fix(k9): correct security levels + deploy pedigree (Validate K9 contracts)#66
Merged
…tracts passes
Three K9 contract errors flagged by k9-validate: coordination.k9 and session/custom-checks.k9 set security_level "data-only", which is not a valid level (must be kennel|yard|hunt) — set to "kennel" to match their leash=Kennel and 'no network/write/subprocess' intent. container/deploy.k9.ncl: the validator scans for a word-boundary 'pedigree = {' block, but this template used 'let component_pedigree = {' (unmatched), so it fell back to the 'pedigree = component_pedigree' reference and reported name/version/security_level missing — renamed the binding to 'pedigree', added the top-level security_level="hunt" the header comment already promised, and updated the export reference.
Co-Authored-By: Claude <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01PWMMxryCcPrAjJ8tuGvygG
🔍 Hypatia Security Scan. Findings: 22 issues detected
[
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "scorecard_publish_with_run_step",
"file": "scorecard-enforcer.yml",
"action": "split_scorecard_publish_job",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in rsr-antipattern.yml",
"type": "unanchored_heading_regex",
"file": "rsr-antipattern.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (3 occurrences, CWE-494)",
"type": "shell_download_then_run",
"file": "/home/runner/work/nextgen-typing/nextgen-typing/setup.sh",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"line": 24,
"reason": "Secret found: Generic API key",
"type": "secret_detected",
"file": "/home/runner/work/nextgen-typing/nextgen-typing/.envrc",
"action": "revoke_rotate_and_purge",
"rule_module": "security_errors",
"severity": "critical"
},
{
"reason": "Nominal-only SAST in nextgen-typing: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
"type": "StaticAnalysis",
"file": "/home/runner/work/nextgen-typing/nextgen-typing",
"action": "auto_fix",
"rule_module": "scorecard",
"severity": "medium",
"remediation": "Add CodeQL or equivalent SAST workflow.",
"scorecard_check": "SAST"
},
{
"reason": "Repository has 6 non-main remote branch(es). Policy: single main branch only.",
"type": "GS007",
"file": ".",
"action": "delete_remote_branches",
"rule_module": "git_state",
"severity": "medium"
},
{
"reason": "Code scanning (Scorecard): FuzzingID -- Fuzzing -- 7 day(s) old",
"type": "CSA001",
"file": "no file associated with this alert",
"action": "review",
"rule_module": "code_scanning_alerts",
"severity": "medium"
},
{
"reason": "Code scanning (Scorecard): MaintainedID -- Maintained -- 7 day(s) old",
"type": "CSA001",
"file": "no file associated with this alert",
"action": "update",
"rule_module": "code_scanning_alerts",
"severity": "high"
},
{
"reason": "Code scanning (Scorecard): CodeReviewID -- Code-Review -- 7 day(s) old",
"type": "CSA001",
"file": "no file associated with this alert",
"action": "update",
"rule_module": "code_scanning_alerts",
"severity": "high"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
…n read
k9-validate scans for a line-anchored literal 'pedigree = {' field and cannot follow the 'let component_pedigree' indirection (it was matching the bare 'pedigree = component_pedigree' reference and reporting all fields missing). Inline a visible pedigree block with schema_version/component_type/security_level/metadata.name, merged (& component_pedigree) with the full L1-L5 pedigree so nothing is lost. Mirrors the passing template-hunt.k9.ncl shape.
Co-Authored-By: Claude <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01PWMMxryCcPrAjJ8tuGvygG
🔍 Hypatia Security Scan. Findings: 22 issues detected
[
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "scorecard_publish_with_run_step",
"file": "scorecard-enforcer.yml",
"action": "split_scorecard_publish_job",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in rsr-antipattern.yml",
"type": "unanchored_heading_regex",
"file": "rsr-antipattern.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (3 occurrences, CWE-494)",
"type": "shell_download_then_run",
"file": "/home/runner/work/nextgen-typing/nextgen-typing/setup.sh",
"action": "flag",
"rule_module": "code_safety",
"severity": "high"
},
{
"line": 24,
"reason": "Secret found: Generic API key",
"type": "secret_detected",
"file": "/home/runner/work/nextgen-typing/nextgen-typing/.envrc",
"action": "revoke_rotate_and_purge",
"rule_module": "security_errors",
"severity": "critical"
},
{
"reason": "Nominal-only SAST in nextgen-typing: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
"type": "StaticAnalysis",
"file": "/home/runner/work/nextgen-typing/nextgen-typing",
"action": "auto_fix",
"rule_module": "scorecard",
"severity": "medium",
"remediation": "Add CodeQL or equivalent SAST workflow.",
"scorecard_check": "SAST"
},
{
"reason": "Repository has 4 non-main remote branch(es). Policy: single main branch only.",
"type": "GS007",
"file": ".",
"action": "delete_remote_branches",
"rule_module": "git_state",
"severity": "medium"
},
{
"reason": "Code scanning (Scorecard): FuzzingID -- Fuzzing -- 7 day(s) old",
"type": "CSA001",
"file": "no file associated with this alert",
"action": "review",
"rule_module": "code_scanning_alerts",
"severity": "medium"
},
{
"reason": "Code scanning (Scorecard): MaintainedID -- Maintained -- 7 day(s) old",
"type": "CSA001",
"file": "no file associated with this alert",
"action": "update",
"rule_module": "code_scanning_alerts",
"severity": "high"
},
{
"reason": "Code scanning (Scorecard): CodeReviewID -- Code-Review -- 7 day(s) old",
"type": "CSA001",
"file": "no file associated with this alert",
"action": "update",
"rule_module": "code_scanning_alerts",
"severity": "high"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
Clears the three pre-existing `Validate K9 contracts` errors (separate from the now-merged hypatia fix; flagged on #64/#65 as unrelated).

The two simple ones — invalid security level: `coordination.k9` and `session/custom-checks.k9` set `security_level = "data-only"`, which isn't a valid K9 level (kennel|yard|hunt). Both declare `leash = "Kennel"` and "no network/write/subprocess access" in their headers, so the correct value is `"kennel"`.

The template — `container/deploy.k9.ncl`: The k9 validator scans for a word-boundary `pedigree = {` block. This template's block was `let component_pedigree = {` (the `component_` prefix means it doesn't match), so the validator fell back to line 156's `pedigree = component_pedigree` — a reference with no fields — and reported `name`/`version`/`security_level` all missing. Fix:

- `component_pedigree` → `pedigree` (now the real block matches);
- `security_level = "hunt"` the header comment already claimed was there (it's a Hunt-level component).

Validation: this PR's own `Validate K9 contracts` check is the empirical test — if it goes green, all three are cleared. The deploy.k9.ncl fix is based on the validator's apparent word-boundary matching; if the check shows a different residual error I'll adjust.

🤖 Generated with Claude Code
https://claude.ai/code/session_01PWMMxryCcPrAjJ8tuGvygG
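An added illustration, not code from this PR and not the repository's real k9-validate: a small Python model of the lookup behaviour the PR describes, where a word-boundary `pedigree = {` block is parsed for its fields, a bare `pedigree = <ref>` reference is accepted but yields no fields, and `security_level` must be one of kennel|yard|hunt. The regexes and the three input snippets are constructed assumptions that mirror the cases in the PR, not the project's files or its validator's actual patterns.

```python
import re

VALID_LEVELS = {"kennel", "yard", "hunt"}
REQUIRED_FIELDS = ("name", "version", "security_level")

# Hypothetical model of the lookup the PR describes: a word-boundary
# 'pedigree = {' block is parsed for its fields; failing that, a bare
# 'pedigree = <ref>' reference is accepted but carries no fields at all.
# '\bpedigree' does not match inside 'component_pedigree' because '_' is a
# word character, so there is no word boundary before the 'p'.
BLOCK_RE = re.compile(r"\bpedigree\s*=\s*\{(?P<body>.*?)\}", re.S)
REF_RE = re.compile(r"\bpedigree\s*=\s*\w+")
FIELD_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*"(?P<val>[^"]*)"', re.M)


def find_pedigree(src):
    """Fields of the matched block, {} for a bare reference, None if neither."""
    block = BLOCK_RE.search(src)
    if block:
        return {f.group("key"): f.group("val") for f in FIELD_RE.finditer(block.group("body"))}
    return {} if REF_RE.search(src) else None


def validate(src):
    """Return the error strings the model validator reports for one contract."""
    errors = []
    fields = find_pedigree(src)
    if fields is None:
        errors.append("no pedigree block")
        fields = {}
    for key in REQUIRED_FIELDS:
        if key not in fields:
            errors.append(f"missing {key}")
    level = fields.get("security_level")
    if level is not None and level not in VALID_LEVELS:
        errors.append(f"invalid security_level {level!r} (must be kennel|yard|hunt)")
    return errors


# Constructed inputs that mirror the three cases in the PR (not the repo's real files).
BAD_LEVEL = 'pedigree = {\n  name = "coordination"\n  version = "1.0"\n  security_level = "data-only"\n}\n'
BROKEN_TEMPLATE = 'let component_pedigree = {\n  name = "deploy"\n  version = "1.0"\n} in\n{ pedigree = component_pedigree }\n'
FIXED_TEMPLATE = 'let pedigree = {\n  name = "deploy"\n  version = "1.0"\n  security_level = "hunt"\n} in\n{ pedigree = pedigree }\n'

if __name__ == "__main__":
    for label, src in [("data-only", BAD_LEVEL), ("broken template", BROKEN_TEMPLATE), ("fixed template", FIXED_TEMPLATE)]:
        print(label, "->", validate(src) or "OK")
```

The broken template reports all three fields missing even though the binding defines two of them, which is exactly the misleading error the PR traces back to the prefixed binding name.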