# Security Scanning
Two-track security scanning policy (spec: docs/superpowers/specs/2026-04-16-security-scan-severity-policy-design.md): the PR gate blocks only HIGH/CRITICAL, while a daily scheduled scan tracks everything MEDIUM+ as GitHub issues.
## Two-Track Policy
| Tool | PR-gate (blocks merge) | Scheduled scan (daily 02:00 UTC, *-latest images) |
|---|---|---|
| Trivy | HIGH/CRITICAL | MEDIUM+ → tracking issue + auto-ignore PR |
| npm audit | HIGH/CRITICAL (with ignore list) | MODERATE+ → tracking issue |
| bun audit | HIGH/CRITICAL | MODERATE+ → tracking issue |
| Semgrep | error level (HIGH/CRITICAL) | error + warning → tracking issue + auto-ignore PR |
| Gitleaks | All findings | All findings |
MODERATE/MEDIUM findings never block a PR — they surface as tracking issues with an SLA instead.
## Workflows
| Workflow | Trigger | Purpose |
|---|---|---|
| `.github/workflows/security-scan.yml` | `workflow_call` from `pr-preview.yml` + daily 02:00 UTC | PR-gate scans (all 5 tools) |
| `.github/workflows/security-scan-scheduled.yml` | Daily 02:00 UTC + Mondays 08:00 UTC | Scheduled MEDIUM+ scan of `*-latest` images; Monday cron posts the weekly Teams digest |
| `.github/workflows/container-security-scan.yml` | `workflow_call` on image build | Trivy container-specific scan |
Results report to the GitHub Security Tab (Code Scanning) and as PR comments.
## Reconciliation (`scripts/security-scan-reconcile/`)
TypeScript tooling that turns scheduled-scan findings into process:
- `reconcile.ts` — creates/updates one tracking issue per finding, opens auto-ignore PRs for accepted findings
- `pr-gate-filter.ts` — severity-aware filter so the PR gate honours the ignore list (HIGH/CRITICAL only)
- `digest.ts` — weekly Teams digest of open findings
- SLA: MEDIUM findings get GitHub issues, labelled `security:overdue` at 60 days
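The following is an added example, not the project's `pr-gate-filter.ts` or `reconcile.ts`: it models the two-track table above as a triage function (HIGH/CRITICAL or any Gitleaks hit blocks the PR gate unless on the ignore list; MEDIUM/MODERATE and above are tracked; tracked findings open 60+ days are flagged overdue). The `Finding` shape, tool names and sample findings are assumptions constructed for the example.

```typescript
type Severity = "LOW" | "MEDIUM" | "MODERATE" | "HIGH" | "CRITICAL";
type Tool = "trivy" | "npm-audit" | "bun-audit" | "semgrep" | "gitleaks";

// Assumed finding shape (not the project's real schema).
interface Finding {
  tool: Tool;
  id: string;        // CVE id, advisory id, rule id or leak fingerprint
  severity: Severity;
  firstSeen: string; // ISO date the scheduled scan first reported it
}

// npm/bun call it MODERATE, Trivy/Semgrep call it MEDIUM: same rank.
const RANK: Record<Severity, number> = { LOW: 0, MEDIUM: 1, MODERATE: 1, HIGH: 2, CRITICAL: 3 };
const SLA_DAYS = 60;

interface Triage { blocking: Finding[]; tracked: Finding[]; overdue: Finding[] }

// PR gate: Gitleaks always blocks; other tools block only at HIGH/CRITICAL
// and only when the finding is not on the accepted ignore list.
function blocksPrGate(f: Finding, ignored: Set<string>): boolean {
  if (f.tool === "gitleaks") return true;
  return RANK[f.severity] >= RANK.HIGH && !ignored.has(f.id);
}

// Scheduled track: MEDIUM/MODERATE+ always gets a tracking issue, ignored or not.
function isTracked(f: Finding): boolean {
  return f.tool === "gitleaks" || RANK[f.severity] >= RANK.MEDIUM;
}

function daysOpen(f: Finding, now: Date): number {
  return Math.floor((now.getTime() - Date.parse(f.firstSeen)) / 86_400_000);
}

function triage(findings: Finding[], ignored: Set<string>, now: Date): Triage {
  const blocking = findings.filter((f) => blocksPrGate(f, ignored));
  const tracked = findings.filter(isTracked);
  const overdue = tracked.filter((f) => daysOpen(f, now) >= SLA_DAYS);
  return { blocking, tracked, overdue };
}

// Constructed sample scan output; ids other than the page's CVE are placeholders.
const SAMPLE: Finding[] = [
  { tool: "trivy", id: "CVE-PLACEHOLDER-1", severity: "CRITICAL", firstSeen: "2026-04-01" },
  { tool: "trivy", id: "CVE-2026-32280", severity: "HIGH", firstSeen: "2026-02-01" },
  { tool: "npm-audit", id: "GHSA-PLACEHOLDER-2", severity: "MODERATE", firstSeen: "2026-01-10" },
  { tool: "semgrep", id: "rule.placeholder-warning", severity: "MEDIUM", firstSeen: "2026-04-10" },
  { tool: "gitleaks", id: "leak:constructed", severity: "LOW", firstSeen: "2026-04-15" },
];
const IGNORED = new Set(["CVE-2026-32280"]); // mirrors the .trivyignore entry below
```

Running `triage(SAMPLE, IGNORED, new Date("2026-04-16"))` blocks only the CRITICAL CVE and the Gitleaks hit, tracks all five, and marks the ignored HIGH CVE and the MODERATE advisory overdue.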
Renovate handles vulnerability-driven dependency bumps (`vulnerabilityAlerts` in `renovate.json5`).
## False Positive Management
| Tool | Config File | Purpose |
|---|---|---|
| Semgrep | `.semgrepignore` (repo root) | Exclude paths/rules |
| Trivy | `.trivyignore` (repo root + `renewa-one/.trivyignore`) | Ignore specific CVEs |
| Gitleaks | `.gitleaks.toml` (repo root) | Exclude known safe patterns |
CVE ignore example — when a vulnerability has no available fix:
```text
# .trivyignore
CVE-2026-32280 # Atlas Go stdlib x509 DoS - no upstream fix
```
## Key Principles
- PR-gate scans feed the `ci-gate` required check (see CI-CD Workflows) — only HIGH/CRITICAL block
- Scheduled daily scans catch newly disclosed CVEs in already-shipped images
- Coding Guidelines enforce secure coding patterns (XSS protection, input sanitization)
- App secrets live in Infisical EU, not GitHub environment secrets (fixed PR#1930); GitHub secrets are CI-infra credentials only
## Key Files
- `.github/workflows/security-scan.yml`
- `.github/workflows/security-scan-scheduled.yml`
- `.github/workflows/container-security-scan.yml`
- `scripts/security-scan-reconcile/`
- `.trivyignore`, `.semgrepignore`, `.gitleaks.toml`
- `docs/superpowers/specs/2026-04-16-security-scan-severity-policy-design.md`
## See Also
- CI-CD Workflows — workflow integration
- Scripts — reconcile tooling
- Coding Guidelines — secure coding standards
- Git Workflow — `ci-gate` branch protection