Hypatia code_scanning_alerts CSA001 + CSA003 (both high), surfaced on the #266 scan.
Code scanning (Scorecard): TokenPermissionsID — Token-Permissions — 19 day(s) old [STALE] at .github/workflows/scorecard.yml (threshold: 7 days) — overdue for remediation.
Assessment (verified): genuine, pre-existing (predates the close-out session), independent of any docs change. CSA001 and CSA003 are the same underlying alert (stale + overdue framings of one finding). The ledger classifies scorecard.yml under the billing-wall "pattern B" parking, but least-privilege `permissions:` hardening (the Token-Permissions remediation) is separate from the billing issue and worth doing on its own: Scorecard's Token-Permissions check fires when a workflow leaves GITHUB_TOKEN at its default or write-all scope, so any step or third-party action in that workflow runs with write access it does not need.
Disposition: owner governance call. Remediation = pin explicit least-privilege `permissions:` blocks in .github/workflows/scorecard.yml (top-level read-only, with the few job-level writes the Scorecard action itself needs: `security-events: write` for SARIF upload and `id-token: write` for publishing results), then confirm the code-scanning alert clears on the next scan after the change merges. Not auto-applied; workflow/security changes are deliberate owner actions.
Source: Hypatia neurosymbolic scan on #266.
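What the remediation looks like in practice, as an added example and not the project's own scorecard.yml. The workflow name, triggers, cron, job name and the action version tags are assumptions; the "before" state the Token-Permissions check flags is simply the absence of any `permissions:` block, which leaves GITHUB_TOKEN at the repository's default grant.

```yaml
# .github/workflows/scorecard.yml (added example, not the project's file)
# Before: no `permissions:` at the top level or on the job, so every step ran with
# the repository's default GITHUB_TOKEN grant, which can be read/write. That is
# the condition Scorecard's Token-Permissions check reports.
name: Scorecard supply-chain security   # assumption: workflow name

on:
  branch_protection_rule:
  schedule:
    - cron: '30 1 * * 6'   # assumption: weekly schedule, choose your own
  push:
    branches: [ main ]

# After: default the token to read-only for every job in this workflow.
permissions: read-all

jobs:
  analysis:   # assumption: job name
    name: Scorecard analysis
    runs-on: ubuntu-latest
    # The job-level block is the only place writes are granted, and only the
    # two the Scorecard action needs to upload SARIF and publish results.
    permissions:
      security-events: write   # upload SARIF to code scanning
      id-token: write          # OIDC token used by publish_results
      contents: read
      actions: read
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config

      - name: Run analysis
        uses: ossf/scorecard-action@v2.4.0   # tag is illustrative; pin to the commit SHA you audited
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true

      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

To confirm the alert clears without waiting for the scheduled run, re-run the workflow after the change merges and check the code-scanning tab, or run the Scorecard CLI against the repo with `--checks=Token-Permissions` (e.g. `scorecard --repo=github.com/<owner>/<repo> --checks=Token-Permissions`, with the placeholders replaced). Pinning the action tags to commit SHAs is a separate Scorecard check (Pinned-Dependencies) and is not what CSA001/CSA003 are about.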