) / #57 (OpenSSF Best Practices badge: 低優先)。
Changes
.github/workflows/paper-review.yml— top-level をcontents: readに、contents/issues/pull-requests: writeを job-level へ移動.clusterfuzzlite/Dockerfile—FROM gcr.io/oss-fuzz-base/base-builder-python@sha256:e24e8e50612617101dd10038502f68268ab45f31d79a3722c230464277a951b3docs/scorecard-governance-setup.html— §1 に現状+ dismiss 文言テンプレ、§6.1/§6.2/§6.3 を新設docs/scorecard-alerts-2026-05-19.html— 9件の精査レポート(新規)Type of change
Test plan
gh workflow run scorecard.ymlpaper-review.ymlの bot PR 作成が引き続き成功すること(job-level permissions で動作確認)Already dismissed via Code Scanning API
5b3879bto1697e8e#8 / #175 / #179 / #180 / #181 (本 PR マージ前に dismiss 完了)🤖 Generated with Claude Code