The first-week SAST triage (scheduled for 2026-05-04) could not run because PR #54 has not been merged into main.
Why this blocks the triage
The three CI workflows introduced in PR #54 — Dependabot, CodeQL, and Bandit — only run on the branches/commits where the workflow files exist. Until PR #54 lands on main:
CodeQL has never scanned the full tests_source/ tree on the default branch, so the Security tab's code-scanning alerts are either empty or sourced only from the PR head commit (not a stable baseline).
Bandit has not scanned utils/ or limacharlie-iac/scripts/ on main.
Dependabot is configured in .github/dependabot.yml on the feature branch; Dependabot does not open PRs until that file is present on the default branch.
Running triage against PR-head-only results would produce a misleading baseline and miss the full alert set that appears after a real main-branch scan.
PR #54 current state
Head branch feat/security-workflows-tier3, targeting main; not yet merged.
Recommended next steps
Merge PR #54 into main. The workflows ship with continue-on-error: true so they are non-blocking.
Wait for the first CodeQL scan to complete on main (typically ~10–20 min after merge, triggered by the push event).
Re-run this triage once the Security tab shows alerts from a main-branch scan — the triage script expects gh api repos/ubercylon8/f0_library/code-scanning/alerts to return results tied to the default branch.
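The "results tied to the default branch" check above, as an added example that is not the triage agent's own script: it reads the JSON that gh api repos/ubercylon8/f0_library/code-scanning/alerts returns and reports whether the alert set is a usable main-branch baseline or only PR-head results. The alert records are constructed samples (rule ids and paths assumed) in the shape of the code-scanning alerts API; only the most_recent_instance.ref field is used for the decision.

```python
"""Added example (not the triage agent's script): classify a code-scanning
alert set as a main-branch baseline or as PR-head-only results."""
import json
from collections import Counter

DEFAULT_BRANCH_REF = "refs/heads/main"

# Constructed sample (assumed rule ids/paths) in the shape returned by
# `gh api repos/<owner>/<repo>/code-scanning/alerts`; only fields used here.
SAMPLE_ALERTS_JSON = json.dumps([
    {"number": 1, "state": "open", "tool": {"name": "CodeQL"},
     "rule": {"id": "py/sql-injection", "severity": "error"},
     "most_recent_instance": {"ref": "refs/pull/54/merge",
                              "location": {"path": "tests_source/db.py"}}},
    {"number": 2, "state": "open", "tool": {"name": "CodeQL"},
     "rule": {"id": "py/clear-text-logging-sensitive-data", "severity": "warning"},
     "most_recent_instance": {"ref": "refs/pull/54/merge",
                              "location": {"path": "utils/log.py"}}},
])


def baseline_status(alerts_json, default_ref=DEFAULT_BRANCH_REF):
    """Return (ok, reason). ok is True only when at least one alert was
    produced by a scan of the default branch, i.e. a stable baseline exists.
    An empty list means no scan has run there yet; alerts whose most recent
    instance sits on refs/pull/<n>/merge are PR-head-only and not a baseline."""
    alerts = json.loads(alerts_json)
    if not alerts:
        return False, "no alerts returned; no scan has run on the default branch"
    # Count alerts by the git ref their latest instance was found on.
    refs = Counter(a["most_recent_instance"]["ref"] for a in alerts)
    on_default = refs.get(default_ref, 0)
    if on_default == 0:
        pr_refs = sorted(r for r in refs if r.startswith("refs/pull/"))
        return False, (f"all {sum(refs.values())} alert(s) come from PR refs "
                       f"{pr_refs}; PR-head-only results, not a baseline")
    return True, f"{on_default} alert(s) tied to {default_ref}; baseline usable"


if __name__ == "__main__":
    ok, reason = baseline_status(SAMPLE_ALERTS_JSON)
    print("OK" if ok else "BLOCKED", "-", reason)
```

On the real repository, pipe the output of gh api --paginate repos/ubercylon8/f0_library/code-scanning/alerts into baseline_status; the --paginate flag matters because the endpoint pages results.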
Ambiguities noted
It is unclear whether PR #54 ("ci: add Dependabot, CodeQL, and Bandit workflows (report-only)") is blocked on review, or simply hasn't been actioned yet. If it is blocked on a specific concern, please document that on the PR itself so the triage can be rescheduled accordingly.
Auto-filed by triage agent on 2026-05-04. Re-run triage after PR #54 merges.