Skip to content

fix(security): resolve Scorecard quality and supply-chain alerts#51

Merged
SafetyMP merged 1 commit into
mainfrom
fix/scorecard-quality-security
Jul 12, 2026
Merged

fix(security): resolve Scorecard quality and supply-chain alerts#51
SafetyMP merged 1 commit into
mainfrom
fix/scorecard-quality-security

Conversation

@SafetyMP

Copy link
Copy Markdown
Owner

Summary

  • Pin remaining unpinned GitHub Actions (docs-link-check, cd-promote, CodeQL, docker-publish, scorecard upload-sarif) and the Dockerfile node:22-bookworm-slim base image digest
  • Scope workflow write permissions to jobs (release.yml, docker-publish.yml) to satisfy Scorecard TokenPermissions checks
  • Remove tracked .cursor/hooks/__pycache__ bytecode and add gitignore rules
  • Apply safe npm audit fix + postcss override to reduce open dependency vulnerability findings

Context

Addresses the remaining 26 open Scorecard alerts on main (down from the original 39 / portfolio-tracked 37 fixable supply-chain items). Four governance alerts (branch protection, code review, CII, fuzzing) and one MaintainedID alert require org settings or time — not code changes.

Branches

Branch Status Notes
main default / merged through #50 CI hardening landed
fix/scorecard-quality-security this PR Scorecard + supply-chain remediation
chore/ci-hardening merged (#50) npm 10.9.2 + verify.sh
dependabot/npm_and_yarn/npm-development-* open (#48) dev dep bump; verify/e2e red on main baseline

Test plan

  • ./scripts/verify.sh (lint + tsc + 338 unit tests)
  • CI green on this PR (supply-chain-audit, verify, e2e-smoke, CodeQL, Scorecard)
  • Re-run check-security-alerts.sh after merge to confirm alert count drops

Pin remaining GitHub Actions and base image digests, scope workflow
write permissions to jobs, remove tracked hook bytecode, and tighten
dependency overrides to reduce open vulnerability findings.
Copilot AI review requested due to automatic review settings July 12, 2026 15:43
@vercel

vercel Bot commented Jul 12, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
autonomous-ehs-management Ready Ready Preview, Comment Jul 12, 2026 3:45pm

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@SafetyMP SafetyMP merged commit a5346bf into main Jul 12, 2026
7 checks passed
@SafetyMP SafetyMP deleted the fix/scorecard-quality-security branch July 12, 2026 15:46
github-actions Bot pushed a commit that referenced this pull request Jul 12, 2026
## [1.4.7](v1.4.6...v1.4.7) (2026-07-12)

### Bug Fixes

* **security:** resolve Scorecard quality and supply-chain alerts ([#51](#51)) ([a5346bf](a5346bf))
@github-actions

Copy link
Copy Markdown

🎉 This PR is included in version 1.4.7 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants