PR #1170 promotes secret/dependency/SAST scans into the required lane. gitleaks (PR-scoped, clean) and bundle-size are hard-enforcing. dependency and SAST ship required-but-advisory (enforce-findings: false) because the repo has a pre-existing baseline that must be remediated before hard-enforcement is safe; flipping them is a one-line, tracked follow-up.
Dependency baseline (diagnosed)
dotnet list backend/Taskdeck.sln package --vulnerable reports NuGet.CommandLine 5.11.5 (Critical, GHSA-68w7-72jg-6qpp) in Api, Infrastructure, Cli, and all test projects. dotnet nuget why shows it is a spurious transitive of Microsoft.Recognizers.Text 1.8.13 (Recognizers.Text → NuGet.CommandLine) — a known erroneous nuspec dependency; nuget.exe is not used at runtime.
Fix plan: override the transitive to a non-vulnerable version, e.g. a PackageReference Include="NuGet.CommandLine" Version="7.6.0" (latest) with ExcludeAssets="all" so it does not deploy, placed where it propagates to the shipped projects (Infrastructure / a scoped Directory.Build.props). Verify locally that dotnet list --vulnerable clears for the whole solution, then flip dependency-security back to enforce-findings: true in ci-required.yml.
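As an added illustration of that fix plan (not code from the PR or the repo), the override expressed as a solution-scoped Directory.Build.props; the file path and the project set it covers are assumptions:

```xml
<!-- Assumed location: backend/Directory.Build.props, so it is imported by every
     project under backend/ (Api, Infrastructure, Cli and the test projects that
     all pull NuGet.CommandLine 5.11.5 transitively). -->
<Project>
  <ItemGroup>
    <!-- Direct reference wins over the spurious transitive edge
         Microsoft.Recognizers.Text 1.8.13 -> NuGet.CommandLine 5.11.5,
         lifting the resolved version to 7.6.0 (GHSA-68w7-72jg-6qpp is closed).
         ExcludeAssets="all": no compile/runtime/build assets are consumed, so
         nuget.exe is never copied into the output or published. -->
    <PackageReference Include="NuGet.CommandLine"
                      Version="7.6.0"
                      ExcludeAssets="all" />
  </ItemGroup>
</Project>
```

Run `dotnet list backend/Taskdeck.sln package --vulnerable --include-transitive` afterwards; the finding must disappear from every project, including tests, before enforce-findings is flipped. Note that if the repo ever adopts Central Package Management, the version would instead belong in Directory.Packages.props.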
SAST baseline
With the setuptools<81 crash fixed (#1170), Semgrep now actually scans and surfaces pre-existing ERROR-level findings. Triage them: fix the actionable ones; suppress genuine false positives via .semgrepignore / inline # nosemgrep (documented). Then flip sast-scan to enforce-findings: true.
Also
Depends on #1174 (per-advisory dependency allowlist) for a durable break-glass, and #1173 (register the check contexts in branch protection). See ADR-0035.