Skip to content

Harden CI/security: CodeQL + Dependabot + coverage gate + SECURITY (pilot)#1

Merged
Jott2121 merged 3 commits into
mainfrom
harden/ci-security
Jun 17, 2026
Merged

Harden CI/security: CodeQL + Dependabot + coverage gate + SECURITY (pilot)#1
Jott2121 merged 3 commits into
mainfrom
harden/ci-security

Conversation

@Jott2121

Copy link
Copy Markdown
Owner

What

Pilot of a uniform reliability/security standard for the flagship repos. This makes the repo's quality bar visible in the GitHub UI (Security tab, required checks, badges) while genuinely hardening it.

Added

  • CodeQL (security-extended) on push / PR / weekly → populates the Security tab
  • Dependabot — weekly pip + github-actions update PRs
  • Coverage gateci.yml now runs --cov-fail-under=90 across Python 3.11–3.13 (measured 96%), plus a self-contained coverage badge + per-PR comment (no third-party service)
  • SECURITY.md — private vulnerability disclosure policy
  • Supply-chain hardening — least-privilege permissions: blocks; every Action pinned to a full commit SHA
  • README — CodeQL + coverage badges and a "this repo gates itself" section

Verified locally

  • pytest --cov=agent_gate --cov-fail-under=90pass, 96%, 17 tests
  • coverage-job commands (coverage run -m pytest && coverage report) → pass
  • all workflow + dependabot YAML parse clean

Note

The coverage badge resolves once this merges to main (the badge data branch is created on the first main run). Branch protection (require CI + CodeQL green) will be enabled after merge.

🤖 Generated with Claude Code

…tions to SHAs

Hardens the repo's quality/security surface and makes it legible in the GitHub UI:

- codeql.yml: security-extended SAST on push / PR / weekly (populates Security tab)
- dependabot.yml: weekly pip + github-actions update PRs
- ci.yml: coverage-gated matrix (--cov-fail-under=90; currently 96% covered) plus a
  self-contained coverage badge + per-PR coverage comment; least-privilege
  permissions: block; all actions pinned to full commit SHAs
- SECURITY.md: private vulnerability disclosure policy
- README: CodeQL + coverage badges and a "this repo gates itself" section
- .gitignore: ignore coverage artifacts

Pilot for a uniform standard rolling to rag-guard, agent-cost-attribution,
fleet-mode, and bow.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

…esolves paths

The coverage badge/comment job failed with 'No source for code' because the
action runs its own coverage binary against absolute paths from the runner.
relative_files=true (the action's documented requirement) stores relative paths.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@github-actions

github-actions Bot commented Jun 17, 2026

Copy link
Copy Markdown

Coverage report

This PR does not seem to contain any modification to coverable code.

…SHAs

QC follow-ups from the independent review:
- add tests for get_gate() lookup + fail-closed unknown-gate error (gate.py 100%)
- pin actions/checkout, setup-python, and gh-action-pypi-publish in publish.yml
  to commit SHAs, so 'every Action is SHA-pinned' is literally true
- README: coverage note 96% -> 97%

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@Jott2121 Jott2121 merged commit 8122d42 into main Jun 17, 2026
6 checks passed
@Jott2121 Jott2121 deleted the harden/ci-security branch June 17, 2026 23:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants