Driver
The release-gated Security Scan (semgrep r/bash, added in #487) failed on its first real run (v2.3.0 tag, run 26980436235): 0 ERROR and 4 WARNING findings. It is configured with SEMGREP_FAIL_SEVERITY=WARNING, so any WARNING finding turns the scan red. It runs on the tag push (post-merge), so it did NOT block v2.3.0, but it will fail every release until addressed. Classic brand-new-strict-gate-meets-existing-debt.
Scope
Pick one (decide in the ticket):
- (a) Relax the gate to fail-on-ERROR: set SEMGREP_FAIL_SEVERITY=ERROR in golden-paths/pipelines/security.yml (and in the framework's own .github/workflows/security-scan.yml), keeping WARNING findings as advisory in the step summary. Recommended: a new scan shouldn't hard-fail releases on pre-existing low-severity lint. Note that WARNING findings then never block a release, so the advisory summary is the only place they stay visible.
- (b) Fix/suppress the 4 WARNING findings: pull the 4 from the run, then fix each one or add `# nosemgrep: <rule>` with a justification. Name the rule id in the comment; a bare `# nosemgrep` silences every rule on that line, not just the one being waived.
Either way, document the chosen severity policy.
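For reference, this is an added sketch (not the #487 workflow's actual gate logic) of how a SEMGREP_FAIL_SEVERITY threshold can be applied to `semgrep --json` output so that findings below the threshold still land in the step summary as advisory. The report embedded below is constructed to match the v2.3.0 run shape (0 ERROR, 4 WARNING); its rule ids, paths and line numbers are hypothetical.

```python
"""Added example: apply a SEMGREP_FAIL_SEVERITY threshold to semgrep JSON output.

Not the #487 workflow's own code. Reads the shape `semgrep --json` emits
(results[].extra.severity) and splits findings into blocking vs advisory.
"""
import os

# Semgrep's finding severities, lowest to highest.
SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}

# Constructed sample report mirroring the v2.3.0 run: 0 ERROR, 4 WARNING.
# Rule ids, paths, line numbers and messages are hypothetical.
SAMPLE_REPORT = {
    "results": [
        {"check_id": "bash.example.unquoted-var", "path": "scripts/release.sh",
         "start": {"line": 12},
         "extra": {"severity": "WARNING", "message": "Unquoted variable expansion"}},
        {"check_id": "bash.example.unquoted-var", "path": "scripts/release.sh",
         "start": {"line": 40},
         "extra": {"severity": "WARNING", "message": "Unquoted variable expansion"}},
        {"check_id": "bash.example.curl-pipe-sh", "path": "scripts/bootstrap.sh",
         "start": {"line": 7},
         "extra": {"severity": "WARNING", "message": "Piping curl into a shell"}},
        {"check_id": "bash.example.tmp-predictable", "path": "scripts/build.sh",
         "start": {"line": 3},
         "extra": {"severity": "WARNING", "message": "Predictable temp file name"}},
    ],
    "errors": [],
}


def parse_threshold(value):
    """Validate SEMGREP_FAIL_SEVERITY; a typo must not silently disable the gate."""
    name = (value or "").strip().upper()
    if name not in SEVERITY_RANK:
        raise ValueError(
            f"SEMGREP_FAIL_SEVERITY must be one of {sorted(SEVERITY_RANK)}, got {value!r}")
    return name


def count_by_severity(report):
    """Count findings per severity, keeping all three keys even when zero."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for r in report["results"]:
        sev = r["extra"]["severity"].upper()
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def gate(report, fail_severity):
    """Return (should_fail, blocking_findings, advisory_findings).

    A finding blocks when its severity ranks at or above the threshold.
    Unknown severities fail closed so an unexpected value cannot slip past.
    """
    threshold = SEVERITY_RANK[parse_threshold(fail_severity)]
    blocking, advisory = [], []
    for r in report["results"]:
        rank = SEVERITY_RANK.get(r["extra"]["severity"].upper())
        if rank is None or rank >= threshold:
            blocking.append(r)
        else:
            advisory.append(r)
    return bool(blocking), blocking, advisory


def step_summary(report, fail_severity):
    """Markdown for $GITHUB_STEP_SUMMARY: verdict, counts, blocking and advisory lists."""
    should_fail, blocking, advisory = gate(report, fail_severity)
    counts = count_by_severity(report)
    lines = [
        f"## Security Scan: {'FAIL' if should_fail else 'PASS'} "
        f"(fail at {fail_severity.strip().upper()})",
        "| ERROR | WARNING | INFO |",
        "|---|---|---|",
        f"| {counts['ERROR']} | {counts['WARNING']} | {counts['INFO']} |",
    ]
    for label, items in (("Blocking", blocking), ("Advisory", advisory)):
        if items:
            lines.append(f"### {label} findings")
            lines += [f"- `{r['check_id']}` {r['path']}:{r['start']['line']} "
                      f"{r['extra']['message']}" for r in items]
    return "\n".join(lines)


if __name__ == "__main__":
    # Same report under whichever policy the ticket settles on; ERROR is the default here.
    policy = os.environ.get("SEMGREP_FAIL_SEVERITY", "ERROR")
    print(step_summary(SAMPLE_REPORT, policy))
    raise SystemExit(1 if gate(SAMPLE_REPORT, policy)[0] else 0)
```

Running it with SEMGREP_FAIL_SEVERITY=WARNING exits 1 with all four findings listed as blocking; with ERROR it exits 0 and the same four appear under "Advisory findings", which is the behaviour option (a) asks for.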
Acceptance Criteria
Glossary
| Term | Definition |
|---|---|
| SEMGREP_FAIL_SEVERITY | The threshold at/above which a semgrep finding fails the CI job (WARNING vs ERROR). |
| release-gated scan | A security scan that runs on the release tag push rather than on every PR. |