This adds the self-contained org security scanner as .github/workflows/security.yml.
Advisory only — this does not block merges. On each PR it:
- runs OSV-Scanner on dependencies,
- runs a Claude (Bedrock) review across four phases (pr-review, architecture, taint, deps),
- posts a sticky Security Scanner Results comment with findings.
The in-job Security Gate ships disabled (BLOCK_ON_SEVERITY: none). To enforce later, set BLOCK_ON_SEVERITY: critical in the workflow and add the AI security scan (phases 1-4) check to this repo's branch protection.
Bedrock auth is via GitHub OIDC (no secrets). Optional org secrets: SCANNER_STATS_URL / SCANNER_STATS_TOKEN (monitoring), SOCKET_API_TOKEN (Socket MCP).
Scope: this PR adds only a new CI workflow (.github/workflows/security.yml). No application code or dependency manifests changed, so no product-code vulnerabilities are introduced and no dependencies are made newly reachable. Phases run: pr-review, architecture, taint, deps.
| Severity | Code findings |
| --- | --- |
| 🔴 Critical | 0 |
| 🟠 High | 0 |
| 🟡 Medium | 0 |
| 🔵 Low | 3 |
| ⚪ Info | 2 |
Findings
⚪ PR adds only a CI workflow; no application code or dependency changes — .github/workflows/security.yml:1
🔵 Scanner agent is allowed Bash(gh api:*), enabling arbitrary authenticated GitHub API calls — .github/workflows/security.yml:197
🔵 OSV-Scanner binary fetched from latest release and executed without pinning or checksum — .github/workflows/security.yml:38
⚪ 94 OSV-flagged transitive packages are pre-existing, not introduced by this PR — .security-scan/osv-results.json:1
Dependencies
OSV reports 94 vulnerable transitive packages (14 critical, 40 high, 32 medium, 8 low) from an older CRA/webpack-era tree. This PR changes no manifest or lockfile, so all are pre-existing — recorded as INFO / not reachable via this change, action INFO, none BLOCK. Socket depscore enrichment was unavailable (the Socket MCP requires interactive OAuth, absent in this headless run). Recommend a separate dependency-upgrade effort.
No critical findings — no inline comments posted. Advisory only; the Security gate owns the verdict.
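The finding above about the OSV-Scanner binary being fetched from the latest release without pinning or a checksum is normally addressed by downloading a fixed release tag and verifying its SHA-256 before installing it. The following is an added example, not code from this PR or its workflow; `sha256_of`, `verify_and_install`, `OSV_VERSION` and `OSV_SHA256` are hypothetical names, and the version and hash are placeholders the page does not supply.

```shell
#!/usr/bin/env sh
# Added example: install a downloaded tool only if its SHA-256 matches a pinned value.
# OSV_VERSION and OSV_SHA256 are placeholders; take real values from the release
# you have reviewed and commit them alongside the workflow.

# Print the lowercase hex SHA-256 of a file (GNU coreutils, or shasum on BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_and_install <downloaded-file> <expected-sha256> <dest>
# Status 0 and file installed on match; status 1 and nothing installed otherwise.
# The body runs in a subshell "( ... )" so its variables stay private and
# "exit" only ends the function, not the calling script.
verify_and_install() (
  src="$1"; expected="$2"; dest="$3"
  # Fail closed if the pin is empty or not 64 hex characters (e.g. unset variable).
  if ! printf '%s' "$expected" | grep -Eqi '^[0-9a-f]{64}$'; then
    echo "pinned checksum missing or malformed" >&2
    exit 1
  fi
  expected="$(printf '%s' "$expected" | tr 'A-F' 'a-f')"
  actual="$(sha256_of "$src")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $src: got ${actual:-<none>}" >&2
    exit 1
  fi
  install -m 0755 "$src" "$dest"
)

# Intended use in a workflow step (assumed asset name; fixed tag, never "latest"):
#   curl -fsSL -o /tmp/osv-scanner \
#     "https://github.com/google/osv-scanner/releases/download/${OSV_VERSION}/osv-scanner_linux_amd64"
#   verify_and_install /tmp/osv-scanner "$OSV_SHA256" /usr/local/bin/osv-scanner
```

Because the function refuses an empty or malformed pin, a missing `OSV_SHA256` variable fails the step instead of silently skipping verification.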
Add bookmd security scanner (advisory)
🤖 Generated with Claude Code