Baseline supply-chain & secret hygiene: gitleaks, pip-audit/npm audit/cargo-audit, dependabot #503

Description

@aaronsb

ADR-401 item 7 · Audit: docs/security/security-consistency-audit-2026-06-09.md (F7)

None of the standard off-the-shelf hygiene runs anywhere: no secret scanning, no dependency auditing, no dependabot config. This is wiring, not authoring — the project has strong domain-specific linters but zero baseline tooling.

Acceptance criteria

  • gitleaks (or equivalent) workflow on PRs + a one-time full-history scan
  • pip-audit (api), npm audit (cli, web), cargo audit (graph-accel) in CI — informational at first, blocking for high/critical after the initial triage
  • .github/dependabot.yml covering pip, npm, cargo, and github-actions ecosystems
  • Initial findings triaged (separate follow-ups if anything real surfaces)
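One way to wire the first two criteria into a single GitHub Actions workflow, shown here as an added example rather than anything from the repository. It assumes the subprojects live at `api/` (Python, with a `requirements.txt`), `cli/` and `web/` (npm, with lockfiles) and `graph-accel/` (Cargo, with a `Cargo.lock`), and uses the public `gitleaks/gitleaks-action`, `actions/setup-python` and `actions/setup-node` actions at the versions shown.

```yaml
# Assumed layout: api/ (Python, requirements.txt), cli/ and web/ (npm), graph-accel/ (Cargo).
name: supply-chain-hygiene
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  secret-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full clone so gitleaks walks the whole history, not only the PR's commits
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  dependency-audit:
    runs-on: ubuntu-latest
    # Informational phase: findings are reported but do not fail the check.
    # Remove this line after the initial triage to make high/critical findings blocking.
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
      - name: pip-audit (api)
        working-directory: api
        run: |
          python -m pip install pip-audit
          pip-audit -r requirements.txt
      - name: npm audit (cli)
        working-directory: cli
        run: npm audit --audit-level=high   # exits non-zero only for high/critical advisories
      - name: npm audit (web)
        working-directory: web
        run: npm audit --audit-level=high
      - name: cargo audit (graph-accel)
        working-directory: graph-accel
        run: |
          cargo install cargo-audit --locked
          cargo audit
```

The `.github/dependabot.yml` from the third criterion is a separate file and is not shown here; the full-history scan comes from `fetch-depth: 0`, which is also what makes the PR run cover earlier commits.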

Metadata

Assignees

No one assigned

    Labels

    • enforcement-baseline: Deterministic security enforcement cluster (consistency audit 2026-06-09, ADR-401)
    • enhancement: New feature or request
    • security: Security-related changes

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests