@trumant trumant commented Sep 28, 2025

This was tested against the revanite-io/example-osps-baseline-level-1 repository and produced:

Running in debug mode
2025-09-28T09:07:11.293-0400 [WARN]  OSPS-AC-01.01: Not evaluated. Two-factor authentication evaluation requires a token with org:admin permissions, or manual review
2025-09-28T09:07:11.293-0400 [INFO]  OSPS-AC-02.01: This control is enforced by GitHub for all projects
2025-09-28T09:07:11.293-0400 [WARN]  OSPS-AC-03.01: Branch protection rule does not restrict pushes or require approving reviews; Rulesets not yet evaluated.
2025-09-28T09:07:11.293-0400 [INFO]  OSPS-AC-03.02: Branch protection rule prevents deletions
2025-09-28T09:07:11.778-0400 [INFO]  OSPS-BR-01.01: GitHub Workflows variables do not contain untrusted inputs
2025-09-28T09:07:11.778-0400 [WARN]  OSPS-BR-01.02: Not implemented
2025-09-28T09:07:11.778-0400 [INFO]  OSPS-BR-03.01: All links use HTTPS
2025-09-28T09:07:11.778-0400 [INFO]  OSPS-BR-03.02: No official distribution points found in Security Insights data
2025-09-28T09:07:11.778-0400 [INFO]  OSPS-DO-01.01: User guide was specified in Security Insights data
2025-09-28T09:07:11.778-0400 [INFO]  OSPS-DO-02.01: Repository accepts vulnerability reports
2025-09-28T09:07:11.778-0400 [INFO]  OSPS-GV-02.01: Issues are enabled for the repository
2025-09-28T09:07:11.778-0400 [INFO]  OSPS-GV-03.01: Contributing guide specified in Security Insights data (Bonus: code of conduct location also specified)
2025-09-28T09:07:12.018-0400 [WARN]  OSPS-LE-02.01: All license found are OSI or FSF approved
2025-09-28T09:07:12.018-0400 [WARN]  OSPS-LE-02.02: All license found are OSI or FSF approved
2025-09-28T09:07:12.018-0400 [INFO]  OSPS-LE-03.01: License was found in a well known location via the GitHub API
2025-09-28T09:07:12.018-0400 [INFO]  OSPS-LE-03.02: No releases found
2025-09-28T09:07:12.018-0400 [INFO]  OSPS-QA-01.01: Repository is public
2025-09-28T09:07:12.018-0400 [INFO]  OSPS-QA-01.02: This control is enforced by GitHub for all projects
2025-09-28T09:07:12.018-0400 [WARN]  OSPS-QA-02.01: No dependency manifests found in the GitHub dependency graph API. Review project to ensure dependencies are managed.
2025-09-28T09:07:12.018-0400 [INFO]  OSPS-QA-04.01: Insights contains a list of repositories
2025-09-28T09:07:12.420-0400 [INFO]  OSPS-QA-05.01: No common binary file extensions were found in the repository
2025-09-28T09:07:12.420-0400 [INFO]  OSPS-VM-02.01: Security contacts were specified in Security Insights data
2025-09-28T09:07:12.420-0400 [ERROR] > test_OSPS_B: 11 Passed, 5 Warnings, 0 Failed

Kusari Inspector

Kusari Analysis Results:

Do not proceed without addressing issues

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

While the code analysis shows zero security vulnerabilities across all scanned files, the dependency analysis reveals critical supply chain security risks that override the clean code findings. The PR replaces established organizational packages (privateerproj/privateer-sdk, ossf/gemara) with personal fork packages from github.com/trumant that lack security scorecard data and use pseudo-versions instead of stable releases. Supply chain security risks take precedence over clean code analysis, as compromised dependencies can introduce threats regardless of code quality. The migration from official organizational packages to personal forks requires security verification, proper versioning, and justification before proceeding.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Dependency Mitigations

  • Verify the legitimacy and security of the personal fork packages github.com/trumant/privateer-sdk and github.com/trumant/gemara before proceeding. Confirm these are authorized replacements for the official packages.
  • Request that the new dependencies use proper semantic versioning and tagged releases instead of pseudo-versions (commit-based versions) for better dependency management and security tracking.
  • Conduct a security review of the trumant GitHub account and repositories to ensure they meet your organization's supply chain security standards before adopting these dependencies.
  • Consider reaching out to the maintainers to understand why the migration from official packages (privateerproj, ossf) to personal forks is necessary and whether official alternatives exist.

Commit: 719fc94, performed at: 2025-09-28T13:10:42Z

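The two dependency concerns the Kusari comment raises, organisation modules redirected to personal forks and forks pinned to pseudo-versions rather than tagged releases, can be surfaced mechanically from a go.mod before human review. The following is an added example, not code from this PR, from privateer, or from Kusari; the module paths are the ones named in the comment above, while the go.mod text, the version numbers and the commit hashes in it are constructed placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Pseudo-versions end in a 14-digit UTC timestamp and a 12-hex commit prefix, e.g. v0.0.0-20250928120000-0123456789ab.
var pseudoVersionRe = regexp.MustCompile(`[-.]\d{14}-[0-9a-f]{12}$`)
// Finding is one go.mod entry a reviewer should look at before merging.
type Finding struct{ Module, Version, Reason string }

// ReviewGoMod flags replace directives that redirect a module to another import path (e.g. an
// organisation module swapped for a personal fork) and any module pinned to a pseudo-version.
func ReviewGoMod(gomod string) []Finding {
	var out []Finding
	for _, line := range strings.Split(gomod, "\n") {
		if c := strings.Index(line, "//"); c >= 0 { // drop trailing comments
			line = line[:c]
		}
		f := strings.Fields(line)
		if len(f) > 0 && (f[0] == "replace" || f[0] == "require") {
			f = f[1:] // single-line form: drop the keyword so f[0] is the module path
		}
		i := 0 // position of "=>" in "old [ver] => new [ver]", or len(f) if absent
		for i < len(f) && f[i] != "=>" {
			i++
		}
		if i > 0 && i+1 < len(f) && f[0] != f[i+1] {
			out = append(out, Finding{f[0], strings.Join(f[i+2:], ""), "redirected by replace to " + f[i+1]})
		}
		for j := 1; j < len(f); j++ { // every "module version" pair, inside require blocks too
			if pseudoVersionRe.MatchString(f[j]) {
				out = append(out, Finding{f[j-1], f[j], "pseudo-version instead of a tagged release"})
			}
		}
	}
	return out
}
// sampleGoMod is constructed for this example; versions and commit hashes are placeholders.
const sampleGoMod = `module example.com/constructed-plugin
require github.com/privateerproj/privateer-sdk v0.1.0
require github.com/ossf/gemara v0.1.0
replace github.com/privateerproj/privateer-sdk => github.com/trumant/privateer-sdk v0.0.0-20250928120000-0123456789ab
replace github.com/ossf/gemara => github.com/trumant/gemara v0.0.0-20250928120500-ba9876543210`

func main() {
	fmt.Println(ReviewGoMod(sampleGoMod)) // four findings for the constructed sample
}
```

Run it in CI against the PR's go.mod and fail the check on any finding, so a fork redirect or a commit-pinned dependency has to be justified explicitly rather than noticed by chance.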
