feat(rules): WF018/WF019/WF020 + SD014 — 4 new CI/CD detection rules (closes #336/#337/#338/#390)#403
Merged
Merged
Conversation
…loses #336/#337/#338/#390) Adds four new rules surfaced by the 2026-05-30 estate sweep: - WF018 (workflow_audit.ex): scorecard.yml wrappers that delegate to standards' `scorecard-reusable.yml` but lack `security-events: write`. Estate baseline: 81 of 88 wrappers affected — every Scorecard run silently fails with `startup_failure`. Closes #390. - WF019 (workflow_audit.ex): in-tree `workflow-linter.yml` that greps for `uses:` across all workflow files without exempting itself or the sibling `scorecard-enforcer.yml` — the linter flags itself. Observed in ipv6-only#9/#10, file-soup#44, fireflag#30. Closes #337. - WF020 (workflow_audit.ex): companion to existing `check_codeql_language_matrix_mismatch`. Catches the positive case: codeql.yml that does not list `language: actions` in its matrix on a repo with workflow files. Closes #338. - SD014 (structural_drift.ex): `examples/SafeDOMExample.res` lingering without the canonical `.affine` replacement (ReScript banned in new code 2026-04-30). Two states: fail when `.res` only, warn when both dialects present. Closes #336. Each new check is wired into the corresponding module's audit/scan dispatcher and accompanied by sensitivity/specificity comment block documenting fire conditions. No new tests in this PR — test scaffolds will follow in a separate PR keyed to issue #333 cohort completion. Closes #336 Closes #337 Closes #338 Closes #390 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 30, 2026
Closed
hyperpolymath
pushed a commit
that referenced
this pull request
May 30, 2026
#403 WF018) PR #404 added scorecard_wrapper_missing_job_permissions to cicd_rules.ex, but PR #403 had concurrently implemented the same #390 detection as WF018 (check_scorecard_wrapper_missing_job_permissions) in workflow_audit.ex — its canonical home alongside WF019/WF020. This removes the redundant cicd_rules copy (rule, facade delegate, test, changelog entries); WF018 stays as the single implementation. Verified locally (Elixir 1.14): cicd_rules.ex compiles with zero warnings; format-isolation confirms a pure deletion with no pre-existing reformat. https://claude.ai/code/session_01J8oLNn6MjKDRRUF65e2jLf
hyperpolymath
added a commit
that referenced
this pull request
May 30, 2026
…F018) (#407) PR #404 added scorecard_wrapper_missing_job_permissions to cicd_rules.ex, but #403 had concurrently implemented the same #390 detection as WF018 in workflow_audit.ex. Removes the redundant cicd_rules copy (rule, facade delegate, test, changelog); WF018 remains the single implementation. The #362 cron rule and #405 nodejs carve-outs are untouched. Verified locally (Elixir 1.14): zero-warning compile; format-isolation shows a pure deletion. https://claude.ai/code/session_01J8oLNn6MjKDRRUF65e2jLf
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
scorecard-reusable.ymlbut lacksecurity-events: write. Estate baseline: 81 of 88 wrappers affected — every Scorecard run silently fails withstartup_failure. Closes Add cicd rule: scorecard_wrapper_missing_job_permissions #390.workflow-linter.ymlthat greps foruses:across all workflow files without exempting itself or the siblingscorecard-enforcer.yml. The linter flags itself. Observed in ipv6-only#9/Bump webfactory/ssh-agent from 0.9.0 to 0.9.1 #10, file-soup#44, fireflag#30. Closes rule: detect workflow-linter.yml self-referential uses: grep #337.check_codeql_language_matrix_mismatch. Catches the positive case: codeql.yml that does not listlanguage: actionsin its matrix on a repo with workflow files. Closes rule: extend codeql_language_matrix_mismatch to also recommend language: actions #338.examples/SafeDOMExample.reslingering without the canonical.affinereplacement (ReScript banned in new code 2026-04-30). Two states: fail when.resonly, warn when both dialects present. Closes rule: detect SafeDOMExample.res (banned ReScript dialect, should be .affine) #336.Each new check is wired into the corresponding module's audit/scan dispatcher and accompanied by sensitivity/specificity comment block documenting fire conditions.
Test plan
Phoenix.Namingdue to an Elixir 1.14 vs Phoenix version issue, unrelated to this change)Closes
🤖 Generated with Claude Code