chore(ci): replace scorecard.yml with reusable wrapper

[hyperpolymath]

Pins to hyperpolymath/standards#205 merge SHA e0caf11508a3989574713c78f5f444f2ce5e33ef. Replaces the canonical scorecard.yml with a thin wrapper. Closes the 5-candidate convergence set.

Estate audit: 258 deploys / 18% drift / 39% top-SHA share.

Part of estate-wide convergence campaign 2026-05-26 (standards#199 / #205).

[github-actions]

🔍 Hypatia Security Scan

Findings: 36 issues detected

Severity	Count
🔴 Critical	0
🟠 High	19
🟡 Medium	17

View findings

[
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "unwrap() without prior check -- DoS via panic (7 occurrences, CWE-754)",
    "type": "unwrap_without_check",
    "file": "/home/runner/work/robodog-ecm/robodog-ecm/src/rust/benches/ecm_bench.rs",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Download-and-execute pattern (curl|wget pipe to shell) -- verify integrity before execution (3 occurrences, CWE-494)",
    "type": "shell_download_then_run",
    "file": "/home/runner/work/robodog-ecm/robodog-ecm/setup.sh",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "Nominal-only SAST in robodog-ecm: codeql.yml language matrix contains no language present in the repo and lacks `actions`, so CodeQL records zero results on every commit. Remediation: set the CodeQL matrix to `language: actions`.",
    "type": "StaticAnalysis",
    "file": "/home/runner/work/robodog-ecm/robodog-ecm",
    "action": "auto_fix",
    "rule_module": "scorecard",
    "severity": "medium",
    "remediation": "Add CodeQL or equivalent SAST workflow.",
    "scorecard_check": "SAST"
  },
  {
    "reason": "Repository has 7 non-main remote branch(es). Policy: single main branch only.",
    "type": "GS007",
    "file": ".",
    "action": "delete_remote_branches",
    "rule_module": "git_state",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Scorecard): TokenPermissionsID -- Token-Permissions -- 0 day(s) old",
    "type": "CSA001",
    "file": ".github/workflows/hypatia-scan.yml",
    "action": "update",
    "rule_module": "code_scanning_alerts",
    "severity": "high"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/code_safety/shell_download_then_run -- Hypatia code_safety: shell_download_then_run -- 4 day(s) old",
    "type": "CSA001",
    "file": "setup.sh",
    "action": "update",
    "rule_module": "code_scanning_alerts",
    "severity": "high"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/code_safety/unwrap_without_check -- Hypatia code_safety: unwrap_without_check -- 4 day(s) old",
    "type": "CSA001",
    "file": "src/rust/benches/ecm_bench.rs",
    "action": "update",
    "rule_module": "code_scanning_alerts",
    "severity": "high"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/structural_drift/SD009 -- Hypatia structural_drift: SD009 -- 9 day(s) old",
    "type": "CSA001",
    "file": "ffi/zig/src/main.zig",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/structural_drift/SD007 -- Hypatia structural_drift: SD007 -- 9 day(s) old",
    "type": "CSA001",
    "file": "0-AI-MANIFEST.a2ml",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence