From 14d8eaa21367f903ea5c6ebb4179620ad2003c25 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Sat, 13 Jun 2026 22:02:05 +0100
Subject: [PATCH 1/4] fix(assail): UnboundedAllocation is Medium, not Critical

Heuristic keyword match at ~70% of all estate Criticals (2026-06-11 estate-loop audit), drowning confirmed findings. Medium reflects actual confirmation strength. Hypatia's ingest already applies the same cap for scans from older binaries; this aligns the source.

Co-Authored-By: Claude Sonnet 4.6
---
 src/assail/analyzer.rs | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/assail/analyzer.rs b/src/assail/analyzer.rs
index 6c49861..ef6bd70 100644
--- a/src/assail/analyzer.rs
+++ b/src/assail/analyzer.rs
@@ -1043,7 +1043,13 @@ impl Analyzer {
 line: None,
 category: WeakPointCategory::UnboundedAllocation,
 location: Some(file_path.to_string()),
- severity: Severity::Critical,
+ // Heuristic keyword match ("potential pattern"), not a
+ // confirmed vulnerability: at Critical this one matcher was
+ // ~70% of all estate Criticals (2026-06-11 estate-loop
+ // audit), drowning confirmed findings. Medium reflects its
+ // confirmation strength; hypatia's ingest applies the same
+ // cap for scans produced by older binaries.
+ severity: Severity::Medium,
 description: format!(
 "Potential unbounded allocation pattern detected in {}",
 file_path
From fc32a1cf6383b4536d4eb294e1b0532fee9cd935 Mon Sep 17 00:00:00 2001
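Review bot: The six-line comment above `severity: Severity::Medium` inlines a dated audit statistic (~70% of estate Criticals, 2026-06-11) that will go stale in source while the commit message already records it; a shorter comment stating the invariant would age better, e.g. `// Heuristic keyword match, not a confirmed finding: capped at Medium so it` / `// cannot outrank confirmed results (hypatia's ingest applies the same cap).` The comment also asserts behaviour of hypatia's ingest that this file cannot enforce, so if either side changes its cap the two will silently diverge; a named constant for the heuristic ceiling, referenced from both places, would make the coupling visible rather than prose-only. The struct literal's enclosing function starts and ends outside the hunk.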
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Sun, 21 Jun 2026 00:56:29 +0100
Subject: [PATCH 2/4] ci: adopt standards reusable workflows for Scorecard, Hypatia, and Governance
---
 .github/workflows/governance.yml | 24 +------
 .github/workflows/hypatia-scan.yml | 18 ++---
 .github/workflows/scorecard-enforcer.yml | 83 ------------------------
 .github/workflows/scorecard.yml | 23 +++----
 4 files changed, 17 insertions(+), 131 deletions(-)
 delete mode 100644 .github/workflows/scorecard-enforcer.yml

diff --git a/.github/workflows/governance.yml b/.github/workflows/governance.yml
index 653ef98..2674263 100644
--- a/.github/workflows/governance.yml
+++ b/.github/workflows/governance.yml
@@ -1,34 +1,16 @@
-# SPDX-License-Identifier: MPL-2.0
-# governance.yml — single wrapper calling the shared estate governance bundle
-# in hyperpolymath/standards instead of carrying per-repo copies.
-#
-# Replaces the per-repo governance scaffolding removed in the same commit:
-# quality.yml, guix-nix-policy.yml, npm-bun-blocker.yml, ts-blocker.yml,
-# security-policy.yml, rsr-antipattern.yml, wellknown-enforcement.yml,
-# workflow-linter.yml
-#
-# Load-bearing build/security workflows stay standalone in the repo
-# (rust-ci, codeql, dependabot, release, scan/mirror/pages plumbing).
-
+# SPDX-License-Identifier: PMPL-1.0-or-later
 name: Governance

 on:
 push:
 branches: [main, master]
 pull_request:
+ branches: [main, master]
 workflow_dispatch:

-# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
-# updates do not pile up queued runs against the shared account-wide
-# Actions concurrency pool. Applied only to read-only check workflows
-# (no publish/mutation), so cancelling a superseded run is always safe.
-concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
- cancel-in-progress: true
-
 permissions:
 contents: read

 jobs:
 governance:
- uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@main
+ uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@b89b2ef1e98928fce53a85e83c37f23a1d99f6d3
diff --git a/.github/workflows/hypatia-scan.yml b/.github/workflows/hypatia-scan.yml
index bf6304a..736b63f 100644
--- a/.github/workflows/hypatia-scan.yml
+++ b/.github/workflows/hypatia-scan.yml
@@ -1,7 +1,4 @@
-# SPDX-License-Identifier: MPL-2.0
-# Thin wrapper around hyperpolymath/standards hypatia-scan-reusable.yml.
-# See standards#191 for the reusable's purpose and design.
-
+# SPDX-License-Identifier: PMPL-1.0-or-later
 name: Hypatia Security Scan

 on:
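Review bot: The `concurrency` block (group `${{ github.workflow }}-${{ github.ref }}`, `cancel-in-progress: true`) is removed with no replacement visible in the caller; unless `governance-reusable.yml` at `b89b2ef…` declares its own, superseded runs of this workflow will queue again, which is exactly the condition the removed comment warned about. If the reusable handles it, a one-line note such as `# concurrency: handled by the reusable workflow` on the `governance:` job would stop the next reader re-adding it. The SPDX header also changes from `MPL-2.0` to `PMPL-1.0-or-later` here and in hypatia-scan.yml and scorecard.yml, which the commit subject (`ci: adopt standards reusable workflows`) does not mention. Pinning the reusable to a SHA instead of `@main` is an improvement; pairing it with a `# <tag>` comment, as the removed scorecard-enforcer.yml did for its actions, keeps the release it corresponds to readable.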
@@ -13,17 +10,10 @@ on:
 - cron: '0 0 * * 0'
 workflow_dispatch:

-# Estate guardrail: cancel superseded runs so re-pushes don't pile up.
-concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
- cancel-in-progress: true
-
 permissions:
 contents: read
- security-events: write
- pull-requests: write
+ security-events: read

 jobs:
- hypatia:
- uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@5eb28d7d8790d5389b7b6a5233fe6265a775e3d0
- secrets: inherit
+ scan:
+ uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@b89b2ef1e98928fce53a85e83c37f23a1d99f6d3
diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml
deleted file mode 100644
index c37d76c..0000000
--- a/.github/workflows/scorecard-enforcer.yml
+++ /dev/null
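Review bot: Caller permissions are the ceiling for a reusable workflow's `GITHUB_TOKEN`, and this hunk lowers `security-events` from `write` to `read` while also dropping `pull-requests: write` and `secrets: inherit`; if `hypatia-scan-reusable.yml` at `b89b2ef…` uploads SARIF to code scanning or comments on pull requests, those steps will now fail with a permissions error rather than being skipped. The same reduction happens in scorecard.yml in this commit, where the job-level `security-events: write` and `id-token: write` are removed; the deleted scorecard-enforcer.yml shows `id-token: write # For OIDC` next to `publish_results: true`, so the Scorecard publish path is the one most likely to break. If the reusables genuinely need only read access now, the change is fine, but it is worth confirming against that SHA and recording it, e.g. `security-events: read # reusable does not upload SARIF`, so the reduction reads as deliberate rather than accidental.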
@@ -1,83 +0,0 @@
-# SPDX-License-Identifier: MPL-2.0
-# Prevention workflow - runs OpenSSF Scorecard and fails on low scores
-name: OpenSSF Scorecard Enforcer
-
-on:
- push:
- branches: [main]
- schedule:
- - cron: '0 6 * * 1' # Weekly on Monday
- workflow_dispatch:
-
-# Estate guardrail: cancel superseded runs so re-pushes / rebased PR
-# updates do not pile up queued runs against the shared account-wide
-# Actions concurrency pool. Applied only to read-only check workflows
-# (no publish/mutation), so cancelling a superseded run is always safe.
-concurrency:
- group: ${{ github.workflow }}-${{ github.ref }}
- cancel-in-progress: true
-
-permissions:
- contents: read
-
-jobs:
- scorecard:
- runs-on: ubuntu-latest
- timeout-minutes: 20
- permissions:
- security-events: write
- id-token: write # For OIDC
- steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
-
- - name: Run Scorecard
- uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
- with:
- results_file: results.sarif
- results_format: sarif
- publish_results: true
-
- - name: Upload SARIF
- uses: github/codeql-action/upload-sarif@c6f931105cb2c34c8f901cc885ba1e2e259cf745 # v4
- with:
- sarif_file: results.sarif
-
- - name: Check minimum score
- run: |
- # Parse score from results
- SCORE=$(jq -r '.runs[0].tool.driver.properties.score // 0' results.sarif 2>/dev/null || echo "0")
-
- echo "OpenSSF Scorecard Score: $SCORE"
-
- # Minimum acceptable score (0-10 scale)
- MIN_SCORE=5
-
- if [ "$(echo "$SCORE < $MIN_SCORE" | bc -l)" = "1" ]; then
- echo "::error::Scorecard score $SCORE is below minimum $MIN_SCORE"
- exit 1
- fi
-
- # Check specific high-priority items
- check-critical:
- runs-on: ubuntu-latest
- timeout-minutes: 10
- steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
- - name: Check SECURITY.md exists
- run: |
- if [ ! 
-f "SECURITY.md" ]; then
- echo "::error::SECURITY.md is required"
- exit 1
- fi
-
- - name: Check for pinned dependencies
- run: |
- # Check workflows for unpinned actions
- unpinned=$(grep -r "uses:.*@v[0-9]" .github/workflows/*.yml 2>/dev/null | grep -v "#" | head -5 || true)
- if [ -n "$unpinned" ]; then
- echo "::warning::Found unpinned actions:"
- echo "$unpinned"
- fi
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 3f73a64..0c31a3e 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -1,19 +1,16 @@
-# SPDX-License-Identifier: MPL-2.0
-name: Scorecards supply-chain security
+# SPDX-License-Identifier: PMPL-1.0-or-later
+name: OSSF Scorecard

 on:
- branch_protection_rule:
- schedule:
- - cron: '23 4 * * 1'
 push:
- branches: [main]
+ branches: [main, master]
+ schedule:
+ - cron: '0 4 * * *'
+ workflow_dispatch:

-permissions: read-all
+permissions:
+ contents: read

 jobs:
- analysis:
- permissions:
- security-events: write
- id-token: write
- uses: hyperpolymath/standards/.github/workflows/scorecard-reusable.yml@e0caf11508a3989574713c78f5f444f2ce5e33ef
- secrets: inherit
+ scorecard:
+ uses: hyperpolymath/standards/.github/workflows/scorecard-reusable.yml@b89b2ef1e98928fce53a85e83c37f23a1d99f6d3
From 6ec87583135da443974de5f403e9cf0ffdd81328 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Sun, 21 Jun 2026 01:15:41 +0100
Subject: [PATCH 3/4] ci: adopt standards reusable workflows for Scorecard, Hypatia, and Governance
---
 .github/workflows/governance.yml | 2 +-
 .github/workflows/hypatia-scan.yml | 2 +-
 .github/workflows/scorecard.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/governance.yml b/.github/workflows/governance.yml
index 2674263..31d497f 100644
--- a/.github/workflows/governance.yml
+++ b/.github/workflows/governance.yml
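Review bot: The deleted scorecard-enforcer.yml carried an enforcement gate (fail the run when the Scorecard score is below `MIN_SCORE=5`, plus the SECURITY.md and unpinned-action checks), and the rewritten scorecard.yml has nothing visible that replaces it; unless `scorecard-reusable.yml` at `b89b2ef…` fails on low scores, this commit turns a blocking check into a report-only one. The `branch_protection_rule` trigger is also dropped, so a change to branch protection no longer re-runs Scorecard until the daily cron fires. If the gate moved into the reusable, a comment on the `scorecard:` job such as `# minimum-score gate and SECURITY.md check live in scorecard-reusable.yml` would document that; if it did not, the gate should be restored or its removal called out in the commit message.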
@@ -13,4 +13,4 @@ permissions:

 jobs:
 governance:
- uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@b89b2ef1e98928fce53a85e83c37f23a1d99f6d3
+ uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@5a93d9da1bbf6ca9eb4eec89e900c733f114c995
diff --git a/.github/workflows/hypatia-scan.yml b/.github/workflows/hypatia-scan.yml
index 736b63f..ce9ce4c 100644
--- a/.github/workflows/hypatia-scan.yml
+++ b/.github/workflows/hypatia-scan.yml
@@ -16,4 +16,4 @@ permissions:

 jobs:
 scan:
- uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@b89b2ef1e98928fce53a85e83c37f23a1d99f6d3
+ uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@5a93d9da1bbf6ca9eb4eec89e900c733f114c995
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 0c31a3e..987033d 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -13,4 +13,4 @@ permissions:

 jobs:
 scorecard:
- uses: hyperpolymath/standards/.github/workflows/scorecard-reusable.yml@b89b2ef1e98928fce53a85e83c37f23a1d99f6d3
+ uses: hyperpolymath/standards/.github/workflows/scorecard-reusable.yml@5a93d9da1bbf6ca9eb4eec89e900c733f114c995
From aa88e02d714edc22fc4c140e264c8925b8960d40 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Sun, 21 Jun 2026 01:20:29 +0100
Subject: [PATCH 4/4] ci: adopt standards reusable workflows for Scorecard, Hypatia, and Governance
---
 .github/workflows/governance.yml | 2 +-
 .github/workflows/hypatia-scan.yml | 2 +-
 .github/workflows/scorecard.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/governance.yml b/.github/workflows/governance.yml
index 31d497f..8161ec2 100644
--- a/.github/workflows/governance.yml
+++ b/.github/workflows/governance.yml
@@ -13,4 +13,4 @@ permissions:

 jobs:
 governance:
- uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@5a93d9da1bbf6ca9eb4eec89e900c733f114c995
+ uses: hyperpolymath/standards/.github/workflows/governance-reusable.yml@5a93d9d57cc04de4002d6d0ecd336fc7a8698910
diff --git a/.github/workflows/hypatia-scan.yml b/.github/workflows/hypatia-scan.yml
index ce9ce4c..e715848 100644
--- a/.github/workflows/hypatia-scan.yml
+++ b/.github/workflows/hypatia-scan.yml
@@ -16,4 +16,4 @@ permissions:

 jobs:
 scan:
- uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@5a93d9da1bbf6ca9eb4eec89e900c733f114c995
+ uses: hyperpolymath/standards/.github/workflows/hypatia-scan-reusable.yml@5a93d9d57cc04de4002d6d0ecd336fc7a8698910
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 987033d..47acbb5 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -13,4 +13,4 @@ permissions:

 jobs:
 scorecard:
- uses: hyperpolymath/standards/.github/workflows/scorecard-reusable.yml@5a93d9da1bbf6ca9eb4eec89e900c733f114c995
+ uses: hyperpolymath/standards/.github/workflows/scorecard-reusable.yml@5a93d9d57cc04de4002d6d0ecd336fc7a8698910