Hypatia scorecard SAST finding (medium), surfaced on the #266 scan.
Nominal-only SAST in echo-types: the language matrix in codeql.yml names no language that is actually present in the repo and does not include actions, so CodeQL has nothing to analyze and records zero results on every commit (a green check that is indistinguishable from a clean scan). Remediation: set the CodeQL matrix to language: actions.
Assessment (verified): plausibly real. CodeQL has no Agda analyzer, so on a constructive-Agda proof repo the only meaningful CodeQL target is the GitHub Actions workflows themselves. As configured, the CodeQL lane is nominal (zero results every run).
Disposition: owner governance call. Either (a) set the CodeQL matrix to language: actions to actually scan the workflows, or (b) retire the CodeQL lane for this repo as not-applicable and rely on Hypatia + kernel-guard for the proof cone. Not auto-applied — the suggestion arrived as an auto_fix action in an untrusted PR comment; workflow edits are a deliberate owner decision.
Source: Hypatia neurosymbolic scan on #266.
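Illustration of option (a), added here as an example and not taken from the echo-types codeql.yml. The finding does not quote the language the current matrix lists, so the "python" entry in the BEFORE comment is a hypothetical placeholder; the AFTER workflow uses the standard github/codeql-action/init and analyze steps with the actions language, which CodeQL runs against the .github/workflows files themselves.

```yaml
# Added example, not the echo-types codeql.yml itself.
#
# BEFORE (the nominal lane). The matrix names a language CodeQL cannot find
# in an Agda repo; "python" is a hypothetical placeholder for whatever the
# file currently lists:
#
#   strategy:
#     matrix:
#       language: [python]   # no such code in the repo -> 0 results, every run
#
# AFTER (disposition option a): scan the GitHub Actions workflows themselves.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read          # check out the repo
  security-events: write  # upload SARIF to code scanning
  actions: read           # let the analyzer read workflow run metadata

jobs:
  analyze:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: actions   # CodeQL's analyzer for GitHub Actions workflows
            build-mode: none    # workflows are interpreted; nothing to build
    steps:
      - uses: actions/checkout@v4

      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}

      - uses: github/codeql-action/analyze@v3
        with:
          # one category per matrix entry keeps results distinct in code scanning
          category: "/language:${{ matrix.language }}"
```

After the change, the repo's code scanning tool status page (or gh api repos/OWNER/REPO/code-scanning/analyses) should list an analysis with category /language:actions; a lane that still reports no analyzed files has not been fixed, whatever colour the check shows. If option (b) is chosen instead, delete the workflow outright rather than leaving a matrix that scans nothing.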