Scorecard Exceptions and Remediation Plan¶
This page records OpenSSF Scorecard findings that are not immediate code vulnerabilities and explains the current project policy, accepted risk, and remediation path.
Current accepted exceptions¶
| Check | Current status | Rationale | Remediation path |
|---|---|---|---|
| Branch-Protection | Accepted temporary exception | main is protected by a GitHub ruleset that blocks deletion and force-pushes, requires pull requests, requires linear history, requires CI/CodeQL/Gitleaks checks, and requires resolved review threads. Required human approval, code-owner review, and last-push approval are intentionally not enabled while the repository has a single trusted maintainer because doing so can block routine maintenance and security fixes. |
Enable required approvals, code-owner review, and last-push approval after adding a second trusted maintainer with verified signing and review availability. |
| Code-Review | Accepted temporary exception | Recent changes are single-maintainer changes. Bot review and automated analysis are not a substitute for independent human review, so Scorecard correctly cannot award full credit yet. | Recruit at least one additional trusted maintainer and require independent human review for protected-branch merges. |
| Maintained | Accepted time-based exception | The repository is new, and Scorecard intentionally treats projects younger than 90 days as too new to assess long-term maintenance. | Re-run Scorecard after the repository has more than 90 days of public history and weekly maintenance activity. |
| SAST | Monitoring | CodeQL is configured for Python and JavaScript/TypeScript and runs on pull requests, pushes to main, schedules, and manual dispatches. Scorecard currently reports partial credit because recent commit history is still catching up with SAST evidence. |
Continue running CodeQL on every protected branch change; the signal should improve as reviewed/merged changes accumulate with CodeQL results. |
| CII-Best-Practices | Pending external form update | The repository has local evidence for OpenSSF Best Practices, but the public OpenSSF badge remains InProgress until the external Best Practices form is completed and submitted. |
Complete the OpenSSF Best Practices checklist using docs/openssf-best-practices.md evidence links, then re-run Scorecard. |
Findings remediated in this hardening pass¶
- CodeQL
js/path-injectionfindings were remediated bySafeFsPathvalidation and upload-root containment in the ChatGPT Apps SDK integration. - Scorecard
Pinned-Dependenciesfindings for the container build were remediated by replacing Dockerfilepip installsteps with a digest-pinneduvimage anduv-based install steps. - Scorecard
Fuzzingwas remediated by adding an Atheris fuzz target and scheduled fuzz workflow.
Review policy¶
Accepted Scorecard exceptions must be revisited before each release and after any maintainer or repository-permission change. Do not dismiss a finding without either fixing it or documenting the accepted-risk rationale here.