
feat(innervation): Phase 2 — specs, tools, and docs #3


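# SPDX-License-Identifier: PMPL-1.0-or-later
# Hypatia Neurosymbolic CI/CD Security Scan — SELF-SCAN (dogfooding)
# The standards repo that defines Hypatia scans itself with Hypatia.
#
# Trust boundary of this workflow: it fetches, builds and EXECUTES a
# third-party scanner (hyperpolymath/hypatia) against this working tree.
# Hardening applied here:
#   - token scope is the minimum the job uses (contents: read);
#   - the checkout does not persist GITHUB_TOKEN in .git/config, so the
#     scanner cannot read it out of the tree it scans;
#   - the scanner is fetched at HYPATIA_REF and the resolved commit is
#     logged; HYPATIA_REF should be tightened to a reviewed commit SHA;
#   - unparseable scanner output fails the scan step instead of being
#     silently reported as "0 findings".
name: Hypatia Self-Scan

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  schedule:
    - cron: '0 0 * * 0'  # Weekly on Sunday, 00:00 UTC
  workflow_dispatch:

# Least privilege: checkout and artifact upload need only contents: read.
# Nothing in this job pushes, comments, or writes to any other scope.
permissions:
  contents: read

env:
  # Ref of hyperpolymath/hypatia that the scanner is built from.
  # TODO(security): pin this to a full commit SHA reviewed by this repo.
  # A branch name means whatever is on that branch at run time executes in CI.
  HYPATIA_REF: main

jobs:
  scan:
    name: Hypatia Neurosymbolic Analysis (Dogfooding)
    runs-on: ubuntu-latest
    defaults:
      run:
        # Explicit bash gives `-eo pipefail`; the implicit default is only `-e`.
        shell: bash
    steps:
      - name: Checkout repository
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 0
          # No later step pushes. Don't leave the token in .git/config where
          # the third-party scanner, which reads this whole tree, could find it.
          persist-credentials: false

      - name: Setup Elixir for Hypatia scanner
        uses: erlef/setup-beam@2f0cc07b4b9bea248ae098aba9e1a8a1de5ec24c # v1.18.2
        with:
          elixir-version: '1.19.4'
          otp-version: '28.3'

      - name: Fetch Hypatia at the pinned ref
        run: |
          git init -q "$HOME/hypatia"
          cd "$HOME/hypatia"
          git remote add origin https://github.com/hyperpolymath/hypatia.git
          # fetch + checkout FETCH_HEAD accepts a branch, a tag or a full SHA,
          # so HYPATIA_REF can be tightened to a SHA without touching this step.
          git fetch --depth 1 origin "$HYPATIA_REF"
          git checkout -q FETCH_HEAD
          echo "Hypatia resolved to commit $(git rev-parse HEAD)"

      - name: Build Hypatia scanner
        # `cd` in the shell rather than `working-directory: ${{ env.HOME }}`:
        # the `env` context only exposes variables the workflow sets itself,
        # so env.HOME does not resolve to the runner's $HOME.
        run: |
          cd "$HOME/hypatia"
          if [ ! -f hypatia-v2 ]; then
            cd scanner && mix deps.get && mix escript.build && mv hypatia ../hypatia-v2
          fi

      - name: Run Hypatia scan
        id: scan
        run: |
          echo "Scanning standards repo (dogfooding)"
          HYPATIA_FORMAT=json "$HOME/hypatia/hypatia-cli.sh" scan . > hypatia-findings.json

          # The counting below assumes the scanner emits a JSON array of
          # findings. If the output is empty or not an array, fail loudly:
          # a broken scanner must not look like a clean scan.
          if ! jq -e 'type == "array"' hypatia-findings.json >/dev/null 2>&1; then
            echo "::error title=Hypatia self-scan::hypatia-findings.json is not a JSON array; scanner output is unusable"
            exit 1
          fi

          # Count findings whose .severity equals $1; --arg keeps the value
          # out of the jq program text.
          count_severity() {
            jq --arg s "$1" '[.[] | select(.severity == $s)] | length' hypatia-findings.json
          }
          FINDING_COUNT=$(jq 'length' hypatia-findings.json)
          CRITICAL=$(count_severity critical)
          HIGH=$(count_severity high)
          MEDIUM=$(count_severity medium)

          {
            echo "findings_count=$FINDING_COUNT"
            echo "critical=$CRITICAL"
            echo "high=$HIGH"
            echo "medium=$MEDIUM"
          } >> "$GITHUB_OUTPUT"

          {
            echo "## Hypatia Self-Scan Results (Dogfooding)"
            echo ""
            echo "The standards repo scans itself. Findings here are compliance"
            echo "gaps between what we define and what we practice."
            echo ""
            echo "| Severity | Count |"
            echo "|----------|-------|"
            echo "| Critical | $CRITICAL |"
            echo "| High | $HIGH |"
            echo "| Medium | $MEDIUM |"
            echo "| **Total**| $FINDING_COUNT |"
          } >> "$GITHUB_STEP_SUMMARY"

      - name: Run panic-attack assail
        run: |
          # Nothing in this workflow installs panic-attack, so on a fresh
          # runner the else-branch is expected unless the tool is preinstalled.
          if command -v panic-attack >/dev/null 2>&1; then
            # stdout is the JSON artifact; keep stderr in a separate log so the
            # findings file stays parseable.
            panic-attack assail . > panic-attack-findings.json 2> panic-attack.log || true
            echo "panic-attack scan complete"
          else
            echo "panic-attack not available in CI — install from hyperpolymath/panic-attacker"
            echo "[]" > panic-attack-findings.json
            : > panic-attack.log
          fi

      - name: Upload findings artifacts
        # Upload even when an earlier step failed, so a broken or noisy run
        # still leaves the raw output to inspect.
        if: always()
        uses: actions/upload-artifact@65c79d7f54e76e4e3c7a8f34db0f4ac8b515c478 # v4
        with:
          name: standards-self-scan
          path: |
            hypatia-findings.json
            panic-attack-findings.json
            panic-attack.log
          retention-days: 90

      - name: Check for critical issues
        if: steps.scan.outputs.critical > 0
        env:
          # Passed through env rather than interpolated into the script so
          # step output never becomes shell text.
          CRITICAL: ${{ steps.scan.outputs.critical }}
        run: |
          # Surfaced as a workflow annotation but deliberately NOT a failure:
          # repo policy is to warn and fix forward.
          echo "::warning title=Hypatia self-scan::$CRITICAL critical finding(s) in the standards repo — review hypatia-findings.json"
          echo "Critical self-scan issues found in the standards repo!"
          echo "The repo that defines standards has compliance gaps."
          echo "Review hypatia-findings.json for details."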